Chrome and Firefox use the same TLS codebase and have a preference for more secure cipher suites. In this case they are probably negotiating a suite that doesn't allow decryption with just the server key.
> On 17 Mar 2014, at 22:13, Robin Wood <ro...@digininja.org> wrote: > > I'm trying to look at decrypting HTTPS/SSL traffic. I've created a > server using openssl: > > openssl s_server -www -cipher AES256-SHA -key server.pem -cert > server.crt -accept 443 > > and connect to it using > > echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect localhost:443 > > I'm then sniffing the traffic using tshark > > tshark -o "ssl.desegment_ssl_records: TRUE" -o > "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: > 127.0.0.1,443,http,/etc/ssl/mine/server.pem" -o "ssl.debug_file: > ./wireshark-log" -i lo -R "tcp.port == 443" -2 > > This has the same server.pem file as the server so it should be able > to decrypt things without any problems. > > Watching the wireshark-log file this works fine and I get cleartext in the > log. > > Same if I connect through curl or wget. > > If I then try through either Firefox or Chrome I get a load of output > in the log but no decrypted data. What would cause this? > > If I use Apache to run the server rather than openssl I don't get any > decryption regardless of what client I get. > > What am I doing wrong? > > I'm getting most of my info from Mark's article from 2010, I've had to > tweak a few bits but there is a difference between what I'm getting > and what Mark got. > > http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html > > Robin > _______________________________________________ > Pauldotcom mailing list > Pauldotcom@mail.securityweekly.com > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom@mail.securityweekly.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
