I am not seeing any decoded application data. I am running Wireshark 2.4 on the web server box. I have the private key in .pem format. I have the server private key listed in the RSA keys list. I have the port specified as start_tls and the protocol as http. The traffic comes in on https://servername:4993. Is there anything else I need to specify in the RSA keys list or ???
Thanks, Ron
asked 09 Oct '17, 13:03 ronrrm
2 Answers:
The port number in the RSA keys dialog is actually ignored since Wireshark 2.2, at least for matching the private key file. You probably ran into a TLS session which uses an (EC)DHE cipher suite instead of one based on the RSA key exchange. Such sessions cannot be decrypted using the RSA private key file; look for the keylog file (SSLKEYLOGFILE) approach instead.
answered 14 Oct '17, 10:52 Lekensteyn
Presuming that the traffic is simply https on port 4993, try replacing the start_tls entry with 4993.
answered 10 Oct '17, 02:13 grahamb ♦
Did that, same results. Tried 443, 4993, start_tls... Same results.
We need to see the contents of the SSL debug log. In the SSL preferences configure a debug log file and then amend your question with the contents of the log file.