User Guide

TLS Decryption

3 min read

The Decrypt SSL Traffic profile setting allows users to decrypt SSL traffic within a capture file. SSL traffic can only be decrypted if the user has access either to the appropriate RSA key, or a client keylog file.

Note that RSA keys must be imported and shared by admin users. See the section on RSA key management in the Admin Guide for more information on adding and managing keys.

Client Keylog File

The client keylog data can be pasted into CloudShark and used for SSL decryption. Additionally the upload API method supports uploading a keylog file when a capture file is uploaded.

Web browsers like Firefox and Chrome are able to save keys used when visiting websites. Here is how to generate the SSL keylog file using Firefox. The openssl command-line client is also able to generate a keylog.

RSA Server Keys

An RSA key can be dragged from the box of Available Keys to the Active RSA Keys box. Multiple unique decryption rules can be defined for each capture. Once a valid decryption rule has been configured and applied, the SSL traffic for that rule will be automatically decrypted and visible in the decode window.

Following SSL streams

Once an SSL session has been decrypted, CloudShark provides a tool for following SSL streams. This tool can be used to provide the familiar follow stream view for decrypted SSL streams. The Follow SSL analysis tool menu option will be active for captures that have SSL decryption rules applied.

Potential Problems

Sometimes SSL decryption may now work as expected. Here are some reasons why SSL traffic may not be decrypted.

Diffie-Hellman

You can not use decryption if a Diffie-Hellman based cipher is in use. Look at the SSL exchange and look for the Server Hello message. This will normally report the chosen cipher. If it contains a DH, then Diffie-Hellman is in use and the decryption using the SSL server key will not work. For example view the following capture using the filter expression ssl.handshake.type == 2.

SSL With Diffie-Hellman

One potential work around is to reconfigure your server to exclude Diffie-Hellman based Ciphers.

SSL Session Reuse

You can not use decryption if your SSL session was reused and the full SSL handshake is not in your capture. If you are having trouble with SSL decryption and suspect SSL Session Reuse try using the following filter expression:

!ssl.handshake.session_ticket || ssl.handshake.session_id_length == 0

If any packets match this filter expression it is likely that the SSL was used during this capture and the full handshake may not have been captured.

Here are a couple of example captures to show the difference between the full SSL handshake, and one where an SSL session was reused.

SSL Capture With Full Handshake

SSL Capture With Session Reuse

Here is also an article which describes SSL session reuse and includes a diagram to explain the handshake in both cases.

Possible work arounds to avoid SSL session reuse include configuring your server to disable SSL session reuse or clearing any SSL caches created by the client before capturing SSL traffic.