I'm attempting to analyze a TLS capture containing numerous TCP sessions. It seems that I do have the correct certificate configured, considering that Wireshark is successfully decrypting at least some sessions not containing TLS session ticket replacements ("TLSv1: New Session Ticket, Change Cipher Spec, Finished"). I haven't yet figured out how to follow a TLS session containing a session ticket replacement.

I've tried Wireshark v1.10.6 (Linux) and v1.12.1 (Linux and Windows 7). I have my PEM configured under Edit -> Preferences -> Protocols -> SSL -> RSA keys list. I've used editcap to remove duplicate packets. I've tried using a custom compiled version containing every option that might be relevant. Bug 5963 indicates that this capability is at least present in Wireshark 1.6.x for Windows 7.

Is this capability not in Wireshark v1.10.6 or v1.12.1 for Linux? If so, how do I enable this feature? If not, are there other tools that can (ssldump doesn't seem to have that ability)?

Thank you in advance for any help any of you can provide, Andrew

asked 27 Oct '14, 20:07 Andrew Immerman, edited 27 Oct '14, 20:41
One Answer:
I did a brief test with 1.12.1 on Win7, with the capture file attached to bug 5963. While using the file tls_session_ticket_enabled.pcap with the included keying material, I can see in the SSL debug file that Wireshark is able to decrypt the session. Using "Follow SSL Stream" on TCP stream 4, which is using a session ticket, shows the decrypted data. So, decrypting the data works, but there seems to be a problem viewing the decrypted data as HTTP in the GUI. Whether that's a bug or not: I don't know. Please update the bug with your findings and possibly a link to your question.

Output of "Follow SSL Stream":
Regards

answered 28 Oct '14, 02:40 Kurt Knochner ♦
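As an added example (not from the question, the answer, or Wireshark itself), here is a small Python parser for the server's plaintext handshake flight that reports where a NewSessionTicket message (RFC 5077) was issued, so an analyst can tell which TCP streams depend on ticket tracking for decryption. It coalesces handshake messages fragmented across records and stops at ChangeCipherSpec, because the Finished that follows is encrypted; the sample bytes are constructed for the example.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 0x16, 0x14
NEW_SESSION_TICKET = 4  # HandshakeType value per RFC 5077

def tls_records(data):
    """Yield (content_type, payload) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, body
        off += 5 + length

def handshake_messages(data):
    """Yield (type, body) for plaintext handshake messages, reassembling
    fragments that span records, until ChangeCipherSpec is seen."""
    buf = b""
    for ctype, body in tls_records(data):
        if ctype == CHANGE_CIPHER_SPEC:
            break  # everything after this (Finished, app data) is encrypted
        if ctype != HANDSHAKE:
            continue
        buf += body
        while len(buf) >= 4:
            mtype, mlen = buf[0], int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break  # rest of this message arrives in the next record
            yield mtype, buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def find_session_tickets(data):
    """Return [(lifetime_hint_seconds, ticket_bytes), ...] for every
    NewSessionTicket in one direction (server -> client) of a stream."""
    tickets = []
    for mtype, body in handshake_messages(data):
        if mtype == NEW_SESSION_TICKET:
            lifetime, tlen = struct.unpack("!IH", body[:6])
            tickets.append((lifetime, body[6:6 + tlen]))
    return tickets

# Constructed sample: ServerHello, a NewSessionTicket split over two
# records, ChangeCipherSpec, then an (opaque) encrypted Finished record.
def hs_msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

TICKET = b"\x55" * 32
_nst = hs_msg(NEW_SESSION_TICKET, struct.pack("!IH", 7200, len(TICKET)) + TICKET)
SAMPLE_SERVER_FLIGHT = (
    record(HANDSHAKE, hs_msg(2, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x2f\x00"))
    + record(HANDSHAKE, _nst[:10]) + record(HANDSHAKE, _nst[10:])
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, b"\xde\xad\xbe\xef" * 10)  # encrypted Finished, not parsed
)
```

Running `find_session_tickets(SAMPLE_SERVER_FLIGHT)` on the constructed flight returns one ticket with a 7200-second lifetime hint; a stream with no such entry was resumed or established without a ticket.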