How to Decrypt SSL and TLS Traffic From Citrix Netscaler With Wireshark

What


In Wireshark, the SSL dissector is fully functional and supports advanced features such as decryption of SSL, but only if the encryption key is provided.


This is useful when troubleshooting Citrix products that use SSL or TLS encryption; in my example, troubleshooting issues with StoreFront. Make sure you understand which SSL certificates you need.


Since, for troubleshooting, you might not want to hand the private key of your certificate to others, there are 2 methods (one for handing a trace out to a 3rd party/support, and one for your own use; the latter is explained here).


Trace


First of all, you need to make sure you have a trace that is readable in Wireshark; Citrix has an article about how to do this (CTX120941).




Certificate


Wireshark can decrypt SSL traffic provided that you have the private key. The private key has to be in an unencrypted PKCS#8 PEM (RSA) format. If the file is binary, it is likely to be in DER format, which cannot be used in Wireshark.

You can use OpenSSL to convert the key. For example, to convert a PKCS#8 DER key to an unencrypted PKCS#8 PEM format (RSA) key, enter the following command:

openssl pkcs8 -nocrypt -in der.key -inform DER -out pem.key -outform PEM
  • der.key is the file name and path to the DER key file
  • pem.key is the file name and path to the PEM key file output

An unencrypted PKCS#8 PEM format (RSA) key should look similar to the following screenshot:



Wireshark


Start Wireshark and open the network capture (the encrypted SSL should look similar to the following screenshot):



From the menu, go to Edit > Preferences:



Expand Protocols in the Preferences window:



Scroll down and select SSL:



Type the following information in the RSA keys list field, in the format:

<ip>,<port>,<protocol>,<key_file_name>

Note:
  • <ip> is the IP address of the server/appliance that holds the private key
  • <port> is usually 443 for SSL/TLS
  • <protocol> is usually http
  • <key_file_name> is the location + file name of the private key


There are no spaces between the commas. If you need to decrypt traffic for more than 1 key, a list of private RSA keys can be entered, using semicolons to separate the entries:

<ip>,<port>,<protocol>,<key_file_name>;<ip>,<port>,<protocol>,<key_file_name>;<ip>,<port>,<protocol>,<key_file_name>
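The two things that most often go wrong in the steps above are a key file that is not in the unencrypted PEM form Wireshark accepts, and an RSA keys list entry with a stray space or separator that Wireshark then ignores. The following Python script is an added example (not part of the original article or of any Citrix/Wireshark tooling) that checks a key file's format and builds the keys list string; the sample PEM text and the paths/addresses in it are constructed placeholders.

```python
"""Check a key file is in the form Wireshark needs, and build the RSA keys list."""
import ipaddress
from typing import Iterable, Tuple

# PEM armour headers and what they mean for Wireshark's RSA key import.
PEM_USABLE = {
    "-----BEGIN PRIVATE KEY-----": "unencrypted PKCS#8 PEM (what Wireshark wants)",
    "-----BEGIN RSA PRIVATE KEY-----": "unencrypted PKCS#1 PEM (also accepted)",
}
PEM_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"

def classify_key(data: bytes) -> Tuple[bool, str]:
    """Return (usable_by_wireshark, reason) for the raw bytes of a key file."""
    if data[:1] == b"\x30":  # DER always begins with an ASN.1 SEQUENCE tag
        return False, "binary DER: convert with 'openssl pkcs8 -nocrypt -inform DER -outform PEM'"
    text = data.decode("ascii", errors="replace").strip()
    header = text.splitlines()[0] if text else ""
    if header == PEM_ENCRYPTED or "Proc-Type: 4,ENCRYPTED" in text:
        return False, "passphrase-protected PEM: remove the passphrase ('openssl pkcs8 -nocrypt') first"
    if header in PEM_USABLE:
        return True, PEM_USABLE[header]
    return False, f"unrecognised key format (first line: {header!r})"

def rsa_keys_list(entries: Iterable[Tuple[str, str, str, str]]) -> str:
    """Build '<ip>,<port>,<protocol>,<key_file_name>' entries joined by ';'.

    Rejects values that would make Wireshark silently skip the entry: bad
    addresses or ports, and fields containing spaces or the separators."""
    parts = []
    for ip, port, proto, path in entries:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port {port!r}")
        for field in (ip, port, proto, path):
            if "," in field or ";" in field or field != field.strip():
                raise ValueError(f"field {field!r} contains a separator or stray whitespace")
        parts.append(f"{ip},{port},{proto},{path}")
    return ";".join(parts)

# Constructed sample: the shape of an unencrypted PKCS#8 PEM file, not a real key.
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(classify_key(SAMPLE_PEM))
    print(rsa_keys_list([("192.0.2.10", "443", "http", "/keys/pem.key")]))
```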

Now type a location and file name for a debug file in the SSL debug file field. Wireshark then decrypts the SSL traffic (the decrypted SSL should look similar to the following screenshot):



For more information about OpenSSL and Wireshark:

