概述
本文针对使用ECDHE(_RSA)秘钥交换算法的ssl/tls。背景知识在此不详述,
背景知识可参考:SSL/TLS 原理详解 TLS协议分析 与 现代加密通信协议设计 App安全之网络传输安全
更深入的资料请查看:深入研究SSL
以下是ecdhe的描述,可以看出对传输数据的加解密是使用临时生成的秘钥(对称秘钥)进行的:
ECDHE - Elliptic Curve Diffie-Hellman with Ephemeral keys. This is the key exchange method. Diffie-Hellman key exchanges which use ephemeral (generated per session) keys provide forward secrecy, meaning that the session cannot be decrypted after the fact, even if the server's private key is known. Elliptic curve cryptography provides equivalent strength to traditional public-key cryptography while requiring smaller key sizes, which can improve performance. Additionally, they serve as a hedge bet against a break in RSA.
在wireshark针对不同的秘钥交换算法采用不同的解密方式,针对ECDHE_(RSA)不能配置服务器的私钥文件来解密:
1.解密https数据包(浏览器)
具体参考: 用Wireshark轻松解密TLS浏览器流量
2.解密非https数据包
可从wireshark的wiki资料(https://wiki.wireshark.org/SSL)中解决方法。
思路:在通讯方(客户端或服务端)加上类似aop的插件jar(使用-javaagent 机制),来获取每次请求的临时秘钥,打印成wireshark可识别格式的日志,wireshark识别获取临时秘钥,解密数据。
Using the (Pre)-Master-Secret
Decoding an SSL connection requires either knowledge of the (asymmetric) secret server key and a handshake that does not use DH or the (base of) the symmetric keys used to run the actual encryption. Support was added to Wireshark with SVN revision 37401 to do this, so it became available with Wireshark 1.6. For instructions look at this question on ask.wireshark.org
Since SVN revision 36876, it is also possible to decrypt traffic when you do not possess the server key but have access to the pre-master secret. For more details, see this security.stackexchange.com answer or this step-by-step walkthrough. That answer also contains some suggestions on finding out why SSL/TLS sessions do not get decrypted. In short, it should be possible to log the pre-master secret to a file with a current version of Firefox, Chromium or Chrome by setting an environment variable (SSLKEYLOGFILE=</path/to/private/directory/with/logfile>).
Applications using OpenSSL could use a GDB or a LD_PRELOAD trick to extract the secrets. If you do not mind recompiling Qt4/Qt5 with a patch, then see this blog with details. For Java programs, pre-master secrets can be extracted from the SSL debug log, or output directly in the format Wireshark requires via this agent.
注意:将agent jar部署 在我的服务端监听的时候,会报出空指针异常,应下载修改空指针的版本,或手动判空。
可获取修复空指针的版本:https://sourceforge.net/p/jsslkeylog/code/HEAD/tree/
具体的操作步骤
1.解压插件,在启动应用时添加参数(我本地使用的ide是intellij idea,可在VM options上添加)
2.在wireshark中配置(Pre)-Master-Secret log filename,
点击Edit- Prefences - Protocols - SSL,右侧会出现(Pre)-Master-Secret log filename文件选择框。启动应用后,会根据 -javaagent:C:\Users\yl1212\Desktop\jSSLKeyLog.jar=C:\Users\yl1212\Desktop\sessionkey_logfile.log 生成临时秘钥文件,(Pre)-Master-Secret log filename选择这个文件。
3.解密之后,点击报文下方的“Decrypted SSL Data”选项卡,即可查看解密后的数据: