Wireshark mailing list archives

Re: question about bug 3303


From: Sake Blok <sake () euronet nl>
Date: Tue, 7 Sep 2010 13:31:03 +0200

On 7 sep 2010, at 12:01, kolos_ws () ural2 hu wrote:

This is what I see in my capture that makes me think this might be the
same issue:

[..]
216 <timestamp> <srcip> <dstip> TCP   [TCP segment of a reassembled PDU]
217 <timestamp> <srcip> <dstip> TLSv1 Server Hello, Certificate, Server Key Exchange, Server Hello Done
[..]

I kind of missed the " Certificate, Server Key Exchange" before. But 
this means it is a totally different issue. This means the keying 
material is not created by the client and sent to the server encrypted 
with its public key. Instead of that, the DH algorithm is used to 
negotiate keying material. Wireshark is not able to decrypt sessions 
that used DH to negotiate keys.

You can see this by looking at the chosen cipher in the ServerHello 
message. It should have DH in the cipher name.

You can circumvent this by restricting the allowed ciphers on either the 
client or the server.

Indeed, you were right. Thank you!

You're welcome :-)

Just out of interest, will Wireshark support the decryption of sessions 
that used DH to negotiate keys?

Since DH uses keys that are generated on the fly, Wireshark would need some keying material from either the client or 
the server for those sessions to make it possible. There is some work in Chrome/Firefox to be able to log that session 
information and an enhancement request for Wireshark to import it. However, you would need to have a custom compiled 
version of Chrome/Firefox to be able to decrypt DH-based SSL sessions.

In short, yes, there will be more possibilities in the future, but not a general solution to be able to decrypt any SSL 
session that uses DH.

Cheers,


Sake
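
The ServerHello check described in the message above, as an added example that is not part of the original post: it reads the chosen cipher suite from a TLS 1.0-1.2 ServerHello record and reports whether the server's RSA private key alone could decrypt the session. It goes slightly beyond the thread by also listing ECDHE suites. Assumptions: the ServerHello is the first handshake message in a single record, the suite table is a small subset of the IANA registry, and the function names and sample bytes are constructed for illustration.

```python
# Added example: constructed input, not a capture from the thread.
SUITES = {  # small subset of the IANA TLS cipher suite registry
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite ID from a TLS 1.0-1.2 ServerHello record."""
    if len(record) < 5 or record[0] != 22:          # 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 2:               # 2 = ServerHello
        raise ValueError("first handshake message is not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                 # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]                            # skip the session ID
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def rsa_key_can_decrypt(suite_id: int) -> bool:
    """True only for plain RSA key exchange; DH-negotiated keys return False."""
    name = SUITES.get(suite_id)
    if name is None:
        raise KeyError(f"suite 0x{suite_id:04X} is not in the sample table")
    key_exchange = name[len("TLS_"):].split("_WITH_")[0]  # "RSA", "DHE_RSA", ...
    return key_exchange == "RSA"

def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data only)."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite_id.to_bytes(2, "big") + b"\x00"  # suite + null compression
    msg = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(msg).to_bytes(2, "big") + msg

if __name__ == "__main__":
    for sid in (0x002F, 0x0039):
        chosen = server_hello_suite(build_server_hello(sid, b"\xaa" * 32))
        verdict = "yes" if rsa_key_can_decrypt(chosen) else "no (DH key exchange)"
        print(f"{SUITES[chosen]}: decryptable with server RSA key: {verdict}")
```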
