Can Wireshark decrypt HTTPS?
This is a discussion within the Networking/Wireshark/TLS subforums of the TechRepublic Community forums.
I have some issues with a web server that's running https:// as a tunnel to another (non-https) server. My goal is to capture traffic between this https server and the https server behind it, even though these two servers are on different IPs, so I can find out what's going on between them. Is this possible with Wireshark? I'm using Wireshark version 1.4.2 (Ubuntu 14.04) and openssl version 1.1c.
The first problem is that the HTTPS traffic appears to be encrypted with a self-signed certificate. The second problem is that Wireshark appears to be unable to decrypt the traffic. The third problem is that the https server behind it doesn't respond to HTTP requests. Does Wireshark have a way of decrypting SSL or TLS traffic? If it does, how do I configure it to do so? If it doesn't, how can I decrypt the traffic between this https server and the https server behind it?

Re: Can Wireshark decrypt HTTPS?

That means that all data sent by this server is encrypted. This makes it very difficult for a sniffer to capture the data.
However, Wireshark does not decrypt SSL/TLS traffic, and you will only see the encrypted traffic if you connect to the server through a VPN or other means of encryption. When you use the https server through a VPN, the traffic between the server and the internet will appear to be encrypted, since the traffic is protected by the VPN. Wireshark will see all data sent from the server to the internet as encrypted.
To be able to capture the encrypted data sent from the server to the internet, the server has to have an IP address in the same subnet as your laptop. In other words, if you have an internet connection provided by your ISP, the server cannot send its data to the internet because the server has a different IP address than your computer.
How do I enable HTTPS traffic decryption?
There are two ways to force your users to use https, and two ways to decrypt https traffic:

1. Encrypt the traffic using SSL/TLS with mutual authentication (e.g. X.509 certificates).
2. Decrypt traffic using a client certificate on a remote server. This is how most browsers do it.

Since you're using Windows, I'll assume the latter. If you use Chrome for Windows you can install the Chrome Web Store and download the Chrome Remote Desktop Extension. It'll allow you to log into a server with a specific client certificate.
How to enable decryption on Wireshark?
This article is a follow up to How to use wireshark to debug HTTPS.
This time we are going to see how to use Wireshark to decrypt the TLS/SSL handshake and what the pitfalls are. But first let us take a look at what is involved when a client connects to an HTTPS server:

Step 0: The client sends a Client Hello (A0C) to the server. It doesn't look too difficult, but the first thing you need to know is that there are two sets of data that need to be sent to the server during the handshake: the Client Hello (50 bytes long) and the Client Certificate (20 bytes long). You can see that the size of the handshakes can vary from client to client. This is because some clients might want to negotiate a certificate for the server too, and not just encrypt the conversation. So this means a single handshake can have a different number of different lengths depending on the negotiation. But the total packet size will always be 50 bytes (as seen above).

When the server gets the Client Hello (A0C), it will first check whether the client has a certificate or a certificate request from the client (D3A). If the client does have a certificate (D0DA), it will read it into a Certificate message (A4EA). If the client does not have a certificate, it'll instead send a certificate request (BBAB). As seen in the picture above, the client and the server can negotiate which kind of certificate is used. If a certificate is sent by the client, a CertificateMsg (B0BA) message will also be sent. If no certificate is sent, a CertificateReq (A0BB) message will be sent. All these types are described in more detail below.
The certificate (if any) is then encrypted by the client to make sure only the intended server can access it. This is done by calculating a shared key (B3A8) by XORing the server name with the public key of the server certificate. The certificate is then encrypted (C3B0) using the shared key.
After the handshake and the establishment of the shared key, we get to step 1: The Client Finished (A0E6). This is the final message sent from the client.
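The following Python is an added example and is not code from the forum post above or from the Wireshark project. It constructs a TLS 1.2 ClientHello record (the host name, cipher suite list and random bytes are constructed sample values) and then parses the fields that a passive capture tool such as Wireshark can read without any key material: protocol version, session id, the offered cipher suites and the server_name extension. It also flags whether a plain-RSA key transport suite was offered, since that is the one case in which the server's RSA private key alone is enough to decrypt a captured session; ECDHE and TLS 1.3 suites are forward secret and require the client or server to log per-session secrets instead.

```python
import struct

# Small subset of IANA TLS cipher suite code points, for readable output.
CIPHER_SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Suites using plain RSA key transport: a capture of such a session can be
# decrypted afterwards with only the server's RSA private key. ECDHE and
# TLS 1.3 suites need the per-session (pre-)master secret log instead.
RSA_KEY_TRANSPORT_SUITES = {0x002F, 0x000A}

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(server_name, cipher_suites, random_bytes=b"\x11" * 32):
    """Construct a TLS 1.2 ClientHello record (constructed sample input, not
    bytes from any real capture)."""
    if len(random_bytes) != 32:
        raise ValueError("random must be 32 bytes")
    host = server_name.encode("ascii")
    # server_name extension: list length, name_type 0 (host_name), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + random_bytes
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the plaintext ClientHello fields a passive capture can read.
    Raises ValueError on malformed or truncated input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) < 5 + rec_len:
        raise ValueError("truncated TLS record")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0

    def take(n):
        # Bounds-checked slice: every length field is validated before use.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                                          # client random
    session_id = take(take(1)[0])
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    raw = take(suites_len)
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    take(take(1)[0])                                  # compression methods
    server_name = None
    if pos < len(body):
        ext_len = struct.unpack("!H", take(2))[0]
        ext_end = pos + ext_len
        if ext_end != len(body):
            raise ValueError("extensions length does not match ClientHello length")
        while pos < ext_end:
            ext_type, ext_dlen = struct.unpack("!HH", take(4))
            data = take(ext_dlen)
            if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                server_name = data[5:5 + name_len].decode("ascii", "replace")
    return {
        "version": VERSION_NAMES.get(version, hex(version)),
        "session_id": session_id.hex(),
        "cipher_suites": [CIPHER_SUITE_NAMES.get(s, f"unknown({s:#06x})") for s in suites],
        "server_name": server_name,
        "rsa_key_transport_offered": any(s in RSA_KEY_TRANSPORT_SUITES for s in suites),
    }


if __name__ == "__main__":
    sample = build_client_hello("www.example.com", [0xC02F, 0x002F])
    for key, value in parse_client_hello(sample).items():
        print(f"{key}: {value}")
```

Everything this parser prints is what Wireshark shows for a TLS session it cannot decrypt: the handshake metadata is in the clear, the application data is not. Which of the offered suites the server actually selects decides what is needed for decryption: a plain-RSA suite can be decrypted with the server's private key, while a forward-secret suite can only be decrypted if the client or server writes its session secrets to a key log file and Wireshark's TLS preferences are pointed at that file.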
How do I see HTTPS traffic in Wireshark?
I've tried to open an HTTPS connection with a self-signed SSL certificate in Wireshark.

Everything went fine until I opened the page; after that I got: "Wireshark has an invalid certificate." The certificate is from VeriSign. I'm unable to find any of the .cer and .pem files.

If I do openssl s_client -connect www.domain.com:443 -cert ./servercert.pem -quiet -showcerts I get two lines as output and three additional lines containing just a single question mark (?), which is all SSL traffic that got to the server.

If I do openssl s_client -tls1 -host "ssl://www.pem -cipher I get the same output, but also one empty line as a third output.

Wireshark does seem to have a lot of extra stuff in it. What's causing this? I can't see any more SSL traffic, but yet there is. Where is all the SSL data stored? The only thing that tells Wireshark is that I must be on a secure port; I'm on 443. I did have SSL off before but turned it back on yesterday after my last post.

Please help me! :) P.S. This may be very easy to do for others, but I never had any programming experience, or rather I really don't know how to even start; I am here trying to learn.
When you visit it will try to establish an SSL connection with an intermediary that's called an SSL Proxy. To understand how this works, consider the scenario when you visit the URL without actually going through a proxy. First the website contacts an intermediary that forwards all the information to (e.g. the URL is /index.php). When then connects to the actual website. The proxy will take note of any data that was sent by the browser, like the cookies or authentication info (username, password, etc.).