Wireshark-users: Re: [Wireshark-users] two way SSL decryption

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 17 Jan 2010 18:04:12 +0100
On Sun, Jan 17, 2010 at 03:48:42PM +0100, T.A. Peelen wrote:
> 
>    I'm confronted with a situation in which both sides of the connection have
>    a certificate to realise a SSL tunnel based on a private key at both ends.
>    However, we encounter a problem in which we are not sure which side of the
>    tunnel causes a problem. To be able to determine this I need to decrypt
>    the tunnel. I have private keys of both ends available (it is a
>    test-situation).

Do you mean the SSL connection uses client authentication, i.e. the
server asks the client to authenticate itself with a certificate too? If
so, the private key of the client is not used to encrypt the pre-master
secret that it sends towards the server (it is this PMS that Wireshark
decrypts with the server private key to be able to decrypt the session).
So if you configure Wireshark with the private key of the server, you
should be fine.

If both sides are able to set up the tunnel, you can supply Wireshark
with both keys so each direction can be decrypted. You would have to use
something like this:

<server-ip>,<tunnel-port>,<tunneled-protocol>,<server-key-location>;<client-ip>,<tunnel-port>,<tunneled-protocol>,<client-key-location>

Beware of DH ciphers: when a DH cipher is chosen, decryption won't work,
as the PMS will be exchanged differently.

Hope this helps,
Cheers,

Sake

PS  Have a look at the slides of the presentation I gave at Sharkfest 
    last year, they might help you in troubleshooting SSL traffic:

    https://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps
    or watch the video of my session at:

    http://www.lovemytool.com/blog/2009/06/sake_blok_11.html
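The following is an added example, not code from the mailing-list post or from Wireshark itself. It parses the semicolon-separated `<ip>,<port>,<protocol>,<key-location>` key-list string shown in the reply, picks the entry for a given server endpoint (so a two-way setup with both keys listed is matched per direction), and applies the reply's DH caveat by checking a cipher suite's key-exchange part: only plain RSA key exchange lets a server private key recover the pre-master secret. The addresses, port and key paths are constructed sample values; the helper names are this example's own.

```python
"""Added example, not code from the mailing-list post or from Wireshark:
parses the '<ip>,<port>,<protocol>,<keyfile>' key-list string shown in the
reply and checks which cipher suites an RSA private key can decrypt."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeyEntry:
    ip: str        # the endpoint that acts as the TLS/SSL server
    port: int      # the tunnel port on that endpoint
    protocol: str  # the tunnelled (inner) protocol, e.g. "http"
    key_file: str  # path to that endpoint's private key


def parse_keys_list(keys_list: str) -> List[KeyEntry]:
    """Split '<ip>,<port>,<proto>,<key>;<ip>,<port>,<proto>,<key>' into
    entries. Entries are ';'-separated, fields ','-separated; whitespace
    around fields is ignored and empty entries (a trailing ';') are skipped."""
    entries: List[KeyEntry] = []
    for raw in keys_list.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields in {raw!r}, got {len(fields)}")
        ip, port, proto, key_file = fields
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port {port!r} in {raw!r}")
        if not ip or not proto or not key_file:
            raise ValueError(f"empty field in {raw!r}")
        entries.append(KeyEntry(ip, int(port), proto, key_file))
    return entries


def build_keys_list(entries: List[KeyEntry]) -> str:
    """Inverse of parse_keys_list: serialise entries back to one string."""
    return ";".join(f"{e.ip},{e.port},{e.protocol},{e.key_file}" for e in entries)


def key_for_server(entries: List[KeyEntry], server_ip: str,
                   server_port: int) -> Optional[KeyEntry]:
    """Pick the entry whose (ip, port) matches the server side of a flow.
    With both ends listed, whichever side accepted the connection is
    matched, so each direction of a two-way setup can be decrypted."""
    for e in entries:
        if e.ip == server_ip and e.port == server_port:
            return e
    return None


def rsa_key_can_decrypt(cipher_suite: str) -> bool:
    """True only when the suite's key exchange is plain RSA, i.e. the client
    encrypts the pre-master secret to the server's public key so the server
    private key recovers it. Any (EC)DH / (EC)DHE key exchange derives the
    PMS from a Diffie-Hellman exchange instead, which the private key alone
    cannot undo (the 'beware of DH ciphers' caveat in the reply)."""
    name = cipher_suite.strip().upper()
    if not (name.startswith("TLS_") or name.startswith("SSL_")) or "_WITH_" not in name:
        raise ValueError(f"not an IANA-style cipher suite name: {cipher_suite!r}")
    key_exchange = name[4:].split("_WITH_", 1)[0]
    return key_exchange == "RSA"


# Constructed sample configuration (documentation addresses, not real hosts):
# the server side of the tunnel and the client side, each with its own key.
SAMPLE_KEYS_LIST = (
    "192.0.2.10,4433,http,/tmp/server.key;"
    "192.0.2.20,4433,http,/tmp/client.key"
)

if __name__ == "__main__":
    entries = parse_keys_list(SAMPLE_KEYS_LIST)
    for e in entries:
        print(f"{e.ip}:{e.port} ({e.protocol}) -> {e.key_file}")
    print("round-trip ok:", build_keys_list(entries) == SAMPLE_KEYS_LIST)
    for suite in ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"):
        print(f"{suite}: decryptable with server key = {rsa_key_can_decrypt(suite)}")
```

The key-exchange check is deliberately strict: it only accepts the `RSA` key-exchange token, so export or PSK variants are reported as not decryptable and should be checked by hand. In practice you read the negotiated suite from the Server Hello before deciding whether supplying private keys will get you anywhere.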