This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decrypt works on my station but not those captured elsewhere on others

0

I've successfully set up ssl decrypt to work on my systems sessions with an ssl server by getting the private key. Works!

I have traces of other stations traffic that I need to analyze. I can't get those other stations traffic to decode. What's the unknown I'm missing?

Thanks!

asked 12 Dec '13, 11:56

packetman007's gravatar image

packetman007
11223
accept rate: 0%

One Answer:

1

For SSL decryption to work, there are three main conditions that need to be fulfilled:

  1. You must have the private key matching the certificate used in the session. And it needs to be in the proper format for wireshark to read. As I assume the other stations go to the same server, this condition is fulfilled.
  2. You need to have the full SSL handshake in the tracefile (so including the Certificate and the ClientKeyExchange messages). When you see ServerHello immediately followed by a ChangeCipherspec, then you have a reused SSL session and you can not decrypt it in Wireshark (unless the full handhshake is in the same tracefile).
  3. The client and server must have chosen a non-diffie-hellman key exchange. When DH is used, the master secret is encrypted with dynamically setup keys instead of the public key from the certificate and can therefor not be decrypted by wireshark. And without the cleartext master secret for the session, wireshark can not decrypt the session. A DH key exchange can be recognized by an extra "ServerKeyExchange" message in the SSL handshake.

What do your SSL handshakes look like?

answered 13 Dec '13, 03:11

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%