This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypt SSL

I am attempting to decrypt SSL and have the pem file included but I am not able to see the decrypted application data.

dissect_ssl enter frame #15 (first time)
  conversation = 0000000007C268B8, ssl_session = 0000000007C26EC8
  record: offset = 0, reported_length_remaining = 458
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 453, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 34543 found 0000000000000000
association_find: TCP port 443 found 0000000006CF10C0

asked 09 Sep '13, 09:31

davidmoody

edited 09 Sep '13, 09:33

grahamb ♦


One Answer:

There are three things you need to make sure of to make decryption work in Wireshark:

  • Provide the proper private key (check the ssl-debug log to see if it actually loaded OK)
  • Make sure the whole SSL handshake for this SSL session is in the tracefile (make sure you see the "Certificate" message from the server)
  • Check whether you're not using a Diffie-Hellman cipher (the cipher in the ServerHello message should not contain DHE or DH)

If that does not get you started, have a look at my Sharkfest presentation on troubleshooting SSL.

answered 09 Sep '13, 22:00

SYN-bit ♦♦
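
The second and third checks in the answer above (Certificate message present, no DH/DHE cipher in the ServerHello) can be scripted. This is an added example, not part of the original thread or Wireshark's own code. It assumes the input is the raw server-to-client TCP payload of a pre-TLS 1.3 session, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Subset of IANA cipher suite IDs, enough for the constructed samples below.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
HANDSHAKE, CHANGE_CIPHER_SPEC, SERVER_HELLO, CERTIFICATE = 22, 20, 2, 11

def handshake_messages(stream):
    """Yield (msg_type, body) for each plaintext handshake message in the records."""
    buf, off = b"", 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        if ctype == CHANGE_CIPHER_SPEC:      # later handshake records are encrypted
            break
        if ctype == HANDSHAKE:               # messages may span several records
            buf += stream[off + 5: off + 5 + length]
        off += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1: pos + 4], "big")
        if pos + 4 + mlen > len(buf):        # truncated capture: stop here
            break
        yield buf[pos], buf[pos + 4: pos + 4 + mlen]
        pos += 4 + mlen

def check_handshake(stream):
    """Return (cipher_suite, certificate_seen, decryptable_with_rsa_private_key)."""
    name, cert_seen, known = None, False, False
    for mtype, body in handshake_messages(stream):
        # ServerHello body: version(2) random(32) sid_len(1) sid cipher_suite(2) ...
        if mtype == SERVER_HELLO and len(body) > 34 and len(body) >= 37 + body[34]:
            (sid,) = struct.unpack_from("!H", body, 35 + body[34])
            known = sid in SUITES
            name = SUITES.get(sid, "unknown 0x%04X" % sid)
        elif mtype == CERTIFICATE:
            cert_seen = True
    return name, cert_seen, known and cert_seen and "DH" not in name

def sample_stream(suite_id, with_cert=True):
    """Constructed server flight: ServerHello, optional Certificate, ServerHelloDone."""
    msg = lambda t, b: bytes([t]) + len(b).to_bytes(3, "big") + b
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!HB", suite_id, 0)
    body = msg(SERVER_HELLO, hello) + (msg(CERTIFICATE, bytes(3)) if with_cert else b"") + msg(14, b"")
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(body)) + body
```

A suite ID missing from the table is reported as unknown and never marked decryptable, so extend `SUITES` before relying on the result for other captures.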