This is our old Q&A Site. Please post any new questions and answers at

I know its possibly to decrypt an SSL session, but is it possible to decrypt an SSL session post capture?

I have a capture that was done with another product that they have no idea if or how to configure it to decrypt the SSL session. And putting wireshark on the network so far isn't happening, but I do have the SSL keys so the obvious question that I came up with, can I do it on that saved capture file?


asked 30 Apr '13, 11:43

modeerf's gravatar image

accept rate: 0%

Yes that is possible. In fact, I mostly capture on other devices and do the decryption in Wireshark on my laptop later on.

Keep in mind that there are 3 basic conditions that must be met to succesfully decrypt SSL traffic:

  • You have to have the server private key that corresponds to the certificate in the captures SSL session. You seem to have those.
  • For each SSL session in the capture file that you would like to decrypt, you need to have the full SSL handshake (including the ClientKeyExchange handshake message). Especially if you have no control over the client nor server during capturing, they often reuse sessions that had their handshake before you started capturing.
  • The chosen cipher must not use a DiffieHellman key exchange (DH in the cipher name), as wireshark is unable to extract the MasterSecret (with the session key used for the encryption) from the capture when DH is used.
permanent link

answered 30 Apr '13, 13:08

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 30 Apr '13, 11:43

question was seen: 3,417 times

last updated: 30 Apr '13, 13:08

p​o​w​e​r​e​d by O​S​Q​A