I have traffic between clients (which send XML over HTTPS) and my IIS. I tried to decrypt the traffic using Wireshark and the following settings: add the private key:
But even after setting this I can't see the decrypted data:
Should I change any other settings to see the original data?
If you look at Wireshark, you will see a client hello packet right after the three-way handshake. You can also see the TLS version, 28-byte random number, all supported cipher suites, and session ID in the packet.
At the same time, TLS 1.2 provides improvements to both the client's and the server's ability to designate algorithms for the hash and the signature. TLS 1.2 also supports increased authentication encryption and adds TLS extensions and AES cipher suites.
There is a strong possibility that a Diffie-Hellman (DH) key exchange is being used here. In that case Wireshark cannot decipher SSL/TLS with a private key. You can check for this in the handshake packet.
From the Docs:
The RSA private key file can only be used in the following circumstances:
- The cipher suite selected by the server is not using (EC)DHE.
- The protocol version is SSLv3, (D)TLS 1.0-1.2. It does not work with TLS 1.3.
- The private key matches the server certificate. It does not work with the client certificate, nor the Certificate Authority (CA) certificate.
- The session has not been resumed. The handshake must include the ClientKeyExchange handshake message.
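To make the "check the handshake packet" step concrete, here is an added example (not from the answer above or from Wireshark) that parses a constructed TLS ServerHello record, reads the negotiated cipher suite and session ID, and applies the four conditions quoted from the docs to decide whether the server's RSA private key can decrypt the session. The cipher-suite table is a small hand-picked subset of the IANA registry, and TLS 1.3 is detected by its 0x13xx suite codes (an assumption that holds because those suites are only negotiated for TLS 1.3).

```python
import struct

# Subset of IANA cipher-suite codes -> (name, key-exchange method). Assumption: enough
# entries to cover the common RSA, DHE, ECDHE and TLS 1.3 cases; extend as needed.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
}

def build_server_hello(version: int, session_id: bytes, suite: int) -> bytes:
    """Construct a minimal TLS record (type 22) carrying a ServerHello, for offline testing."""
    body = (struct.pack("!H", version) + bytes(32)            # version + 32-byte random
            + bytes([len(session_id)]) + session_id           # session ID
            + struct.pack("!H", suite) + b"\x00")             # cipher suite + null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body        # handshake type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs

def parse_server_hello(record: bytes) -> dict:
    """Return version, session ID and cipher suite from a TLS record holding a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a Handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:
        raise ValueError("not a ServerHello")
    body = hs[4:]                                  # skip 1-byte type + 3-byte length
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                             # 2 bytes version + 32 bytes random
    session_id = body[35:35 + sid_len]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return {"version": version, "session_id": session_id, "cipher_suite": suite}

def rsa_key_decryption_possible(hello: dict, client_session_id: bytes = b"") -> tuple:
    """Apply the docs' conditions; client_session_id is the ID the ClientHello offered."""
    name, kx = CIPHER_SUITES.get(hello["cipher_suite"], ("unknown", "unknown"))
    if kx == "TLS1.3":
        return False, f"{name}: TLS 1.3, the RSA key file never works"
    if kx in ("DHE", "ECDHE"):
        return False, f"{name}: (EC)DHE key exchange, private key cannot decrypt"
    if hello["session_id"] and hello["session_id"] == client_session_id:
        return False, f"{name}: session resumed, no ClientKeyExchange to decrypt"
    if kx == "RSA":
        return True, f"{name}: RSA key exchange, server private key can decrypt"
    return False, f"{name}: unrecognised cipher suite"
```

Feed the function the cipher suite and session ID Wireshark shows in the real ServerHello to get the same verdict for a capture; if the answer is no, the (pre-)master secret log is the alternative Wireshark supports.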