Wireshark-users: Re: [Wireshark-users] SSL: key exchange 0 different from KEX_RSA (16)

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 5 Jul 2010 20:56:31 +0200
On 5 jul 2010, at 16:29, Guy Deffaux wrote:

> ---> ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA 
> (16) <---

This means Wireshark does not see an RSA key exchange and is therefore not able to do decryption based on the server's private key. If you take a look at the ServerHello message, you can see that a DH cipher has been chosen:

Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

(notice the _DHE_)

When a DH cipher is used, the keying material is not encrypted with the server's public key (which can be decrypted with the server's private key), but with dynamically generated keys which are only (temporarily) known to the client and the server. Wireshark is not able to decrypt that.

You can use "--ciphers RSA" with curl to make it only use RSA ciphers. See the manual page for more details.

Hope this helps,
Cheers,


Sake
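
Added example, not part of the original message: a Python check that reads the selected cipher suite out of a ServerHello record and reports whether it uses static RSA key exchange, the only case where decryption with the server's private key applies. The function names, the cipher-suite subset and the sample record are constructed for illustration.

```python
# Subset of IANA TLS cipher suite IDs; 0x0039 is the suite quoted in the message.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def server_hello_cipher_suite(record: bytes) -> int:
    """Return the cipher suite ID selected in a TLS record carrying a ServerHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if rec_len < 4 or len(body) < rec_len or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: server_version(2) + random(32) + session_id_len(1) + session_id + suite(2)
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def private_key_decryption_possible(suite_id: int) -> bool:
    """True only for static RSA key exchange (suite names starting TLS_RSA_WITH_)."""
    name = CIPHER_SUITES.get(suite_id)
    if name is None:
        raise KeyError(f"suite 0x{suite_id:04x} is not in the sample table")
    return name.startswith("TLS_RSA_WITH_")

def build_sample(suite_id: int, session_id: bytes = b"") -> bytes:
    """Constructed ServerHello record (TLS 1.0, all-zero random), for illustration only."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite_id.to_bytes(2, "big") + b"\x00"  # suite + null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    suite = server_hello_cipher_suite(build_sample(0x0039))
    print(CIPHER_SUITES[suite], private_key_decryption_possible(suite))
```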