This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding tls1.2

0

I am not seeing any decoded application data.

I am running wireshark 2.4 on the web server box, I have the private key in .pem format

I have the server private key listed in the RSA keys list

I have the port specified as start_tls and the protocol as http.

The traffic comes in on https://servername:4993

Is there anything else I need to specify in the rsa keys list or ???

thanks ron

asked 09 Oct '17, 13:03

ronrrm's gravatar image

ronrrm
16113
accept rate: 0%


2 Answers:

0

The port number in the RSA keys dialog is actually ignored since Wireshark 2.2, at least for matching the private key file.

You probably run into a TLS session which uses a (EC)DHE cipher suite instead of one based on the RSA key exchange. Such sessions cannot be decrypted using the RSA private key file, look for the keylog file (SSLKEYLOGFILE) approach instead.

answered 14 Oct '17, 10:52

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

0

Presuming that the traffic is simply https on port 4993, try replacing the start_tls entry with 4993.

answered 10 Oct '17, 02:13

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Did that, same results. Tried 443, 4993, start_tls...Same results

(10 Oct '17, 15:52) ronrrm

We need to see the contents of the SSL debug log. In the SSL preferences configure a debug log file and then amend your question with the contents of the log file.

(11 Oct '17, 01:46) grahamb ♦