This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL decryption works only on the first client request. Remaining packets are not decrypted

0

Hi all,

I am trying to decrypt an SSL session which is running on my test environment and I am partially successful in that. The problem is that every time, to successfully decrypt an SSL capture, I need to restart my browser; then the first transaction gets decrypted properly. The subsequent requests from the client system are not decrypted as expected.

I don't know whether the issue is with my current SSL server setup or with the Wireshark setup. I have uploaded my capture file at link.

The RSA private key is given below:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

In the attached capture file, packet 15 gets decrypted properly with the given key. All other packets do not get decrypted. This happens when I reuse the same browser session to request the server. Any suggestion to dig into this issue is appreciated.

Regards, Ashbi

asked 22 Oct '12, 07:40


ashbi
accept rate: 0%

edited 22 Oct '12, 07:46


One Answer:

1

A quick look at your trace shows that your client and server both support "TLS session tickets" and are indeed using them to reuse SSL sessions. Wireshark (AFAIK) does not yet support the use of "TLS session tickets" in regard to SSL decryption (the SSL keying material is not internally kept between sessions).

Could you file an enhancement report on https://bugs.wireshark.org and add the tracefile as well as the private key to the report?

In the meantime, you can disable the use of "TLS session tickets" to make sure you can decrypt the traffic.

answered 22 Oct '12, 08:29


SYN-bit ♦♦
accept rate: 20%

Hi, thanks for the reply. I will configure the server to reuse the session and check whether the issue can be solved.

(22 Oct '12, 09:37) ashbi

What you need to do, I believe, is to configure the server to NOT reuse sessions, so that Wireshark can capture the full key exchange process before the start of each session.

(23 Oct '12, 01:33) inetdog

It's no problem for the server to re-use sessions, as long as it does not use "session tickets". But indeed, if you want to be able to decrypt each and every session independently without hassle, you might indeed disable session reuse altogether.

(23 Oct '12, 01:47) SYN-bit ♦♦
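The answer and the comments above turn on one distinction: a full handshake carries a ClientKeyExchange that an RSA private key can unwrap, whereas a resumed handshake (by session ID or by a session ticket, RFC 5077 extension type 0x0023) carries no key exchange at all, so the private key alone gives Wireshark nothing to work with. The following Python script is an added example, not part of the original thread or of Wireshark; it parses a ClientHello and ServerHello from raw TLS record bytes, detects whether the connection is a full handshake or a resumption, and reports whether an RSA private key would be enough to decrypt it. The sample hello messages are constructed inline by `build_client_hello` and `build_server_hello` (random bytes, session IDs and ticket contents are made up); the cipher suite values are the IANA assignments for the RSA key exchange suites listed.

```python
import struct

SESSION_TICKET_EXT = 0x0023          # RFC 5077 "SessionTicket TLS" extension type
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2
# Suites whose pre-master secret is RSA-encrypted to the server key (IANA values).
# With (EC)DHE suites the server key only signs, so a private key never suffices.
RSA_KEX_SUITES = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D}


def _wrap(htype, body):
    """Wrap a handshake body in a handshake header and a TLS 1.2 record header."""
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs


def build_client_hello(session_id=b"", ticket=None):
    """Constructed sample ClientHello. ticket=None omits the extension,
    ticket=b"" offers an empty ticket (asks the server to issue one),
    a non-empty ticket attempts ticket resumption."""
    body = b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2) + struct.pack(">H", 0x002F)  # one RSA suite offered
    body += b"\x01\x00"                                         # null compression only
    exts = b""
    if ticket is not None:
        exts += struct.pack(">HH", SESSION_TICKET_EXT, len(ticket)) + ticket
    return _wrap(CLIENT_HELLO, body + struct.pack(">H", len(exts)) + exts)


def build_server_hello(session_id=b"", cipher_suite=0x002F, issue_ticket=False):
    """Constructed sample ServerHello. issue_ticket=True adds the empty
    session_ticket extension that announces a NewSessionTicket message."""
    body = b"\x03\x03" + b"\x22" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack(">H", cipher_suite) + b"\x00"
    exts = struct.pack(">HH", SESSION_TICKET_EXT, 0) if issue_ticket else b""
    return _wrap(SERVER_HELLO, body + struct.pack(">H", len(exts)) + exts)


def _parse_extensions(buf):
    exts = {}
    if len(buf) < 2:                     # extensions block is optional
        return exts
    (total,) = struct.unpack(">H", buf[:2])
    off, end = 2, 2 + total
    while off + 4 <= end:
        etype, elen = struct.unpack(">HH", buf[off:off + 4])
        exts[etype] = buf[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


def parse_hello(record):
    """Parse one TLS record holding a ClientHello or ServerHello."""
    ctype, _version, rlen = struct.unpack(">BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    htype, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    if htype not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    body = hs[4:4 + hlen]
    off = 2 + 32                          # skip version and random
    sid_len = body[off]; off += 1
    session_id = body[off:off + sid_len]; off += sid_len
    cipher_suite = None
    if htype == CLIENT_HELLO:
        (cs_len,) = struct.unpack(">H", body[off:off + 2]); off += 2 + cs_len
        comp_len = body[off]; off += 1 + comp_len
    else:
        (cipher_suite,) = struct.unpack(">H", body[off:off + 2]); off += 3
    return {"type": htype, "session_id": session_id,
            "cipher_suite": cipher_suite, "extensions": _parse_extensions(body[off:])}


def classify_handshake(client_hello, server_hello):
    """Return how this connection establishes its keys."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    client_ticket = ch["extensions"].get(SESSION_TICKET_EXT)
    # RFC 5077 3.4: the server echoes the client's session_id to accept a ticket;
    # the same echo signals classic session-ID resumption.
    if ch["session_id"] and ch["session_id"] == sh["session_id"]:
        return "resumed-via-ticket" if client_ticket else "resumed-via-session-id"
    if SESSION_TICKET_EXT in sh["extensions"]:
        return "full-handshake-issues-ticket"   # keys here, but later sessions won't
    return "full-handshake"


def rsa_key_sufficient(client_hello, server_hello):
    """True only when the server's RSA private key can recover the session keys:
    a full handshake that also negotiated an RSA key exchange suite."""
    kind = classify_handshake(client_hello, server_hello)
    suite = parse_hello(server_hello)["cipher_suite"]
    return kind.startswith("full-handshake") and suite in RSA_KEX_SUITES


if __name__ == "__main__":
    first = (build_client_hello(ticket=b""), build_server_hello(issue_ticket=True))
    later = (build_client_hello(b"\xaa" * 4, ticket=b"opaque-ticket"), build_server_hello(b"\xaa" * 4))
    for name, (c, s) in (("first connection", first), ("reused browser session", later)):
        print(f"{name}: {classify_handshake(c, s)}, RSA key sufficient: {rsa_key_sufficient(c, s)}")
```

Running it over the constructed pair reproduces the situation in the question: the first connection is a full handshake (decryptable) that also hands out a ticket, and every later connection in the same browser session resumes with that ticket and cannot be decrypted from the private key. Disabling tickets, as the answer suggests, turns the later connections into session-ID resumptions (still no key exchange) or, with reuse disabled altogether, into full handshakes.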