Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating

From: "DePriest, Jason R." <jrdepriest@xxxxxxxxx>
Date: Fri, 8 Feb 2008 22:41:24 -0600
On Feb 8, 2008 5:11 PM, Sake Blok <> wrote:
> On Fri, Feb 08, 2008 at 08:38:45PM +0000, DePriest, Jason R. wrote:
> > On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> > > On Thu, Feb 07, 2008 at 11:40:12PM -0600, DePriest, Jason R. wrote:
> > >
> > > In case it is a full proxy, have you tried using the following
> > > in the ssl protocol settings?
> > >
> > > <ip-of-proxy>,<proxy-port>,http,<keyfile>
> >
> > It is a full proxy auto-configured by PAC using a wpad.dat file.
> >
> > I had already tried the exact syntax you propose.  The problem seems
> > to be getting the right <keyfile> from the proxy.
> >
> > ssl_init keys string:
> > 10.70.4.5,8080,http,C:\Program Files\Wireshark\proxy-key.pem
> > ssl_init found host entry 10.70.4.5,8080,http,C:\Program
> > Files\Wireshark\proxy-key.pem
> > ssl_init addr 10.70.4.5 port 8080 filename C:\Program
> > Files\Wireshark\proxy-key.pem
> > ssl_load_key: can't import pem data
>
> Does your "proxy-key.pem" file has a similar heading like this:
>
> -----BEGIN RSA PRIVATE KEY-----
> MIICXQIBAAKBgQDDheBxxgRp9Zg/D6pGzTEx0sn4C6vkLj/ftPp62XVD8Af7VbE7
>
> If not, you need to fiddle around with OpenSSL some more.
>
> If it looks like a binary file the key is probably in DER format.
> Try: openssl rsa -in proxy-key.pem -inform DER -out proxy-key-pem.pem
>
> If it looks something like:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,0F30F91E577C7C84
>
> scqGvyiks3J+eIluLMtIRwHRBqGhN+zE1yez4SZ9373C9ttZkWPWVX0ULl1XUkjV
>
> Then the key is protected by a passphrase and unfortunately Wireshark
> is not (yet?) able to read passphrase protected key files.
> You can strip the passphrase with:
>
> openssl rsa -in proxy-key.pem -out proxy-key-cleartext.pem
>
>
> Hope this helps,
>
> Cheers,
>     Sake

Unfortunately, I didn't get this before heading home.

The file I copied from the Blue Coat was in .cer format (that is, if I
stuck it in a file with a .cer extension, Windows could open it and
understand it), but didn't have an RSA header.  I can't remember what
it said, but it wasn't RSA.

I'll check it on Monday.

-Jason