Fwd: Trying to generate a RSA private key

mary mary maryryma4 at gmail.com
Wed Feb 16 19:19:13 UTC 2022

Hi Victor,
Thanks for advising me and for the links.
I'm learning a lot, despite the bad news ....


Kind regards


Il giorno mer 16 feb 2022 alle ore 15:30 Viktor Dukhovni <
openssl-users at dukhovni.org> ha scritto:

> On Wed, Feb 16, 2022 at 11:16:03AM +0100, mary mary wrote:
> > But now the issue would become different, and I'll try to share it
> > possibly even if the subject changes, in case i could get advice.  I
> > needed the private key for adding it in wireshark for decoding some
> > encrypted messages exchanged between "my" server and a client.  If the
> > private key does not exist, how we could decode the messages?
> Well, now that we're past the XY problem, there's good news and bad
> news.
> Good news:
>     * If you control the server, the server's private key is typically
>       stored in the server's private key file (possible same as its
>       certificate file).  If the server is OpenSSL rather than Java
>       based, it would typically already be in PEM format, ...
> Bad news:
>     * Even with the server's private key, you generally can't decrypt TLS
>       traffic, when, as is typical and best-practice, the negotiated
>       cipher has forward-secrecy (uses DH or ECDH key exchange).
> To actually decode the traffic, you'd need to configure the server or
> client to record the session "master secret".  A client-side example
> is discussed in:
> https://resources.infosecinstitute.com/topic/decrypting-ssl-tls-traffic-with-wireshark/
> Alternatively, In the blog post at:
> https://blog.didierstevens.com/2020/12/14/decrypting-tls-streams-with-wireshark-part-1/
> there's an example which downgrades the client TLS parameters to use at
> most TLS 1.2 and RSA key transport (instead of DH), which then makes it
> it possible to use the server's private key to decrypt the traffic.
> --
>     Viktor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220216/595b61fa/attachment.htm>

More information about the openssl-users mailing list