Wireshark · Wireshark-users: Re: [Wireshark-users] question about bug 3303

Wireshark-users: Re: [Wireshark-users] question about bug 3303

Date: Tue, 7 Sep 2010 12:01:31 +0200 (CEST)

Hi Sake,

This is what I see in my capture that makes me think this might be the
same issue:

[..]
216 <timestamp> <srcip> <dstip> TCP   [TCP segment of a reassembled PDU]
217 <timestamp> <srcip> <dstip> TLSv1 Server Hello, Certificate, Server Key Exchange, Server Hello Done
[..]
I kind of missed the " Certificate, Server Key Exchange" before. Butthis means it is a totally different issue. This means the keyingmaterial is not created by the client and sent to the server encryptedwith it's public key. Instead of that the DH algorithm is used tonegotiate keying material. Wireshark is not able to decrypt sessionsthat used DH to negotiate keys.
You can see this by looking at the chosen cipher in the ServerHellomessage. It should have DH in the ciphername.
You can circumvent this by restricting the allowed ciphers on either theclient or the server.


Indeed, you were right. Thank you!

Just out of interest, will Wireshark support the decryption of sessionsthat used DH to negotiate keys?


Thanks,

Kolos

Follow-Ups:
- Re: [Wireshark-users] question about bug 3303
  - From: Sake Blok

References:
- [Wireshark-users] question about bug 3303
  - From: kolos_ws
- Re: [Wireshark-users] question about bug 3303
  - From: Sake Blok
- Re: [Wireshark-users] question about bug 3303
  - From: kolos_ws
- Re: [Wireshark-users] question about bug 3303
  - From: Sake Blok
- Re: [Wireshark-users] question about bug 3303
  - From: kolos_ws
- Re: [Wireshark-users] question about bug 3303
  - From: Sake Blok

Prev by Date: Re: [Wireshark-users] question about bug 3303
Next by Date: Re: [Wireshark-users] question about bug 3303
Previous by thread: Re: [Wireshark-users] question about bug 3303
Next by thread: Re: [Wireshark-users] question about bug 3303
Index(es):
- Date
- Thread