Hello. I am trying to decrypt the SSL/TLS an application is making. I have my host running wireshark and charles proxy as well as the app I am trying to investigate the packets. I have CharlesProxy, proxying the host and have trusted the cert. Charles proxy can successfully view decrypted ssl https requests. However I can't get Wireshark to decrypt anything, can't get it to decrypt the https nor what I am really interested in, the SIP packets. I can't seem to get Wireshark to decrypt the packets. I have exported the charles proxy certificate and under Wireshark settings, Protocols, SSL, then RSA Key List, I then set the following values; IP address: any, port: , Protocol: , Key File: /directory/to/charlesproxy/cert.p12, Password: Password that I set in charles proxy when exporting the cert. That did not work. I also tried using openssl to convert the cert into a .pem file so I could read the decrypted private key, then copying that into a separate file that only contained the "beginning private key" and "ending private key". Then plugging that into Wireshark SSL settings. However both ways yielded no results, all TLS packets seems to be encrypted. Can someone confirm which method is correct. The only other thing I can think of is at one point i thought I saw some packet say the cipher was switched to EC DH which I know WireShark doesn't support. If I have followed the correct method for getting it to decrypt, is there anyway to force the applications/ charles proxy not to use EC DH? *May have been EC DHE, I appear to not have saved that capture. Any help or advice would be appreciated, I have been scratching my head for a couple days now!
*Please let me know if any further clarification is needed
No comments:
Post a Comment