Wireshark-users: Re: [Wireshark-users] tshark SSL Decryption

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 27 May 2008 23:42:19 +0200
On Tue, May 27, 2008 at 01:38:47PM -0600, Al Aghili wrote:
> 
> I've posted this once before but didn't get any answers so trying again.

Well, not quite, you did get some answers and said you would try out the
suggestions ;-)

http://www.wireshark.org/lists/wireshark-users/200803/msg00050.html

> We are trying to decrypt SSL traffic in our network but for some reason
> tshark is only able to decrypt the http headers of the request. So not
> the request body or any of the response from the server. What could
> be going on?

Is there an "Unknown Record" frame after the http header? I think
there is a bug in the SSL decryption when there needs to be reassembly
of the SSL payload. Can you post a single TCP session that shows this
behavior? Of course for anyone to reproduce the issue, you would also
need to provide the private key. Is this possible? You could send
them to me directly if posting it is an issue. Of course in this 
regard I assume you are using a testserver or a test-certificate 
specifically for the reproduction.


> If this is a SSL session cache issue how come we are able to decrypt the
> http header but not the body?

Indeed, that votes *against* a SSL cache issue :-)

Cheers,
    Sake