Use OpenSSL to decrypt TLS session from PCAP files

Matt Caswell matt at openssl.org
Tue Dec 8 15:46:00 UTC 2020



On 08/12/2020 15:28, Oren Shpigel wrote:
> Hi, thanks for the answer.
> 
> I know Wireshark and ssldump have this capability, but I'm looking for a
> way to do it in my own software in C++ (using OpenSSL, if possible, but
> open to other suggestions as well).

Unfortunately OpenSSL does not support this capability. It obviously
supports all the required low-level crypto primitives to do it - but you
would have to put them together yourself, as well as do all the packet
parsing, etc. This would be ... difficult. :-)

Matt


> 
> On Tue, Dec 8, 2020 at 4:32 PM Dr. Matthias St. Pierre
> <Matthias.St.Pierre at ncp-e.com> wrote:
> 
>     Do you need to integrate the decryption into your own software, or
>     are you just looking for a possibility to monitor and view the
>     traffic?
> 
>     If it’s the latter, try and take a look at the SSL decryption
>     support that Wireshark provides.
> 
>     https://wiki.wireshark.org/TLS
> 
>     https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/
> 
>     hth,
> 
>     Matthias
> 
>     Disclaimer: I haven’t used it for TLS myself, only for IPsec, and I
>     can’t tell how up-to-date it is, in particular whether it is TLS 1.3
>     ready.
> 
> 
>     From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Oren Shpigel
>     Sent: Tuesday, December 8, 2020 3:15 PM
>     To: openssl-users at openssl.org
>     Subject: Use OpenSSL to decrypt TLS session from PCAP files
> 
>     Hi,
> 
>     I generated a PCAP file with a TLS session, and I have the matching
>     private key used by my HTTPS server.
>     The TLS session is not using DH for key exchange, so it should be
>     possible to decrypt.
>     I know OpenSSL can be used to connect to a socket to "actively"
>     handle the TLS session, but is there a way to "passively" decode and
>     decrypt a session?
>     How can I "feed" the packets (both directions) into the OpenSSL
>     library?
> 
>     Thanks!
> 

