Networking: how do I decrypt the TLS/SSL packet contents in a Wireshark pcapng log file?
I have a PEM key and an RSA key at hand. When I try to analyze the Wireshark pcapng file logged on my network node, the TLS-encrypted TLS/SSL packet contents cannot be decrypted, as shown below:
The PEM key information printed with openssl (x509) looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
17:.......................:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Seattle, O=changeme changeme Company, OU=IT, CN=changeme Corporate Issuing CA 01
Validity
Not Before: Sep 9 09:27:27 2019 GMT
Not After : Sep 8 09:27:27 2020 GMT
Subject: C=US, ST=DC, L=ST, O=changeme changeme Company, OU=IT, CN=cmeptgapp.changeme.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00..........................................d4:
..............
eb..........................................af:
44:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FA:58:...................3C:88
X509v3 Authority Key Identifier:
keyid:AB:1......................................:21
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.changeme.com/pki/tdtd
Authority Information Access:
CA Issuers - URI:http://crl.changeme.com/pki/dtfh.crt
OCSP - URI:http://whoknows.changeme.com/whoknows
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3............d...
X509v3 Extended Key Usage:
TLS Web Server Authentication
1............10:
.
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.45807.509.1.2
CPS: http://nobody.changeme.com/policies/nobodykonows.html
X509v3 Subject Alternative Name:
DNS:cmeptgapp.changeme.net
Signature Algorithm: sha256WithRSAEncryption
05................................................:e4:
......................................................................
...................................................:7b
I have tried to decrypt the packet contents in the following ways:
1. Editing wireshark/preference/protocol/ssl/RSA keys
2. The editcap command
But unfortunately none of them worked; perhaps I used the wrong commands. How can I solve this problem?

The client and server may be exchanging keys with perfect forward secrecy (such as ECDH, DHE-RSA, ECDHE-RSA or ECDHE-ECDSA). Check the first two packets of the TLS session.

When a Diffie-Hellman key exchange is used, you cannot decrypt the TLS traffic if you only have the private RSA key. Instead, you need to use an SSLKEYLOGFILE to record each session's secrets, as described in

Another option is to decrypt the TLS traffic with a TLS proxy (such as or).

Thanks for your reply. But the SSLKEYLOGFILE seems to work only on the client side, since it is generated by the client? Is there a way to generate an SSLKEYLOGFILE on the server side so that every packet passed to the https server can be decrypted?

@Tony: SSLKEYLOGFILE support on the server side is still rare, but the situation is changing. OpenSSL 1.1.1 includes support for SSLKEYLOGFILE. See also the SE thread on . However, the more common solution is to use an external TLS-terminating proxy to perform the decryption. You will then be able to capture/inspect the plaintext HTTP between the TLS proxy and the web server.
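As an added example (not code from the question or the answers), the following Python script does what the comment above recommends: it parses a TLS ServerHello record, reads the negotiated cipher suite and the supported_versions extension, and reports whether the server's static RSA private key is enough for Wireshark to decrypt the session, or whether (EC)DHE / TLS 1.3 was negotiated, in which case only SSLKEYLOGFILE secrets will work. The cipher-suite table is a small subset of the IANA registry, and the ServerHello bytes are constructed inline rather than taken from the asker's capture.

```python
import struct
# Subset of IANA cipher suite IDs -> names (added for this example).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

def parse_server_hello(record: bytes) -> tuple:
    """Return (negotiated_version, cipher_suite_id) from one TLS record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 2:          # handshake record, ServerHello
        raise ValueError("record is not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                             # skip legacy_version + random
    pos += 1 + hello[pos]                    # skip session_id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                 # cipher_suite + compression
    if pos + 2 <= len(hello):                # extensions are optional in 1.2
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == 0x002B:              # supported_versions => TLS 1.3
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return version, cipher

def rsa_private_key_suffices(version: int, cipher: int) -> bool:
    """True only for static RSA key transport; (EC)DHE and TLS 1.3 need SSLKEYLOGFILE."""
    return version < 0x0304 and CIPHER_SUITES.get(cipher, "").startswith("TLS_RSA_WITH_")

def build_server_hello(cipher: int, tls13: bool = False) -> bytes:
    """Constructed sample ServerHello (zero random, empty session id)."""
    hello = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    ext = struct.pack("!HHH", 0x002B, 2, 0x0304) if tls13 else b""
    hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for cs, t13 in ((0x009C, False), (0xC02F, False), (0x1301, True)):
        v, c = parse_server_hello(build_server_hello(cs, t13))
        print(f"{CIPHER_SUITES[c]}: RSA private key decrypts = {rsa_private_key_suffices(v, c)}")
```

On a real capture, feed it the bytes of the ServerHello record (the second handshake message of the session) exported from Wireshark; a False result means the RSA-keys preference will never decrypt that session and you need the key log or a terminating proxy instead.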