In almost every blog I read about SSL decryption with Wireshark, I found the following limitation:

Wireshark won't be able to decrypt SSL traffic if Diffie-Hellman Ephemeral (DHE) or RSA Ephemeral is negotiated between the two communicating parties.

It seems that even Wireshark's SSL wiki supports that. I'm curious and would like to know why Wireshark has such a limitation?

Thank you!

asked 21 Oct '14, 03:27 by flora

edited 10 Nov '14, 10:05

I'm curious and would like to know why Wireshark has such a limitation?

That's not a 'limitation' of Wireshark (in the sense that the developers are not able to implement it); it's the way the Diffie-Hellman algorithm works.

If you are using an SSL/TLS handshake without DH, the session key gets encrypted with the public (RSA) key of the server (more or less!!). So, if you have access to the private key of the server, you will be able to decrypt the session key and thus decrypt the whole SSL/TLS session.

With Diffie-Hellman, the session key is never transmitted (it's calculated on both sides), so you won't be able to intercept it and use it to decrypt the session. That's what Diffie-Hellman was developed for: securely establishing a base crypto key that both parties can use, but nobody else. I recommend the book "Applied Cryptography" if you are interested in all the details.

Having said that, there is no technical way to decrypt an SSL/TLS session where DH was used, unless one of the parties (client or server) discloses the session key (not the DH key!!).

answered 21 Oct '14, 04:31 by Kurt Knochner ♦

edited 21 Oct '14, 06:45
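The answer above can be played through in code. The following is an added example, not part of the original answer and not Wireshark code: it models three observers of the same handshakes with textbook RSA (no padding), a toy DH group (the Mersenne prime 2^127-1, far too small for real use) and a SHA-256 stand-in for the TLS PRF, all of which are simplifications assumed for illustration. The one real artefact is the `CLIENT_RANDOM <client random> <master secret>` line, which is the NSS key log format Wireshark reads from a file such as the one SSLKEYLOGFILE points to.

```python
"""Toy model: an observer holding the server's RSA private key recovers the
session secret under RSA key transport but not under ephemeral DH, while a
key log line exported by one endpoint restores decryption.  Textbook RSA and
a tiny DH group: illustration only, nothing here is real TLS."""
import hashlib
import secrets


def is_probable_prime(n, rounds=25):
    """Miller-Rabin test, enough for generating toy RSA primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA keypair: returns (n, e), (n, d).  e is prime, so it is
    invertible mod phi exactly when phi is not a multiple of e."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_key_transport(server_pub):
    """RSA key exchange: the client picks the premaster secret and sends it
    encrypted to the server's public key.  Returns (wire_ciphertext, premaster)."""
    n, e = server_pub
    premaster = secrets.randbelow(n - 2) + 1
    return pow(premaster, e, n), premaster


def rsa_decrypt(server_priv, value):
    n, d = server_priv
    return pow(value, d, n)


DH_P = 2**127 - 1   # toy group (Mersenne prime M127); real TLS uses 2048-bit+ groups
DH_G = 3


def dh_key_agreement():
    """Ephemeral DH: only g^x and g^y cross the wire; x and y never leave their
    endpoint.  Returns ((gx, gy), shared_secret)."""
    x = secrets.randbelow(DH_P - 2) + 1
    y = secrets.randbelow(DH_P - 2) + 1
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    client_secret, server_secret = pow(gy, x, DH_P), pow(gx, y, DH_P)
    assert client_secret == server_secret
    return (gx, gy), client_secret


def master_secret(premaster, client_random, server_random):
    """Stand-in for the TLS PRF (assumed: one SHA-256 over premaster and nonces)."""
    return hashlib.sha256(premaster.to_bytes(64, "big") + client_random + server_random).digest()


def keylog_line(client_random, ms):
    """NSS key log format, the file Wireshark reads as its (Pre)-Master-Secret log."""
    return f"CLIENT_RANDOM {client_random.hex()} {ms.hex()}"


def master_secret_from_keylog(keylog_text, client_random):
    """Decryptor side: match the session by its client random, read the secret."""
    for line in keylog_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM" and bytes.fromhex(parts[1]) == client_random:
            return bytes.fromhex(parts[2])
    return None


def demo():
    """Returns, per observer, whether it obtains the session's master secret."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    server_pub, server_priv = rsa_keygen()

    # 1. RSA key transport: the server's private key unwraps the premaster from the wire.
    wire_ct, premaster = rsa_key_transport(server_pub)
    want = master_secret(premaster, client_random, server_random)
    rsa_ok = master_secret(rsa_decrypt(server_priv, wire_ct), client_random, server_random) == want

    # 2. DHE: the observer sees g^x and g^y only.  Neither is the secret, and applying
    #    the server's RSA private key to them yields garbage: that key never wrapped anything.
    (gx, gy), dh_secret = dh_key_agreement()
    guesses = {gx, gy, rsa_decrypt(server_priv, gx), rsa_decrypt(server_priv, gy)}
    dhe_ok = dh_secret in guesses

    # 3. DHE again, but the client exported its master secret as a key log line.
    ms = master_secret(dh_secret, client_random, server_random)
    keylog_ok = master_secret_from_keylog(keylog_line(client_random, ms), client_random) == ms
    return {"rsa_with_server_key": rsa_ok, "dhe_with_server_key": dhe_ok, "dhe_with_keylog": keylog_ok}


if __name__ == "__main__":
    print(demo())
```

The third scenario is what the last sentence of the answer refers to: once an endpoint writes the `CLIENT_RANDOM` line, the decryptor never needs the DH exponents at all, which is why Wireshark can decrypt DHE sessions from a key log file but not from a server private key.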

question was seen: 10,026 times