Hi all,

I am trying to decrypt an SSL session which is running on my test environment and I am partially successful in that. The problem is that every time, to successfully decrypt an SSL capture, I need to restart my browser, and the first transaction gets decrypted properly. The subsequent requests from the client system were not decrypted as expected. I don't know whether the issue is with my current SSL server setup or with the Wireshark setup. I have uploaded my capture file at link. The RSA private key is given below:

In the attached capture file, the packet at 15 gets decrypted properly with the given key. All other packets will not get decrypted. This happens when I reuse the same browser session to request the server. Any suggestion to dig into this issue is appreciated.

Regards,
Ashbi

asked 22 Oct '12, 07:40 ashbi
edited 22 Oct '12, 07:46
One Answer:
A quick look at your trace shows that your client and server both support "TLS session tickets" and are indeed using them to reuse SSL sessions. Wireshark (AFAIK) does not yet support the use of "TLS session tickets" in regard to SSL decryption (the SSL keying material is not internally kept between sessions).

Could you file an enhancement report on https://bugs.wireshark.org and add the tracefile as well as the private key to the report?

In the meantime, you can disable the use of "TLS session tickets" to make sure you can decrypt the traffic.

answered 22 Oct '12, 08:29 SYN-bit ♦♦
Hi, Thanks for the reply. I will configure the server to reuse the session and check whether the issue can be solved.
What you need to do, I believe, is to configure the server to NOT reuse sessions, so that Wireshark can capture the full key exchange process before the start of each session.
It's no problem for the server to re-use sessions, as long as it does not use "session tickets". But indeed, if you want to be able to decrypt each and every session independently without hassle, you might indeed disable session reuse altogether.
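
To check a capture for the condition discussed in this thread, the following added example (not part of the original posts) parses a raw ClientHello record and reports whether the client presents a session ticket (SessionTicket extension, type 35, RFC 5077). The sample records are constructed in `build_client_hello`, a hypothetical helper, and are not taken from the poster's capture.

```python
import struct

SESSION_TICKET_EXT = 35  # SessionTicket TLS extension type (RFC 5077)

def parse_client_hello(record):
    """Return what a ClientHello record offers for session resumption."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                             # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    info = {"session_id_len": sid_len, "ticket_ext": False, "ticket_len": 0}
    if pos + 2 > len(body):                        # no extensions block at all
        return info
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == SESSION_TICKET_EXT:
            info["ticket_ext"], info["ticket_len"] = True, ext_len
        pos += 4 + ext_len
    return info

def explain(info):
    """Map the parsed offer to what it means for RSA-key decryption."""
    if info["ticket_len"] > 0:
        return "ticket presented: server may resume without a ClientKeyExchange"
    if info["ticket_ext"]:
        return "ticket support only: full handshake expected"
    return "no ticket extension offered"

def build_client_hello(ticket=None):
    """Constructed sample record; ticket=None omits the extension."""
    ext = b"" if ticket is None else (
        struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket)
    body = (b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
```

An empty extension means the client supports tickets but holds none yet; a non-empty one is the resumption attempt, which is the case where the RSA private key alone has no key exchange to work from.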