Fatal编程技术网
  • networking/
  • Networking 如何解密wireshark pcapng日志文件中的TLS/SSL包内容?

Networking 如何解密wireshark pcapng日志文件中的TLS/SSL包内容?

networking certificate

Networking 如何解密wireshark pcapng日志文件中的TLS/SSL包内容?,networking,certificate,ssl-certificate,wireshark,wireshark-dissector,Networking,Certificate,Ssl Certificate,Wireshark,Wireshark Dissector,我手头有PEM密钥和RSA密钥,当我试图分析登录到我的网络节点上的wireshark pcapng文件时,tls加密的tls/ssl包内容无法解密,如下所示: Certificate: Data: Version: 3 (0x2) Serial Number: 17:.......................:5d Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washing

我手头有PEM密钥和RSA密钥,当我试图分析登录到我的网络节点上的wireshark pcapng文件时,tls加密的tls/ssl包内容无法解密,如下所示:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        17:.......................:5d
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, ST=Washington, L=Seattle, O=changeme changeme Company, OU=IT, CN=changeme Corporate Issuing CA 01
    Validity
        Not Before: Sep  9 09:27:27 2019 GMT
        Not After : Sep  8 09:27:27 2020 GMT
    Subject: C=US, ST=DC, L=ST, O=changeme changeme Company, OU=IT, CN=cmeptgapp.changeme.net
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00..........................................d4:
                ..............
                eb..........................................af:
                44:6f
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            FA:58:...................3C:88
        X509v3 Authority Key Identifier: 
            keyid:AB:1......................................:21

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.changeme.com/pki/tdtd

        Authority Information Access: 
            CA Issuers - URI:http://crl.changeme.com/pki/dtfh.crt
            OCSP - URI:http://whoknows.changeme.com/whoknows
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        1.3............d...
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        1............10: 
           .
        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.45807.509.1.2
              CPS: http://nobody.changeme.com/policies/nobodykonows.html

        X509v3 Subject Alternative Name: 
            DNS:cmeptgapp.changeme.net
Signature Algorithm: sha256WithRSAEncryption
     05................................................:e4:
     ......................................................................
     ...................................................:7b

使用openssl(x509)打印的pem密钥信息如下所示:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        17:.......................:5d
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, ST=Washington, L=Seattle, O=changeme changeme Company, OU=IT, CN=changeme Corporate Issuing CA 01
    Validity
        Not Before: Sep  9 09:27:27 2019 GMT
        Not After : Sep  8 09:27:27 2020 GMT
    Subject: C=US, ST=DC, L=ST, O=changeme changeme Company, OU=IT, CN=cmeptgapp.changeme.net
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00..........................................d4:
                ..............
                eb..........................................af:
                44:6f
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            FA:58:...................3C:88
        X509v3 Authority Key Identifier: 
            keyid:AB:1......................................:21

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.changeme.com/pki/tdtd

        Authority Information Access: 
            CA Issuers - URI:http://crl.changeme.com/pki/dtfh.crt
            OCSP - URI:http://whoknows.changeme.com/whoknows
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        1.3............d...
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        1............10: 
           .
        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.45807.509.1.2
              CPS: http://nobody.changeme.com/policies/nobodykonows.html

        X509v3 Subject Alternative Name: 
            DNS:cmeptgapp.changeme.net
Signature Algorithm: sha256WithRSAEncryption
     05................................................:e4:
     ......................................................................
     ...................................................:7b
我已尝试通过以下方式解密包内容:

1。编辑wireshark/preference/protocol/ssl/RSA密钥

2.editcap命令

但不幸的是没有人工作,可能是我用错了命令。如何解决这个问题?

客户端和服务器可能使用完美的前向保密性(如ECDH、DHE-RSA、ECDHE-RSA或ECDHE-ECDSA)交换密钥。检查TLS会话中的前两个数据包

在使用Diffie-Hellman密钥交换时,如果您只有专用RSA密钥,则无法解密TLS通信量。相反,您需要使用SSLKEYLOG文件记录每个会话的机密,如中所述

另一种选择是使用TLS代理(如or)解密TLS流量。

谢谢您的回复。但是SSLKEYLOG文件似乎只在客户端工作,而客户端是由客户端生成的?这里有没有一种方法可以在服务器端生成SSLKEYLOGFILE文件来解密传递给https服务器的每个包?@Tony:SSLKEYLOGFILE在服务器端的支持仍然很少,但情况正在发生变化。OpenSSL 1.1.1包括对SSLKEYLOGFILE的支持。另外,请参见上的SE线程。但是,更常见的解决方案是使用外部TLS终止代理来执行解密。然后,您将能够捕获/检查TLS代理和web服务器之间的明文HTTP。