Wireshark-users: Re: [Wireshark-users] how to decrypt TLSv1 traffic

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 9 Jun 2008 23:00:14 +0200
On Mon, Jun 09, 2008 at 04:23:49PM -0400, Nik Kolev wrote:
> 
> I saw a blog post somewhere discussing that you can "pass" the path to
> the file which stores the negotiated encryption key to wireshark and
> (given that wireshark has been linked against a given library) get the
> encrypted payload decrypted. I don't know if this applies to my scenario
> (not sure whether IE writes the key to the file system,...)...

With most ciphers (including the one that was chosen in the
displayed server-hello), wireshark can do the decryption when it
you supply the private key of the server (see the ssl protocol
preferences).

There is no support (yet?) for supplying the negotiated keys directly.
This means you *need* to be able to get hold of the private key and
the cipher used must not use Diffie-Hellman, because in that case
the negotiated keys cannot be determined by network traffic combined 
with the private key.

I'm not sure if and how IE or Firefox can be directed to dump the
negotiated keys. If this is possible, support for supplying the 
negotiated keys might be a nice improvement to (wire|t)shark indeed :-)

Cheers,
    Sake