Wireshark-users: Re: [Wireshark-users] two way SSL decryption
From: "T.A. Peelen" <tom.peelen@xxxxxxxxxxxxxxx>
Date: Sun, 17 Jan 2010 21:59:57 +0100
Super!

Thank you very much. An excellent presentation it helped me a lot in discovering what to do. Finally I found I was using the wrong private key to decode the stream. Once configured correctly it worked directly.

I think it would be helpfull to have your presentation at the wireshark wiki. It explains much more on configuring SSL-decryption.

Thanks again, Tom.

On 17 jan 2010 18:04 "Sake Blok" <sake@xxxxxxxxxx> wrote:
On Sun, Jan 17, 2010 at 03:48:42PM +0100, T.A. Peelen wrote:

I'm confronted with a situation in which both sides of the connection have
a certificate to realise a SSL tunnel based on a private key at both ends.
However, we encounter a problem in which we are not sure which side of the
tunnel causes a problem. To be able to dertemine this I need to decrypt
the tunnel. I have private keys of both ends available (it is a
test-situation).

Do you mean the SSL connection uses client authentication. Ie. the
server asks the client to authenticate itself with a certificate too? If
so, the private key of the client is not used to encrypt the pre-master
secret that it sends towards the server (it is this PMS that wireshark
decrypts with the server private key to be able to decrypt the session).
So if you configure wireshark with the private key of the server, you
should be fine.

If both sides are able to set up the tunnel, you can supply wireshark
with both keys so each direction can be decrypted. You would have to use
something like this:

<server-ip>,<tunnel-port>,<tunneled-protocol>,<server-key-location>;<client-ip>,<tunnel-port>,<tunneled-protocol>,<client-key-location>

Beware of DH ciphers, when a DH cipher is chosen decryption won't work
as the PMS will be exchanged differently.

Hope this helps,
Cheers,


Sake

PS Have a look at the slides of the presentation I gave at Sharkfest
last year, they might help you in troubleshooting SSL traffic:

https://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps

or watch the video of my session at:

http://www.lovemytool.com/blog/2009/06/sake_blok_11.html


___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe