Problem description

SSL traffic is not being decrypted despite having a correctly defined key.

Solution

The following method verifies if you have the proper private key using OpenSSL:

a) Get the certificate from the wire

 

  • Make sure the traffic is decoded as SSL, i.e. setup the SSL analyzer for this TCP stream in Analyze >> Decode As. Now it will show the SSL details for the packets.
  • Pick the packet which contains the certificate, in this case packet 6.
  • In the packet details expand Secure Socket Layer etc until you get to the certificate itself:

  • Use the context menu (right click) and save the raw data of the certificate with Export Packet Bytes into a file, for example cert.der.
  • With openssl x509 -inform der -in cert.der -text you can have a look at the certificate, with openssl x509 -inform der -in cert.der -outform pem -out cert.crt you can convert it into a PEM format (i.e. what you mean with crt format).

b) create a known text input file

[root@vantageamd tmp]# date > input.txt

[root@vantageamd tmp]# cat input.txt

Tue Jul 6 15:49:51 EDT 2010

 

c) encrypt the known input with the cert

[root@vantageamd tmp]# openssl rsautl -encrypt -inkey cert_10.1.1.122\:443_1.der -certin -keyform der -in input.txt -out output.bin

[root@vantageamd tmp]# less output.bin

"output.bin" may be a binary file. See it anyway?


d) decrypt the encrypted input

[root@vantageamd tmp]# openssl rsautl -decrypt -inkey /usr/adlex/config/keys/newkeys/tss.wtest.pem -in output.bin -out output.txt

 

e) if the decrypt command errors out then you have the wrong key

 

f) if the command does not error compare input to output to verify a match

[root@vantageamd tmp]# cat input.txt output.txt

Tue Jul 6 15:49:51 EDT 2010

Tue Jul 6 15:49:51 EDT 2010

 

Root cause: This is usually a case where the current key is thought to be correct, but it has changed by the web admins without the DC RUM users knowing.

  • No labels