
Hello,

What is the reason why Wireshark was able to decrypt only 60% of the SSL (https) packets to a single https server? The server certificate was provided in .p12 format with a password one day after the traces were pulled from the network.

What can we do to decrypt the remaining 40%?

Is it right that Wireshark can't save the decrypted packets to a different file, meaning Wireshark can only decrypt on the fly (while capturing or reading a trace file)?

thx for hints, Steffen

asked 25 Feb '14, 05:03


Discovery


> why Wireshark was able to decrypt only 60% of SSL

Maybe the other 40% of connections were using a cipher with Diffie-Hellman (DH or DHE, see SSL/TLS handshake). If that is the case, you cannot decrypt those connections with the server private key only.

> What can we do to decrypt the remaining 40%?

If Diffie-Hellman is the reason:

  • Configure the clients and/or the server to not use Diffie-Hellman. However, that's a dumb idea, as DH is a security plus.
  • Let your clients (browser) dump the session keys and use those to decrypt the session (see links below)

Decrypt SSL with Diffie-Hellman:

> Is it right that Wireshark can't save the decrypted packets to a different file by means wireshark can decrypt on the fly

Yes and no. It depends on the Wireshark version you are using and the functionality you need. See the answer to a similar question.

http://ask.wireshark.org/questions/23614/save-a-capture-after-decryption

Regards
Kurt


answered 25 Feb '14, 09:30


Kurt Knochner ♦
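To check the answer's hypothesis against a trace, look at which cipher suite each ServerHello negotiated: a TLS_RSA_* suite sends the premaster secret encrypted to the server's RSA key (decryptable with the .p12), while a DHE/ECDHE suite derives it from an ephemeral exchange that the private key cannot undo. The script below is an added example, not code from the question, the answer or the Wireshark project. It parses the ServerHello out of raw TLS handshake records and tallies the key-exchange type; the five records it feeds itself are constructed inline (deliberately three RSA suites and two ECDHE suites, the 60/40 split from the question), and the cipher-suite table is a small subset of the IANA registry that you would extend for your own traces.

```python
# Added example: classify the key exchange negotiated in TLS ServerHello records.
# Constructed sample data, not taken from the original poster's capture.
import struct
from collections import Counter

# Subset of IANA cipher-suite numbers (extend for suites seen in your trace).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


def key_exchange(suite):
    """Map a cipher-suite number to how the premaster secret is established."""
    name = CIPHER_SUITES.get(suite)
    if name is None:
        return "unknown"
    if name.startswith("TLS_RSA_"):
        return "rsa"        # premaster secret encrypted to the server key: decryptable
    if "_DHE_" in name or "_ECDHE_" in name:
        return "ephemeral"  # forward secrecy: server private key does not help
    return "other"


def parse_server_hello(record):
    """Return (cipher_suite, session_id) from one TLS record carrying a ServerHello."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    sid_len = hello[34]
    session_id = hello[35:35 + sid_len]
    (suite,) = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])
    return suite, session_id


def build_server_hello(suite, session_id=b""):
    """Construct a minimal TLS 1.2 ServerHello record (sample input for this example)."""
    hello = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")          # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def summarize(records):
    """Count ServerHellos by key-exchange class; returns a Counter."""
    counts = Counter()
    for rec in records:
        suite, _sid = parse_server_hello(rec)
        counts[key_exchange(suite)] += 1
    return counts


# Constructed sample: 3 RSA-key-transport suites, 2 ECDHE suites (60% / 40%).
SAMPLE = [build_server_hello(s) for s in (0x002F, 0x0035, 0x009C, 0xC013, 0xC02F)]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    total = sum(counts.values())
    for kind, n in sorted(counts.items()):
        print(f"{kind}: {n} of {total} ({100 * n // total}%)")
```

With a real trace you do not have to parse by hand: the negotiated suite is exposed as a display field (`ssl.handshake.ciphersuite` in Wireshark releases of that era, `tls.handshake.ciphersuite` in current ones), so `tshark -T fields` can feed the numbers straight into `key_exchange`. One caveat independent of the cipher suite: a connection that resumes a session (abbreviated handshake, ServerHello echoing the client's session ID) carries no ClientKeyExchange, so if the original full handshake happened before the capture started it cannot be decrypted with the server key either; that is another thing the SSL debug log will tell you.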

Many thanks for your large answer.

But there is no DH used in the SSL handshakes.

Steffen

(25 Feb '14, 10:13) Discovery

so, what do you see in the SSL Decryption debug log?

(25 Feb '14, 10:17) Kurt Knochner ♦
question was seen: 2,630 times

last updated: 25 Feb '14, 10:17