This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decrypt works on my station but not those captured elsewhere on others

0

I've successfully set up ssl decrypt to work on my systems sessions with an ssl server by getting the private key. Works!

I have traces of other stations traffic that I need to analyze. I can't get those other stations traffic to decode. What's the unknown I'm missing?

Thanks!

asked 12 Dec '13, 11:56

packetman007's gravatar image

packetman007
11223
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

For SSL decryption to work, there are three main conditions that need to be fulfilled:

  1. You must have the private key matching the certificate used in the session. And it needs to be in the proper format for wireshark to read. As I assume the other stations go to the same server, this condition is fulfilled.
  2. You need to have the full SSL handshake in the tracefile (so including the Certificate and the ClientKeyExchange messages). When you see ServerHello immediately followed by a ChangeCipherspec, then you have a reused SSL session and you can not decrypt it in Wireshark (unless the full handhshake is in the same tracefile).
  3. The client and server must have chosen a non-diffie-hellman key exchange. When DH is used, the master secret is encrypted with dynamically setup keys instead of the public key from the certificate and can therefor not be decrypted by wireshark. And without the cleartext master secret for the session, wireshark can not decrypt the session. A DH key exchange can be recognized by an extra "ServerKeyExchange" message in the SSL handshake.

What do your SSL handshakes look like?

permanent link

answered 13 Dec '13, 03:11

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×319

question asked: 12 Dec '13, 11:56

question was seen: 1,323 times

last updated: 13 Dec '13, 03:11

Related questions

Where did the Google SSL video go?

Decrypt SSL Traffic destined for Squid Proxy Server

SSL capture

SSL decryption only works in promiscuous mode?

SSL Descrypt _without_ specifying a protocol?

How do you decrypt The Encrypted Handshakes and Application Data.

SSL Dissector - TLSv1 versus SSL

SSL "key exchange 0 different from KEX_RSA" but using RSA

Wireshark SSL and TLSv1 protocol

Can't decrypt ssl in capture from windump

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A