This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting traffic using pre-shared key


Hi,

Due to security restrictions I can only get a private key on a certain PC. I saved the trace and pre-shared key so I could look at it on my laptop; however, when I configure the SSL preferences to use this key I can see in the SSL debug file that the traffic is being decrypted, but in Wireshark itself it is still showing the encrypted traffic.

Most likely I'm doing something wrong but not sure what. I configured this under Protocol Preferences | SSL:

SSL Debug file: c:\wireshark-ssl-debug.log
(Pre)-Master-Secret log filename: c:\session-key.txt

I left all the other settings default.

Using build 44520 (1.8.2). Has anyone successfully used this option?

Many thanks, Edward

asked 04 Sep '12, 15:51


Edward


One Answer:


Yes, I have used this option repeatedly.

There is however a bug. When you point to the correct key file and click OK, focus comes back to the main window and not to the SSL protocol preferences. Since that window is behind the main window, you don't notice that you need to click on OK in the SSL protocol preferences to make the new settings active.

If it is still not working for you, is your file session-key.txt in the following format:

RSA Session-ID:63375a39fd0e5c4a527b3e460e1e7c55f2083c1f0b236f58cca20f9c8af9d9b6 Master-Key:f3671e0b55fa8897034884d177e69c6bdd019b9e63e96d7af1b0d846835d5638edbbdbeb97e70edb84076b764f14b219

... and is there an entry for each SSL SessionID found in your trace (look at the ServerHello messages)?

If that does not help you, can you post the capture file (you can leave out the application data) on www.cloudshark.org and post the contents of the session-key.txt file here for further analysis?

answered 04 Sep '12, 23:18


SYN-bit ♦♦

edited 05 Sep '12, 01:54


grahamb ♦

Hi,

The key etc. is definitely 'accepted', as when I look in the debug file I can see the decrypted traffic. Are you running the same build or an older one?

Thanks, Edward

(05 Sep '12, 16:47) Edward

I recently used version 1.8.2 (official release) at a customer and could use the SSL session key log to decrypt traffic. On my own system I use 1.9.0 SVN 44562 at the moment.

I'm just wondering, what protocol is inside the SSL traffic and is it using a standard port? Do you see the "Finished" handshake messages or does the SSL negotiation end with "Encrypted Handshake"?

(05 Sep '12, 23:34) SYN-bit ♦♦

Hi,

The protocol being used is HTTP and yeah, it is using a different port. The SSL negotiation finishes with an 'Encrypted Handshake Message' and the packet after that is from the client with Application Data, which Wireshark sees as TLSv1.

Thanks, Edward

(09 Sep '12, 06:15) Edward

I am seeing the same problem as Edward. I did the following from the command prompt:

set SSLKEYLOGFILE=c:\sslKeyLogOWA.txt
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

then I accessed the HTTPS website from the opened browser to get the session keys and pointed Wireshark's SSL protocol to the created sslKeyLogOWA.txt file.

As I continue to browse the site in Chrome, I see the HTTPS traffic pass through, but Following SSL Stream returns an empty window.

I can't seem to find the ServerHello mentioned by SYN-bit. Is it in the TCP section of the header?

(29 Nov '13, 07:26) net_tech

I just looked at the sslKeyLogOWA.txt. I have a CLIENT_RANDOM field instead of Master-Key. Is this why I am not able to decrypt the traffic?

(29 Nov '13, 07:31) net_tech
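As an added example (not code from this thread or from Wireshark), the Python below checks a (Pre)-Master-Secret log file the way the answer suggests: it recognises both the "RSA Session-ID ... Master-Key" format quoted above and the CLIENT_RANDOM format that Chrome writes via SSLKEYLOGFILE, validates the field lengths, and lists the handshakes in a trace for which no entry exists (those stay encrypted). The sample log and the "observed" identifiers are constructed, apart from the entry quoted in the answer.

```python
import re
HEX = r"[0-9A-Fa-f]+"
# Two key log line formats: "RSA Session-ID:<sid> Master-Key:<secret>" (the format in the answer
# above) and "CLIENT_RANDOM <32-byte client random> <secret>" (what Chrome/NSS writes).
# <secret> is always the 48-byte master secret, written as 96 hex characters.
RE_SESSION = re.compile(rf"^RSA Session-ID:({HEX}) Master-Key:({HEX})$")
RE_CLIENT_RANDOM = re.compile(rf"^CLIENT_RANDOM ({HEX}) ({HEX})$")

# Constructed sample log; the first entry is the one quoted in the answer above.
SAMPLE_KEYLOG = "\n".join([
    "# comment and blank lines are ignored",
    "RSA Session-ID:63375a39fd0e5c4a527b3e460e1e7c55f2083c1f0b236f58cca20f9c8af9d9b6 "
    "Master-Key:f3671e0b55fa8897034884d177e69c6bdd019b9e63e96d7af1b0d846835d5638edbbdbeb97e70edb84076b764f14b219",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 31 + " " + "cd" * 48,  # defective: client random is only 31 bytes
])
# Constructed identifiers read off the trace: ServerHello Session IDs and ClientHello Randoms.
OBSERVED = [
    ("session_id", "63375a39fd0e5c4a527b3e460e1e7c55f2083c1f0b236f58cca20f9c8af9d9b6"),
    ("client_random", "AB" * 32),
    ("client_random", "ef" * 32),  # no entry for this handshake: it stays encrypted
]

def parse_keylog(text):
    """Return ({(kind, identifier): secret}, [error strings]) for one key log file."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for kind, rx, id_len in (("session_id", RE_SESSION, None),
                                 ("client_random", RE_CLIENT_RANDOM, 64)):
            m = rx.match(line)
            if m:
                break
        else:
            errors.append(f"line {lineno}: unrecognised format")
            continue
        ident, secret = m.group(1).lower(), m.group(2).lower()
        if len(secret) != 96:
            errors.append(f"line {lineno}: secret is {len(secret) // 2} bytes, expected 48")
        elif id_len and len(ident) != id_len:
            errors.append(f"line {lineno}: {kind} identifier should be {id_len} hex chars")
        else:
            entries[(kind, ident)] = secret
    return entries, errors

def unmatched_handshakes(entries, observed):
    """Handshakes from the trace with no key log entry; these will not decrypt."""
    return [(k, v) for k, v in observed if (k, v.lower()) not in entries]
```

Run `parse_keylog` on your own key log and feed the Session IDs or Client Randoms from the ServerHello/ClientHello messages into `unmatched_handshakes` to see which connections Wireshark has no key for.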