node_pcap
How to import RSA private key through pcap?
I'm going to use node_pcap to analyze HTTP traffic, which includes HTTPS. I know tools like Wireshark have a way to import the RSA key; is there any way I can use node_pcap + libpcap to do the same thing?
No, you are either going to have to do your own decryption or use a tool like ssldump to do the decryption first, though this will not result in a file usable by node_pcap.
If you want to contribute an implementation of decryption, I think that'd be great. :)
^this
Will try to see what I can do.
I have also looked into this, and unless there is someone who is already familiar with (or has a lot of time for learning) the basics of SSL, this is a rather daunting task.
For starters, Node's own ssl and tls modules both rely on openssl and these SecureContext native bindings.
SSL programming with openssl is explained here. On the client side, it boils down to a connection being managed by openssl itself (established through SSL_connect):
Call SSL_connect() (in the client) or SSL_accept() (in the server) to perform the SSL handshake. Certificate verification is performed during the handshake. SSL_get_verify_result() cannot obtain the result before the verification process.
Not sure if one can easily detach the transport from the security layer. Maybe piping from pcap to openssl would make things easier. Also note that whatever the mechanism, decryption must be handled before filtering.
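An added example, not part of the thread or of node_pcap: a first step for anyone attempting their own decryption is to check whether a captured session can be decrypted with the server's RSA key at all, which is only the case when the ServerHello selects a static-RSA key exchange suite. The function names and the sample bytes are constructed for illustration; the input is assumed to be the reassembled TCP payload as a Node `Buffer`.

```javascript
// Added example: classify a captured TLS ServerHello by key exchange.
// Suites with static RSA key exchange (IANA ids); only these are decryptable
// offline from the server's RSA private key.
const RSA_KEX_SUITES = new Map([
  [0x0004, 'TLS_RSA_WITH_RC4_128_MD5'],
  [0x0005, 'TLS_RSA_WITH_RC4_128_SHA'],
  [0x000a, 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'],
  [0x002f, 'TLS_RSA_WITH_AES_128_CBC_SHA'],
  [0x0035, 'TLS_RSA_WITH_AES_256_CBC_SHA'],
  [0x003c, 'TLS_RSA_WITH_AES_128_CBC_SHA256'],
  [0x003d, 'TLS_RSA_WITH_AES_256_CBC_SHA256'],
  [0x009c, 'TLS_RSA_WITH_AES_128_GCM_SHA256'],
  [0x009d, 'TLS_RSA_WITH_AES_256_GCM_SHA384'],
]);

// Parse the first TLS record of a TCP payload; null unless it holds a
// complete ServerHello (record type 0x16, handshake type 0x02).
function parseServerHello(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) return null;
  const recLen = buf.readUInt16BE(3);
  if (buf.length < 5 + recLen) return null;       // record spans more segments
  const hs = buf.subarray(5, 5 + recLen);
  if (hs.length < 4 || hs[0] !== 0x02) return null;
  const bodyLen = hs.readUIntBE(1, 3);
  if (hs.length < 4 + bodyLen) return null;       // message spans more records
  const body = hs.subarray(4, 4 + bodyLen);
  if (body.length < 35) return null;              // version(2) + random(32) + sid len(1)
  const off = 35 + body[34];                      // skip session id
  if (body.length < off + 3) return null;         // suite(2) + compression(1)
  return { version: body.readUInt16BE(0), cipherSuite: body.readUInt16BE(off) };
}

function classify(payload) {
  const sh = parseServerHello(payload);
  if (!sh) return { decryptable: false, reason: 'no complete ServerHello' };
  const name = RSA_KEX_SUITES.get(sh.cipherSuite);
  if (name) return { decryptable: true, suite: name, reason: 'static RSA key exchange' };
  const id = '0x' + sh.cipherSuite.toString(16).padStart(4, '0');
  return { decryptable: false, suite: id, reason: 'not static RSA (DHE/ECDHE or TLS 1.3)' };
}

// Constructed sample: minimal TLS 1.2 ServerHello, empty session id, no extensions.
function sampleServerHello(suite) {
  const body = Buffer.concat([Buffer.from([0x03, 0x03]), Buffer.alloc(32, 0xab),
    Buffer.from([0x00, suite >> 8, suite & 0xff, 0x00])]);
  const hs = Buffer.concat([Buffer.from([0x02, 0x00, 0x00, body.length]), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x03, 0x00, hs.length]), hs]);
}
```

A `decryptable: true` result only means the key exchange permits it; the full handshake, including the ClientKeyExchange, must still be present in the capture.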