
How to decrypt TLS 1.3 handshake when server is under control

Dear,

I want to decrypt TLS 1.3 handshake messages captured by Wireshark. The server (Apache) is under my control, but not the client. Since I have no control over the client I can't use pre-shared keys.

Question: Which information do I need to log on the server, in order to be able to decrypt the captured handshake messages?

Thanks in advance.

Regards, Ralph

Ralph
asked 2019-04-06 00:16:56 +0000

1 Answer


On a Linux server one can use "openssl s_server" in order to obtain the keys. I used the command

# openssl s_server -port 443 -cert <path to cert.pem> -key <path to privkey.pem> -CAfile <path to chain.pem> -keylogfile <path to keylog file>

The values in <...> have to be replaced by your settings. The schedule for decrypting TLS traffic is:

  1. start the openssl s_server with the command above
  2. start capturing with Wireshark
  3. establish a TLS connection to the openssl server (e.g. send an https message)
  4. stop capturing
  5. in Wireshark: "Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename" select the keylog file from 1.

Then the messages are decrypted by Wireshark.

Ralph
answered 2019-04-08 12:04:18 +0000
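The procedure above ends with a key log file, and for TLS 1.3 the handshake only decrypts if the right secrets landed in it. The following Python script is an added example (my own code, not from the question or the answer): it reads a key log in the NSS key log format that OpenSSL's -keylogfile writes and Wireshark reads (one "LABEL client_random secret" line per secret) and reports, per connection, whether the handshake and the application data can be decrypted. The hex values in the sample are constructed.

```python
from collections import defaultdict

# TLS 1.3 encrypts every handshake message after ServerHello; these two secrets unlock them.
HANDSHAKE_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
# These two unlock the application data exchanged after the handshake.
APP_DATA_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# Logged secrets are one hash output long: SHA-256 -> 32 bytes, SHA-384 -> 48 bytes.
VALID_SECRET_LENGTHS = {32, 48}

def parse_keylog(text):
    """Parse 'LABEL <client_random hex> <secret hex>' lines into {client_random: {label: secret}}."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are permitted
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        label, client_random, secret = fields
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client_random must be 32 bytes (64 hex chars)")
        sessions[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(sessions)

def assess_session(secrets):
    """Say which parts of one TLS 1.3 connection Wireshark can decrypt from its logged secrets."""
    labels = set(secrets)
    bad_length = sorted(l for l in labels if len(secrets[l]) not in VALID_SECRET_LENGTHS)
    return {
        "handshake": HANDSHAKE_LABELS <= labels and not bad_length,
        "application_data": APP_DATA_LABELS <= labels and not bad_length,
        "missing": sorted((HANDSHAKE_LABELS | APP_DATA_LABELS) - labels),
        "bad_length": bad_length,
        # A lone CLIENT_RANDOM line is the TLS 1.2 master secret; it decrypts nothing in TLS 1.3.
        "tls12_only": labels == {"CLIENT_RANDOM"},
    }

def assess_keylog(text):
    return {cr: assess_session(s) for cr, s in parse_keylog(text).items()}

# Constructed sample: every hex value here is made up for the example, not a real secret.
SAMPLE_KEYLOG = "\n".join(
    [f"{label} {'11' * 32} {'a1' * 32}" for label in sorted(HANDSHAKE_LABELS | APP_DATA_LABELS)]
    + [f"CLIENT_RANDOM {'22' * 32} {'b1' * 48}"]  # 2nd connection: TLS 1.2-style line only
)
if __name__ == "__main__":
    for client_random, verdict in assess_keylog(SAMPLE_KEYLOG).items():
        print(client_random[:16], verdict)
```

Run it against the real file from step 5 instead of SAMPLE_KEYLOG; a connection that shows only CLIENT_RANDOM, or is missing one of the two handshake traffic secrets, will stay encrypted in Wireshark.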
