Decrypt TLS1.2 Websocket traffic
We want to decrypt websocket traffic to analyse the used protocol. The traffic is between a pc-system (windows) and an embedded system. All certificates are available with private keys and everything is set up in a laboratory environment.
When I capture the traffic with Wireshark I can see the key exchange and the ciphersuite which is used. I my case is it TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
.
After searching the Internet, I realized that traffic with this cipher suite can only be decrypted using SSLKEYLOGFILE in Wireshark.
As a first idea, I wanted to change the cipher suite in my Windows system and use a cipher suite that is less secure and can be decrypted using RSA keys. This didn't work and I haven't found a way to do this.
Can anyone tell me how to set the Client Cipher Suite in Windows? Everything I found related to the IIS.
Another idea was to use sslsplit to write an SSLKEYLOG file to use in Wireshark. I can connect using sslsplit. The SSLKEYLOG file is created but remains empty. I used the following command:
sslsplit -D -M sslkey.log -R tls12 -l conn.log -X capture.pcap -P -k ca-key.pem -c ca.crt ssl 192.168.40.130 8443 10.10.11.170 8443
Does anyone have an idea why this is not working?