Wireshark-users: Re: [Wireshark-users] tshark SSL Decryption
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Wed, 28 May 2008 10:57:36 -0600
Sake,
Ok I've attached parts of the debug file. There is no "Unknown Record"
in this file or the output of tshark. Some more info on the environment.
It's very high load and these are http SOAP calls. So the client is a
SOAP client not a browser.
One other thing. When we run tshark we have to start it with "data" not
"http". If we start it with http we won't see anything. Not even the
headers. So the argument to tshark looks like this (note the data after
443).

tshark -i 1 -R ssl.app_data -V -l -d tcp.port\=\=8001,http -o ssl.keys_list\:192.168.15.30,443,data,/Wireshark/cert.pem


I won't be able to send you the private key. This is a financial
institution and the same certificate is used in the qa and prod. Let me
know if you need anything else from me and I can provide it for you.

Could it be possible that the header is sent as part of a different
session than the body and the response?

I really appreciate your help on this.

Thanks
Al













ssl_init keys string:
192.168.15.30,443,http,/Wireshark/cert.pem
ssl_init found host entry 192.168.15.30,443,http,/Wireshark/cert.pem
ssl_init addr '192.168.15.30' port '443' filename '/Wireshark/cert.pem' password(only for p12 file) '(null)'
ssl_init private key file /Wireshark/cert.pem successfully loaded
association_add TCP port 443 protocol http handle 0x7a23d0
association_find: TCP port 993 found 0x9747d00
ssl_association_remove removing TCP 993 - imap handle 0x7a8d50
association_add TCP port 993 protocol imap handle 0x7a8d50
association_find: TCP port 995 found 0x9747d40
ssl_association_remove removing TCP 995 - pop handle 0x7b5e50
association_add TCP port 995 protocol pop handle 0x7b5e50

dissect_ssl enter frame #1126 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

dissect_ssl enter frame #1127 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x17
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

dissect_ssl enter frame #1130 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
dissect_ssl3_handshake can't find private key

dissect_ssl enter frame #1131 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
dissect_ssl3_handshake can't find private key

dissect_ssl enter frame #1132 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #1133 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #1138 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 240 ssl, state 0x17
association_find: TCP port 39614 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 39614 found 0x0
association_find: TCP port 443 found 0x97799b0
dissect_ssl enter frame #1139 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 240 ssl, state 0x17
association_find: TCP port 39614 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 39614 found 0x0
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1142 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1143 (first time)
  conversation = 0x981e4a8, ssl_session = 0x981f710
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1149 (first time)
  conversation = 0x982a7e8, ssl_session = 0x982af30
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 63 ssl, state 0x01
association_find: TCP port 37208 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 59 bytes, remaining 68
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #1152 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
association_find: TCP port 39617 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 352
Ciphertext[352]:
Plaintext[352]:
ssl_decrypt_record found padding 0 final len 351
checking mac (len 331, version 300, ct 23 seq 1)
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 331, seq = 0, nxtseq = 331
association_find: TCP port 39617 found 0x0
association_find: TCP port 443 found 0x97799b0
dissect_ssl3_record decrypted len 331
decrypted app data fragment: POST /StrongAuth/PVQInquiryV2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 1.1.4322.2300)
Authorization: Basic 
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 411
Expect: 100-continue
Host: **********

dissect_ssl3_record found association 0x97799b0

dissect_ssl enter frame #1153 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
association_find: TCP port 39617 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 352
Ciphertext[352]:
Plaintext[352]:
ssl_decrypt_record found padding 0 final len 351
checking mac (len 331, version 300, ct 23 seq 2)
ssl_decrypt_record: mac failed
association_find: TCP port 39617 found 0x0
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1154 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x1F
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1155 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48 ssl, state 0x1F
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0x97799b0

dissect_ssl enter frame #1158 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 135 offset 5 length 10551574 bytes, remaining 41

dissect_ssl enter frame #1159 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36 ssl, state 0x17
association_find: TCP port 37207 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 135 offset 5 length 10551574 bytes, remaining 41

dissect_ssl enter frame #1160 (first time)
  conversation = 0x982a7e8, ssl_session = 0x982af30
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705

dissect_ssl enter frame #1161 (first time)
  conversation = 0x982a7e8, ssl_session = 0x982af30
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x17
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 612 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 608 bytes, remaining 696
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 0x97799b0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 701 length 0 bytes, remaining 705






-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Tuesday, May 27, 2008 3:42 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark SSL Decryption

On Tue, May 27, 2008 at 01:38:47PM -0600, Al Aghili wrote:
> 
> I've posted this once before but didn't get any answers so trying
> again.

Well, not quite, you did get some answers and said you would try out the
suggestions ;-)

http://www.wireshark.org/lists/wireshark-users/200803/msg00050.html

> We are trying to decrypt SSL traffic in our network but for some reason
> tshark is only able to decrypt the http headers of the request. So not
> the request body or any of the response from the server. What could
> be going on?

Is there an "Unknown Record" frame between after the http header? I think
there is a bug in the SSL decryption when there needs to be reassembly
of the SSL payload. Can you post a single TCP session that shows this
behavior? Of course for anyone to reproduce the issue, you would also
need to provide the private key. Is this possible? You could send
them to me directly if posting it is an issue. Of course in this 
regard I assume you are using a testserver or a test-certificate 
specifically for the reproduction.


> If this is a SSL session cache issue how come we are able to decrypt the
> http header but not the body?

Indeed, that votes *against* a SSL cache issue :-)

Cheers,
    Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
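
An added example, not part of the original thread: a small triage script for an SSL debug log in the format posted above, grouping per-record outcomes by `ssl_session` pointer so it is easy to see which sessions ever produced a verified record. The sample is a shortened excerpt of that log; the outcome labels (`mac_ok`, `no_decoder`, and so on) are names chosen for this example.

```python
import re

# Shortened excerpt of the debug log above, kept in the same line format.
SAMPLE_LOG = """\
dissect_ssl enter frame #1130 (first time)
  conversation = 0x982a0f0, ssl_session = 0x982a458
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake can't find private key

dissect_ssl enter frame #1152 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
ssl_decrypt_record: mac ok

dissect_ssl enter frame #1153 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
decrypt_ssl3_record: app_data len 352 ssl, state 0x1F
ssl_decrypt_record: mac failed

dissect_ssl enter frame #1154 (first time)
  conversation = 0x9826800, ssl_session = 0x9827e48
decrypt_ssl3_record: app_data len 48 ssl, state 0x1F
decrypt_ssl3_record: no decoder available
"""

FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
SESSION = re.compile(r"ssl_session = (0x[0-9a-fA-F]+)")
RECORD = re.compile(r"decrypt_ssl3_record: app_data len \d+ ssl, state (0x[0-9a-fA-F]+)")
# Outcome labels on the right are names chosen for this example.
OUTCOMES = {
    "ssl_decrypt_record: mac ok": "mac_ok",
    "ssl_decrypt_record: mac failed": "mac_failed",
    "decrypt_ssl3_record: no decoder available": "no_decoder",
    "dissect_ssl3_handshake can't find private key": "no_private_key",
    "ssl_restore_session can't find stored session": "no_stored_session",
}

def summarize(log_text):
    """Group outcome counts by ssl_session pointer, in log order."""
    sessions, frame, current = {}, None, None
    for raw in log_text.splitlines():
        line = raw.strip()  # mailed logs often carry trailing spaces
        if m := FRAME.match(line):
            frame = int(m.group(1))
        elif m := SESSION.search(line):
            current = sessions.setdefault(m.group(1), {"frames": []})
            current["frames"].append(frame)
        elif current is None:
            continue
        elif m := RECORD.match(line):
            current["state"] = m.group(1)  # last state seen for the session
        elif line in OUTCOMES:
            current[OUTCOMES[line]] = current.get(OUTCOMES[line], 0) + 1
    return sessions

def undecrypted(sessions):
    """Sessions in which no record passed the MAC check."""
    return [sid for sid, info in sessions.items() if not info.get("mac_ok")]
```

Calling `summarize()` on the full debug file and then `undecrypted()` on the result lists the sessions worth inspecting first.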