Wireshark-users: Re: [Wireshark-users] tshark SSL Decryption
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Wed, 28 May 2008 10:57:36 -0600
Sake,

OK, I've attached parts of the debug file. There is no "Unknown Record" in this file or the output of tshark.

Some more info on the environment. It's very high load and these are http SOAP calls. So the client is a SOAP client, not a browser.

One other thing. When we run tshark we have to start it with "data" not "http". If we start it with http we won't see anything. Not even the headers. So the argument to tshark looks like this (note the data after 443).

tshark -i 1 -R ssl.app_data -V -l -d tcp.port\=\=8001,http -o ssl.keys_list\:192.168.15.30,443,data,/Wireshark/cert.pem

I won't be able to send you the private key. This is a financial institution and the same certificate is used in the qa and prod. Let me know if you need anything else from me and I can provide it for you.

Could it be possible that the header is sent as part of a different session than the body and the response?

I really appreciate your help on this.

Thanks
Al

ssl_init keys string: 192.168.15.30,443,http,/Wireshark/cert.pem
ssl_init found host entry 192.168.15.30,443,http,/Wireshark/cert.pem
ssl_init addr '192.168.15.30' port '443' filename '/Wireshark/cert.pem' password(only for p12 file) '(null)'
ssl_init private key file /Wireshark/cert.pem successfully loaded
association_add TCP port 443 protocol http handle 0x7a23d0
association_find: TCP port 993 found 0x9747d00
ssl_association_remove removing TCP 993 - imap handle 0x7a8d50
association_add TCP port 993 protocol imap handle 0x7a8d50
association_find: TCP port 995 found 0x9747d40
ssl_association_remove removing TCP 995 - pop handle 0x7b5e50
association_add TCP port 995 protocol pop handle 0x7b5e50

dissect_ssl enter frame #1126 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

dissect_ssl enter frame #1127 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x17
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

dissect_ssl enter frame #1130 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
dissect_ssl3_handshake can't find private key

dissect_ssl enter frame #1131 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
dissect_ssl3_handshake can't find private key

dissect_ssl enter frame #1132 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #1133 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #1138 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 240 ssl, state 0x17
association_find: TCP port 39614 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 39614 found 0x0
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1139 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 240 ssl, state 0x17
association_find: TCP port 39614 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 39614 found 0x0
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1142 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1143 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1149 (first time)
  conversation = 0x982a7e8, ssl_session = 0x982af30
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 63 ssl, state 0x01
association_find: TCP port 37208 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 59 bytes, remaining 68
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #1152 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
association_find: TCP port 39617 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 352
ssl_decrypt_record found padding 0 final len 351
checking mac (len 331, version 300, ct 23 seq 1)
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 331, seq = 0, nxtseq = 331
association_find: TCP port 39617 found 0x0
association_find: TCP port 443 found 0x97799b0
dissect_ssl3_record decrypted len 331
decrypted app data fragment: POST /StrongAuth/PVQInquiryV2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 1.1.4322.2300)
Authorization: Basic
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 411
Expect: 100-continue
Host: **********
dissect_ssl3_record found association 0x97799b0

dissect_ssl enter frame #1153 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
association_find: TCP port 39617 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 352
ssl_decrypt_record found padding 0 final len 351
checking mac (len 331, version 300, ct 23 seq 2)
ssl_decrypt_record: mac failed
association_find: TCP port 39617 found 0x0
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1154 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x1F
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1155 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x1F
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1158 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 135 offset 5 length 10551574 bytes, remaining 41

dissect_ssl enter frame #1159 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 135 offset 5 length 10551574 bytes, remaining 41

dissect_ssl enter frame #1160 (first time)
  conversation = 0x982a7e8, ssl_session = 0x982af30
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

dissect_ssl enter frame #1161 (first time)
  conversation = 0x982a7e8, ssl_session = 0x982af30
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x17
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Tuesday, May 27, 2008 3:42 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark SSL Decryption

On Tue, May 27, 2008 at 01:38:47PM -0600, Al Aghili wrote:
>
> I've posted this once before but didn't get any answers so trying again.

Well, not quite, you did get some answers and said you would try out the suggestions ;-)

http://www.wireshark.org/lists/wireshark-users/200803/msg00050.html

> We are trying to decrypt SSL traffic in our network but for some reason
> tshark is only able to decrypt the http headers of the request. So not
> the request body or any of the response from the server. What could
> be going on?

Is there an "Unknown Record" frame between after the http header? I think there is a bug in the SSL decryption when there needs to be reassembly of the SSL payload.

Can you post a single TCP session that shows this behavior? Of course for anyone to reproduce the issue, you would also need to provide the private key. Is this possible? You could send them to me directly if posting it is an issue. Of course in this regard I assume you are using a testserver or a test-certificate specifically for the reproduction.

> If this is a SSL session cache issue how come we are able to decrypt the
> http header but not the body?

Indeed, that votes *against* a SSL cache issue :-)

Cheers,

Sake

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
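
Added example (not part of the original message, and not Wireshark code): a Python script that groups an SSL debug log like the one in the message by frame, labels each frame with the last decryption verdict logged for it, and flags a frame whose records repeat those of the frame before it. The sample log is constructed; the outcome labels and the repeat heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the debug-log format quoted above (values are made up).
SAMPLE_LOG = """\
dissect_ssl enter frame #10 (first time)
  conversation = 0x1000, ssl_session = 0x1100
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake can't find private key

dissect_ssl enter frame #20 (first time)
  conversation = 0x2000, ssl_session = 0x2100
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
packet_from_server: is from server - FALSE
ssl_decrypt_record: mac ok

dissect_ssl enter frame #21 (first time)
  conversation = 0x2000, ssl_session = 0x2100
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
packet_from_server: is from server - FALSE
ssl_decrypt_record: mac failed
"""

FRAME_RE = re.compile(r"dissect_ssl enter frame #(\d+)")
CONV_RE = re.compile(r"conversation = (0x[0-9a-fA-F]+)")
RECORD_RE = re.compile(r"content_type \d+|app_data len \d+|is from server - \w+")
# Phrase -> outcome label (labels are this example's own); a later match wins.
OUTCOMES = [
    ("no decoder available", "no-decoder"),
    ("can't find private key", "no-private-key"),
    ("mac ok", "decrypted"),
    ("mac failed", "mac-failed"),
]

def triage(log_text):
    """Return (frame, conversation, outcome, repeats_previous) per frame."""
    rows, prev_sig = [], None
    # Split on the frame marker itself so a flattened, newline-less log works too.
    for block in re.split(r"(?=dissect_ssl enter frame #)", log_text):
        frame = FRAME_RE.search(block)
        if not frame:
            continue  # preamble such as the ssl_init lines
        conv = CONV_RE.search(block)
        conv = conv.group(1) if conv else None
        outcome = "unknown"
        for phrase, label in OUTCOMES:
            if phrase in block:
                outcome = label
        # Heuristic: same conversation, direction, record types and lengths as
        # the previous frame suggests the same packet was logged twice.
        sig = (conv, RECORD_RE.findall(block))
        rows.append((int(frame.group(1)), conv, outcome, sig == prev_sig))
        prev_sig = sig
    return rows

def summarize(rows):
    """Count outcomes per conversation."""
    return Counter((conv, outcome) for _, conv, outcome, _ in rows)

for row in triage(SAMPLE_LOG):
    print(row)
```
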