Wireshark-users: Re: [Wireshark-users] TLSv1 vs SSL3.0 decoding issue
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Thu, 11 Jun 2009 17:25:12 +0200
Hi Jacob,
 
If you look at the "ServerHello" message, I bet you will see that the BigIP has chosen a DH cipher. The clue to this is that there is a "Server Key Exchange" message (see frame 5). This means that the encryption key that is chosen is also based on information that only the server knows. You can either change the accepted range of ciphers on the BigIP to not include any DH cipher, or alter the client to not propose DH ciphers, to make decryption possible. If neither option is possible, then I'm afraid you won't be able to do decryption.
 
Cheers,
      Sake
 
PS  If you come to Sharkfest, I am giving a presentation on "SSL troubleshooting" that includes this example amongst other things :-)
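The check described above (look at the cipher suite the ServerHello selected, and look for a "Server Key Exchange" message in the server's first flight) can be done programmatically against the raw TLS records. The following is an added example, not code from the thread or from Wireshark; the sample server flights are constructed in the script itself, not taken from the captures in the thread, and the cipher suite tables cover only a handful of RFC 2246/3268 suites as an illustration.

```python
"""
Decide from a server's TLS handshake flight whether Wireshark can decrypt the
session with only the server's RSA private key.

Rule from the thread: a ServerKeyExchange message (handshake type 12) means
the server contributed fresh Diffie-Hellman key material, so the premaster
secret cannot be recovered from the RSA private key alone.
"""
import struct

HANDSHAKE = 0x16
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14

# Small selection of suite IDs (RFC 2246 / RFC 3268); not the full registry.
RSA_KX_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
DHE_KX_SUITES = {
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}


def tls_records(data: bytes):
    """Yield (content_type, version, fragment) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        yield ctype, ver, data[off:off + length]
        off += length


def handshake_messages(fragment: bytes):
    """Yield (msg_type, body) for each handshake message in a record fragment."""
    off = 0
    while off + 4 <= len(fragment):
        msg_type = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        off += 4
        yield msg_type, fragment[off:off + length]
        off += length


def server_hello_cipher(body: bytes) -> int:
    """Return the cipher suite chosen in a ServerHello body:
    version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) ..."""
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def analyse_server_flight(data: bytes) -> dict:
    """Report the chosen suite and whether a ServerKeyExchange was sent."""
    suite, seen = None, []
    for ctype, _ver, frag in tls_records(data):
        if ctype != HANDSHAKE:
            continue
        for msg_type, body in handshake_messages(frag):
            seen.append(msg_type)
            if msg_type == SERVER_HELLO:
                suite = server_hello_cipher(body)
    has_ske = SERVER_KEY_EXCHANGE in seen
    if suite is None:
        verdict = "no ServerHello found in this flight"
    elif has_ske or suite in DHE_KX_SUITES:
        verdict = "DH key exchange: server private key alone cannot decrypt"
    elif suite in RSA_KX_SUITES:
        verdict = "RSA key exchange: decryptable with the server's private key"
    else:
        verdict = "unknown suite 0x%04x" % suite
    name = RSA_KX_SUITES.get(suite) or DHE_KX_SUITES.get(suite) or "unknown"
    return {"cipher_suite": suite, "name": name,
            "server_key_exchange": has_ske, "verdict": verdict}


def _hs(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_server_flight(cipher_suite: int, with_ske: bool) -> bytes:
    """Constructed sample flight (not captured traffic): ServerHello, an empty
    placeholder Certificate, optional dummy ServerKeyExchange, ServerHelloDone."""
    server_hello = (struct.pack("!H", 0x0301) + b"\x11" * 32 + b"\x00"
                    + struct.pack("!H", cipher_suite) + b"\x00")
    msgs = _hs(SERVER_HELLO, server_hello) + _hs(CERTIFICATE, b"\x00\x00\x00")
    if with_ske:
        msgs += _hs(SERVER_KEY_EXCHANGE, b"\x00\x01\x17\x00\x01\x02\x00\x01\x03")
    msgs += _hs(SERVER_HELLO_DONE, b"")
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msgs)) + msgs


if __name__ == "__main__":
    # Mirrors the two excerpts in the thread: a DHE suite with ServerKeyExchange
    # versus a plain RSA suite without one.
    print(analyse_server_flight(build_server_flight(0x0039, True))["verdict"])
    print(analyse_server_flight(build_server_flight(0x0035, False))["verdict"])
```

In Wireshark the same distinction shows up in the Info column: the frame that carries "Server Key Exchange" is the one that tells you the RSA private key will not be enough. Later Wireshark releases also accept a (Pre)-Master-Secret log file written by the client (the SSLKEYLOGFILE mechanism), which decrypts DH sessions as well, but that requires control over the client, which was exactly the constraint in this thread.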
----- Original Message -----
From: jacob c
Sent: Thursday, June 11, 2009 4:41 PM
Subject: [Wireshark-users] TLSv1 vs SSL3.0 decoding issue

Hello,
 
I am unable to decode an SSL capture that is using TLSv1. This is an application connecting to a BigIP VIP. I then used an IE browser to connect to the same VIP and it decoded just fine. I usually have no issues decoding SSL, but I can't decode this one, and I tried several captures from the beginning to make sure I get the initial key exchange. And of course the private key is correct, because it works when using my IE browsers. Any ideas would be great. Here are some capture excerpts.
 
App negotiating SSL using TLSv1
No.     Time        Source                Destination           Protocol Info
  4     0.000976    10.151.59.152         10.62.40.33           SSLv2    Client Hello
  5     0.003939    10.62.40.33           10.151.59.152         TLSv1    Server Hello, Certificate, Server Key Exchange, Server Hello Done
  6     0.009517    10.151.59.152         10.62.40.33           TLSv1    Client Key Exchange
  7     0.108893    10.62.40.33           10.151.59.152         TCP      https > 4255 [ACK] Seq=970 Ack=133 Win=4512 Len=0
  8     0.109370    10.151.59.152         10.62.40.33           TLSv1    Change Cipher Spec, Encrypted Handshake Message
  9     0.110123    10.62.40.33           10.151.59.152         TLSv1    Change Cipher Spec, Encrypted Handshake Message
 10     0.111321    10.151.59.152         10.62.40.33           TLSv1    Application Data
IE v6 Browser negotiating with SSL v3
No.     Time        Source                Destination           Protocol Info
  1     0.000000    10.56.252.90          10.62.40.33           TCP      14624 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1380 WS=0 TSV=0 TSER=0
  2     0.000059    10.62.40.33           10.56.252.90          TCP      https > 14624 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1460 WS=0 TSV=3429125276 TSER=0
  3     0.000475    10.56.252.90          10.62.40.33           TCP      14624 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0 TSV=7207995 TSER=3429125276
  4     0.020255    10.56.252.90          10.62.40.33           SSLv2    Client Hello
  5     0.020302    10.62.40.33           10.56.252.90          SSLv3    Server Hello, Certificate, Server Hello Done
  6     0.021714    10.56.252.90          10.62.40.33           SSLv3    Client Key Exchange, Change Cipher Spec, Finished
  7     0.022390    10.62.40.33           10.56.252.90          SSLv3    Change Cipher Spec, Finished
  8     0.113509    10.56.252.90          10.62.40.33           TCP      14624 > https [FIN, ACK] Seq=283 Ack=827
 
Thank you,


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe