Decrypting SSL/TLS
So far we have learned how the SSL/TLS protocol encrypts traffic and maintains confidentiality. In the next section, we will cover how Wireshark helps to decrypt SSL/TLS traffic.
Decrypting RSA traffic
Decryption of TLS traffic depends upon which cipher suite was chosen by the server in the Server Hello message. Open the file decrypt-ssl-01.pcap and look for the cipher suite selected by the server. In this case the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite was used; since the key exchange is RSA, the client's premaster secret was encrypted with the server's public key, so the server's private key lets Wireshark recover the session keys and decrypt the packets.
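Before loading a private key it is worth confirming that the session can be decrypted with it at all: only suites whose key exchange is plain RSA (TLS_RSA_WITH_...) encrypt the premaster secret to the server's key, while DHE, ECDHE and every TLS 1.3 suite negotiate ephemeral keys that a static private key cannot unlock. The following stdlib-only Python script is an added example, not code from the book; it parses a Server Hello out of raw TLS records, reads the negotiated cipher suite and reports whether the server's RSA private key alone is enough. The Server Hello bytes are constructed inline as sample data, and the cipher-suite table lists only a handful of IANA identifiers.

```python
"""Check whether a TLS session's negotiated cipher suite can be decrypted
with the server's RSA private key alone (added example, not from the book)."""
import struct

# A few identifiers from the IANA TLS cipher suite registry; not a full table.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: always (EC)DHE
}

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2


def iter_handshake_messages(data: bytes):
    """Yield (msg_type, body) for each handshake message in a byte string of
    TLS records. Handshake payloads are concatenated first because one
    message may span several records; parsing stops at ChangeCipherSpec,
    after which handshake records are encrypted."""
    stream = b""
    off = 0
    while off + 5 <= len(data):
        rtype, _version, rlen = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if rtype == CONTENT_CHANGE_CIPHER_SPEC:
            break
        if rtype == CONTENT_HANDSHAKE:
            stream += payload
    pos = 0
    while pos + 4 <= len(stream):
        msg_type = stream[pos]
        mlen = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:
            break  # truncated capture
        yield msg_type, body
        pos += 4 + mlen


def server_hello_cipher_suite(data: bytes):
    """Return the cipher suite chosen in the Server Hello, or None if absent.
    ServerHello body: version(2) random(32) session_id_len(1) session_id
    cipher_suite(2) compression(1) [extensions]."""
    for msg_type, body in iter_handshake_messages(data):
        if msg_type != HANDSHAKE_SERVER_HELLO:
            continue
        sid_len = body[34]
        pos = 35 + sid_len
        return struct.unpack("!H", body[pos:pos + 2])[0]
    return None


def decryptable_with_server_rsa_key(suite_id: int):
    """Return (decryptable, suite_name). Only static-RSA key exchange encrypts
    the premaster secret to the server's public key."""
    name = CIPHER_SUITES.get(suite_id, f"unknown_0x{suite_id:04x}")
    return name.startswith("TLS_RSA_WITH_"), name


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 Server Hello inside one handshake record.
    This is sample data for the demonstration, not a captured packet."""
    body = (b"\x03\x03" + bytes(32)            # version, zeroed server random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite)
            + b"\x00")                          # null compression
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x0035, 0xC030, 0x1301):
        chosen = server_hello_cipher_suite(build_server_hello(suite, b"\xaa" * 8))
        ok, name = decryptable_with_server_rsa_key(chosen)
        print(f"{name}: {'server.key is enough' if ok else 'needs session keys (ephemeral DH)'}")
```

On a real capture, feed the script the reassembled TCP payload from the server side of the connection; a `False` result means the private key dialog described below will not decode anything, and the session keys would have to come from the endpoint instead.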
Now go to Edit | Preferences | Protocol | SSL, add the new RSA key, and configure the following properties in the RSA key dialog box:
- The private key file (here, server.key, which is used by the server).
- The IP address of the server.
- The port of the SSL/TLS server (443).
- The decoding protocol (http in this case).
After applying these settings, the SSL traffic will be decoded into HTTP traffic for that IP, as shown in the following screenshot:
Once the packet...