I'm working on an issue with HTTPS. I suspect its related to client certificates. I want to read some of the encrypted handshake messages that follows the ServerHelloDone
message. (Once the ServerHelloDone
is sent, the stream usually switches to encrypted):
The Wireshark trace was generated with s_client
:
$ echo -e "GET / HTTP/1.1\nHost:example.net\n" | openssl s_client -connect example.net:443 -ssl3 -ign_eof -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
...
---
Certificate chain
0 s:/C=ES/ST=Malaga/L=Malaga/O=Example, LLC/CN=www.example.net/OU=Example IT
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIExjCCA66gAwIBAgIQeee0uwSySeNXOkI+BUoMMzANBgkqhkiG9w0BAQUFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
...
doLsKI2R6RQA/7IcuTpKkvLF5wYKvmocPxYVg9FOoFvKV0wjWo6qlwsANPAVov+7
zFzZreROa7lBj8UH0IyYjLmBrbe1yMr/Cmg=
-----END CERTIFICATE-----
...
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-SHA
Session-ID: 663C000068D5E2DFCC69EE1FA40489927A80EFE118703BBAD28E1E81EDD02B15
Session-ID-ctx:
Master-Key: ACB5F8C6302DE96555A680FBD37A83CBF81087368685A36B2B04E23A822E403CDF35FAACF959F55107AC4641AE1531DB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1407443412
Timeout : 7200 (sec)
Verify return code: 0 (ok)
...
read R BLOCK
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /Login/Login
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Aug 2014 20:29:46 GMT
Content-Length: 129
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Login/Login">here</a>.</h2>
</body></html>
^C
Because the Wireshark trace was generated with s_client
, I have the master key for the session. I have the master key because s_client
printed it to the terminal. NOTE: I don't claim anything about the server's public or private key. I only claim to have a key for this session.
I visited Secure Socket Layer (SSL) on the Wireshark wiki, but it does not say how to plug the master key into the GUI. (They do discuss how to use it, but its not related to the GUI).
Is there a way to plug the master key into the Wireshark GUI so I can read the encrypted traffic?
From above, I have the master key.
, no, you don't. You have the public key. That means you can encrypt content. The private key is on the remote server, and you can't get it, unless you happen to own that server.s_client
dumps the master key for the session. I have it becauses_client
prints it to the terminal. (Related: I'm not sure if that's the pre-master secret or the master secret, but I'll work that out if needed).