This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark decrypts SSL traces just partly


Hello,

What is the reason why Wireshark was able to decrypt only 60% of the SSL (https) packets to only one https-server? The server certificate has been provided in .p12 format with a password one day after the traces were pulled from the network.

What can we do to decrypt the remaining 40%?

Is it right that Wireshark can't save the decrypted packets to a different file, meaning Wireshark can decrypt on the fly (while capturing or reading a tracefile) only?

thx for hints, Steffen

asked 25 Feb '14, 05:03


Discovery
accept rate: 0%


One Answer:


why Wireshark was able to decrypt only 60% of SSL

Maybe the other 40% of connections were using a cipher with Diffie-Hellman (DH or DHE - see SSL/TLS handshake). If that is the case, you cannot decrypt those connections with the server private key only.

What can we do to decrypt the remaining 40%?

If Diffie-Hellman is the reason:

  • Configure the clients and/or the server to not use Diffie-Hellman. However, that's a dumb idea, as DH is a security plus.
  • Let your clients (browser) dump the session keys and use those to decrypt the session (see links below)

Decrypt SSL with Diffie-Hellman:

Is it right that Wireshark can't save the decrypted packets to a different file by means wireshark can decrypt on the fly

Yes and no. It depends on the Wireshark version you are using and the functionality you need. See the answer to a similar question.

http://ask.wireshark.org/questions/23614/save-a-capture-after-decryption

Regards
Kurt

answered 25 Feb '14, 09:30


Kurt Knochner ♦
accept rate: 15%
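
As an added example (not part of the original answer), a small Python check that reads the cipher suite out of a TLS ServerHello and reports whether the server's private key alone can decrypt that session, which is the distinction the answer draws between RSA and (EC)DHE key exchange. The cipher suite table is a constructed subset of the IANA registry, and the sample record is constructed here, not taken from a real capture.

```python
"""Classify the cipher suite negotiated in a TLS ServerHello by key exchange."""
import struct

# Constructed subset of IANA cipher suite ids. "RSA" key exchange encrypts the
# premaster secret with the server's RSA key, so the .p12 private key suffices.
# "DHE"/"ECDHE" use ephemeral Diffie-Hellman; only dumped session keys help.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

def server_hello_cipher(tls_bytes):
    """Walk server-side TLS records; return the ServerHello cipher suite id or None."""
    pos = 0
    while pos + 5 <= len(tls_bytes):
        ctype, _ver, rlen = struct.unpack("!BHH", tls_bytes[pos:pos + 5])
        body = tls_bytes[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != 0x16:            # 0x16 = handshake; skip alerts / app data
            continue
        hpos = 0
        while hpos + 4 <= len(body):  # handshake header: type(1) length(3)
            htype = body[hpos]
            hlen = int.from_bytes(body[hpos + 1:hpos + 4], "big")
            msg = body[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype == 0x02:        # ServerHello: version(2) random(32) sid_len(1) sid cipher(2)
                sid_len = msg[34]
                return struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]
    return None

def decryptable_with_server_key(tls_bytes):
    """Return (suite name, True if the server private key alone decrypts it), or None."""
    cid = server_hello_cipher(tls_bytes)
    if cid is None or cid not in CIPHER_SUITES:
        return None
    name, kx = CIPHER_SUITES[cid]
    return (name, kx == "RSA")

def build_server_hello(cipher_id):
    """Constructed sample ServerHello record (TLS 1.0, empty session id, no extensions)."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher_id) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Fed the server-to-client bytes of each session from the trace, sessions that report False are the ones no .p12 will ever open; those need the browser's session-key log instead.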

many thx for your long answer.

But there is no DH used in the SSL handshakes.

Steffen

(25 Feb '14, 10:13) Discovery

so, what do you see in the SSL Decryption debug log?

(25 Feb '14, 10:17) Kurt Knochner ♦