I'm pretty sure I've finally configured SSL to correctly decrypt my SSL packets, from a capture of an SSL session on an IIS 7.5 server. I say this because when I use the filter 'ssl' in Wireshark, I occasionally see a green HTTP packet, and when inspecting the packet, I can see the SSL section in the detail window, followed by the decrypted HTTP packet information. However, there are only a very few of these readable packets.

I read another post where the problem cause was the use of 'TLS session tickets', and the poster was told to file an enhancement request. In the meantime, the workaround was to 'disable the use of TLS session tickets'.

a) How can I tell if I am having the same problem? What would I look for in the SSL debug log?

b) If it is the same problem, does Wireshark now support decryption of sessions using TLS session tickets?

c) If Wireshark does not, does anyone know how to disable the use of TLS session tickets on IIS 7.5?

Thanks in advance

asked 18 Dec '13, 23:51 dmc_lat47
One Answer:
Please use the following display filter: If you see some frames, it's a good sign for session tickets.
AFAIK: No, but there is an open Enhancement Bug for this:

Even if it would be able to work with session tickets, there is a structural problem. If you just captured traffic with session tickets, there is no way for Wireshark to figure out the key that has been used. So, even if Wireshark will support session tickets eventually, you will have to capture the first handshake to be able to decrypt the session.
I guess the people at a Microsoft forum are the better crowd to ask ;-))

Regards

answered 19 Dec '13, 05:30 Kurt Knochner ♦
Thanks for your help!
So, I used the filter... ssl.handshake.session_ticket
Not a packet came up! Now I am at a loss as to why only some packets can be decrypted.
Anyone have any ideas?
Thanks again
without the debug log? No.
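
As an added example (not part of the original thread): one way to check question (a) outside Wireshark is to parse a ClientHello and see whether the client sent a non-empty session ticket (extension type 35, RFC 5077) or, going slightly beyond the thread, a non-empty session ID; either one requests an abbreviated handshake, which is the case the answer describes where the first handshake must be in the capture. The function names and the sample bytes are constructed for illustration, and the parser assumes a TLS 1.0-1.2 ClientHello that fits in a single record.

```python
import struct

EXT_SESSION_TICKET = 35  # SessionTicket TLS extension type (RFC 5077)

def inspect_client_hello(record: bytes) -> dict:
    """Report resumption hints from one TLS 1.0-1.2 ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        hs_len = int.from_bytes(record[6:9], "big")
        hello = record[9:9 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                  # client_version + random
        sid_len = hello[pos]
        pos += 1 + sid_len                            # session_id
        (cs_len,) = struct.unpack_from("!H", hello, pos)
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        ticket = None
        if pos < len(hello):                          # extensions are optional
            (ext_total,) = struct.unpack_from("!H", hello, pos)
            pos, end = pos + 2, pos + 2 + ext_total
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
                pos += 4
                if ext_type == EXT_SESSION_TICKET:
                    ticket = hello[pos:pos + ext_len]
                pos += ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {
        "session_id_len": sid_len,
        "ticket_offered": ticket is not None,         # empty = support only
        "ticket_len": len(ticket) if ticket is not None else 0,
        "resumption_requested": sid_len > 0 or bool(ticket),
    }

def build_sample(session_id: bytes = b"", ticket=None) -> bytes:
    """Constructed ClientHello for the demo (not captured traffic)."""
    ext = b"" if ticket is None else struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x2f\x01\x00" + (struct.pack("!H", len(ext)) + ext if ext else b""))
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for rec in (build_sample(), build_sample(ticket=b""), build_sample(bytes(32), b"\xaa" * 48)):
        print(inspect_client_hello(rec))
```

If `resumption_requested` is true for a connection and the server accepts it, the capture also has to contain the earlier full handshake for that session before the private key is of any use.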