Hi all, I'm using Wireshark 1.12.3. I could decode HTTPS traffic before (a few weeks ago), but now I cannot anymore. This is the debug log file: debug.txt
I tried searching Google and this site. I found some things, but they didn't work; one topic said:
the full SSL handshake needs to be present in the trace so that the proper keys can be extracted. A reused SSL session (with a short handshake) does not provide the keying material and can therefore only be decrypted when the original full handshake is also present in the trace file. --> how do I check?
Then, as Jaap mentioned, when a DH cipher is used, the keying material is exchanged using the Diffie-Hellman protocol, which uses dynamically created keypairs instead of the server's public and private key. Therefore Wireshark is not able to decrypt these sessions. --> how do I check?
My webserver: CentOS 6.4 64-bit. I tried capturing with Wireshark on a Windows client or with tcpdump on the server, and many other ways, but it still does not work. Please let me know if you need more information.
asked 09 Feb '15, 19:48
edited 09 Feb '15, 20:01
From your SSL debug log:
So, your session is using a DH cipher. You can see that for yourself when you look at the ServerHello message and then look at the cipher that was chosen. You can also determine this by seeing a "ServerKeyExchange" in the SSL session setup; you won't see a ServerKeyExchange in an RSA key negotiation.
If you want to know if your session is using a full SSL handshake, check whether there is a "Certificate" and "ClientKeyExchange" handshake message in the SSL session that you are looking at. If not, it's using a cached session. You can then check the SSL Session ID in the ServerHello message to see which session it was and look for other sessions in the trace file with the same session ID. If one of these (the first one) does have a "Certificate" and "ClientKeyExchange" handshake message, then Wireshark is able to decrypt all sessions with this session ID; if not, you're out of luck, as the full SSL handshake was not captured.
answered 10 Feb '15, 00:12
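To make the two checks in the answer mechanical, here is an added example (not code from the question, the answer, or Wireshark) that walks the handshake records of a TLS 1.0-1.2 session, assumed to have been extracted as one byte stream in wire order, and reports whether a ServerKeyExchange appeared (DH/ECDHE key exchange, which a server private key cannot decrypt) and whether Certificate and ClientKeyExchange are present (a full handshake rather than a resumed one). The `analyse`/`decryptable` helpers and the three sample sessions are constructed for illustration.

```python
import struct

# TLS record type and handshake message types (RFC 5246)
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, CLIENT_KEY_EXCHANGE = 1, 2, 11, 12, 16

def handshake_messages(stream):
    """Yield (type, body) for each handshake message in a byte stream of TLS records."""
    buf, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        frag, pos = stream[pos + 5:pos + 5 + length], pos + 5 + length
        if ctype != HANDSHAKE:
            continue                      # alerts, CCS, application data: skip
        buf += frag                       # a message may span several records
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            mlen = int.from_bytes(buf[1:4], "big")
            yield buf[0], bytes(buf[4:4 + mlen])
            del buf[:4 + mlen]

def analyse(stream):
    """Report what the answer says to look for: chosen suite, ServerKeyExchange, full handshake, session ID."""
    types, suite, sid = [], None, b""
    for mtype, body in handshake_messages(stream):
        types.append(mtype)
        if mtype == SERVER_HELLO:         # version(2) random(32) sid_len(1) sid suite(2)
            n = body[34]
            sid = body[35:35 + n]
            suite = struct.unpack("!H", body[35 + n:37 + n])[0]
    return {"cipher_suite": suite,       # 0x0033 = DHE-RSA, 0x002F = plain RSA key exchange
            "uses_dh": SERVER_KEY_EXCHANGE in types,
            "full_handshake": CERTIFICATE in types and CLIENT_KEY_EXCHANGE in types,
            "session_id": sid.hex()}

def decryptable(sessions):
    """Answer's rule, in capture order: RSA key exchange and (full handshake or resumption of one already seen)."""
    seen, out = set(), []
    for r in map(analyse, sessions):
        out.append(not r["uses_dh"] and (r["full_handshake"] or r["session_id"] in seen))
        if r["full_handshake"] and not r["uses_dh"]:
            seen.add(r["session_id"])
    return out
# Constructed sample sessions (hypothetical, minimal bodies; only the ServerHello body is parsed)
def _hs(t, body): return bytes([t]) + len(body).to_bytes(3, "big") + body
def _rec(p): return b"\x16\x03\x03" + struct.pack("!H", len(p)) + p
def _sh(suite, sid): return _hs(SERVER_HELLO, b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + struct.pack("!H", suite) + b"\x00")
SID = b"\xab" * 8
FULL_RSA = _rec(_hs(CLIENT_HELLO, b"\x03\x03")) + _rec(_sh(0x002F, SID) + _hs(CERTIFICATE, b"\x00\x00\x00")) + _rec(_hs(CLIENT_KEY_EXCHANGE, b"\x00\x02\x00\x00"))
RESUMED = _rec(_hs(CLIENT_HELLO, b"\x03\x03")) + _rec(_sh(0x002F, SID))   # short handshake, same session ID
FULL_DHE = _rec(_hs(CLIENT_HELLO, b"\x03\x03")) + _rec(_sh(0x0033, b"\xcd" * 8) + _hs(CERTIFICATE, b"\x00\x00\x00") + _hs(SERVER_KEY_EXCHANGE, b"\x00\x01\x05")) + _rec(_hs(CLIENT_KEY_EXCHANGE, b"\x00\x01\x02"))
```

In Wireshark itself the same checks are the `ssl.handshake.type` display filter field (12 for ServerKeyExchange, 11 and 16 for Certificate and ClientKeyExchange); session tickets and TLS 1.3 resumption are outside what this parser looks at.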