Hi Dominic,
The fact that you got it working for one of the two flows means that the key is ok, that you are not using a DH cipher and that all packets of the SSL handshake are present in the trace (those are the 3 common problems with decrypting traffic). However, if the other flow does not decrypt, that could be caused by:
- a missing packet in that flow (unable to fix)
- the first tcp segment of the first SSL record received out-of-order (could be fixed with editcap and mergecap, but is not so trivial)
- duplicate packets in that flow (could be fixed by using 'editcap -d <infile> <outfile>')

If those are not the case, are you able to provide the capture file and the key? Or is this a production environment?
Cheers,
Sake
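As an added illustration of the three conditions Sake lists (not code from the thread or from Wireshark), the function below triages one direction of a TCP flow for a missing segment, a first segment captured out of order, and duplicate segments. It assumes you have already extracted the flow's segments as (sequence number, payload) pairs in capture order, for example with tshark or scapy; the sample data is constructed.

```python
# Added example, not part of the original thread. Triage one direction of a
# TCP flow for the three capture defects that stop the SSL dissector from
# decrypting it: a gap in the byte stream, the first segment arriving out of
# order, and duplicate segments (what 'editcap -d' removes).
from collections import Counter


def triage_flow(segments, first_seq):
    """Return findings for one direction of a TCP flow.

    segments:  list of (seq, payload_bytes) in capture order (assumed input).
    first_seq: sequence number of the first data byte (ISN + 1).
    """
    seen = Counter((seq, payload) for seq, payload in segments)
    duplicate_count = sum(1 for n in seen.values() if n > 1)

    # Walk the unique segments in sequence order to find holes in the stream.
    expected = first_seq
    gaps = []
    for seq, payload in sorted(seen):
        if seq > expected:
            gaps.append((expected, seq))  # bytes [expected, seq) never captured
        expected = max(expected, seq + len(payload))

    # Out-of-order: a later segment carries a lower seq than an earlier one.
    seqs = [seq for seq, _ in segments]
    out_of_order = any(later < earlier for earlier, later in zip(seqs, seqs[1:]))
    # The case Sake singles out: the very first data segment was not captured
    # first, so reassembly of the first SSL record starts on the wrong segment.
    first_out_of_order = bool(seqs) and seqs[0] != first_seq and first_seq in seqs

    return {
        "duplicates": duplicate_count,
        "gaps": gaps,
        "out_of_order": out_of_order,
        "first_segment_out_of_order": first_out_of_order,
    }


# Constructed sample flow: segment 1005 is captured before 1001, 1005 is
# seen twice (e.g. a SPAN-port duplicate), and bytes 1008..1009 are missing.
SAMPLE_FLOW = [
    (1005, b"\x01\x00\x00"),
    (1001, b"\x16\x03\x01\x00"),
    (1005, b"\x01\x00\x00"),
    (1010, b"\xaa\xbb"),
]

if __name__ == "__main__":
    print(triage_flow(SAMPLE_FLOW, 1001))
```

A flow with no findings (zero duplicates, no gaps, both order flags False) that still will not decrypt points back at the key or cipher suite rather than the capture.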
----- Original Message -----
Sent: Tuesday, September 29, 2009 11:26 AM
Subject: [Wireshark-users] Trouble with SSL dissector - got it half working!
After much trawling and experimentation I've almost managed to get the SSL dissector working, but strangely I can only decode my incoming http requests (all the responses are still encrypted). I've tried using the "decode as" option to make it decode for the client port as well as the server port (although I didn't expect that to be necessary) and I've tried adding the client ip address and socket as a second "private key" in the configuration. Neither helped.

I'd appreciate any suggestions - I'm happy to provide additional details if that would help.
Thanks,
-Dominic
Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU