RE: How to decrypt a Wireshark capture of an MQTTS connect from nRF9160 to AWS

Burt — Mon, 03 Feb 2025 14:48:31 GMT

Thanks, but no, I don't believe so; the server is the AWS IoT broker.

RE: How to decrypt a Wireshark capture of an MQTTS connect from nRF9160 to AWS

AlanIoT — Mon, 03 Feb 2025 11:07:42 GMT

I'd also recommend encrypting your Data via PSK so it can be decrypted directly in wireshark using the method Achim describes. Is this an option?

RE: How to decrypt a Wireshark capture of an MQTTS connect from nRF9160 to AWS

Achim Kraus — Sat, 01 Feb 2025 07:08:43 GMT

To see the decrypted messages depends on the selected cipher suite.

If a PSK without ??DHE cipher suite is used, it's quite easy to add the secret to the "settings->protocols->TLS" in the field "Pre-Shared Key". But your capture shows certificates, so that will not apply.

With certificates usually ??DHE (Diffie–Hellman Ephemeral Key Exchange) is used, so decryption only works, if one of the sides is able to export the "Pre-Master-Secret". I don't know, if AWS endpoints provide that data. Nor, if the device is able to provide that. (I run my own CoAP/DTLS 1.2 CID endpoints, and for such tests I'm usually switch to PSK.)

(An not too easy alternative would be to run a own cloud vm with an TLS-TCP-TLS-forward. That will come with it's own certificates and the device must redirect the connection to that and update the trust store as well. Then you may be able to do "the man in the middle attack" (that's only possible, because you add the trust to that "man in the middle").)