Re: two way SSL decryption

["T.A. Peelen" <tom.peelen () open-consult nl>]

Super!

Thank you very much. An excellent presentation it helped me a lot in
discovering what to do. Finally I found I was using the wrong private
key to decode the stream. Once configured correctly it worked directly.

I think it would be helpfull to have your presentation at the wireshark
wiki. It explains much more on configuring SSL-decryption.

Thanks again, Tom.

On 17 jan 2010 18:04 "Sake Blok" <sake () euronet nl> wrote:

> On Sun, Jan 17, 2010 at 03:48:42PM +0100, T.A. Peelen wrote:
> > I'm confronted with a situation in which both sides of the
> > connection have
> > a certificate to realise a SSL tunnel based on a private key at both
> > ends.
> > However, we encounter a problem in which we are not sure which side
> > of the
> > tunnel causes a problem. To be able to dertemine this I need to
> > decrypt
> > the tunnel. I have private keys of both ends available (it is a
> > test-situation).
>
> Do you mean the SSL connection uses client authentication. Ie. the
> server asks the client to authenticate itself with a certificate too?
> If
> so, the private key of the client is not used to encrypt the
> pre-master
> secret that it sends towards the server (it is this PMS that wireshark
> decrypts with the server private key to be able to decrypt the
> session).
> So if you configure wireshark with the private key of the server, you
> should be fine.
>
> If both sides are able to set up the tunnel, you can supply wireshark
> with both keys so each direction can be decrypted. You would have to
> use
> something like this:
>
> ,,,;,,, Beware of DH ciphers, when a DH cipher is chosen decryption
> won't work
> as the PMS will be exchanged differently.
>
> Hope this helps,
> Cheers,
>
>
> Sake
>
> PS Have a look at the slides of the presentation I gave at Sharkfest
> last year, they might help you in troubleshooting SSL traffic:
>
> <https://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_wi
> th_Wireshark_and_Tshark.pps>
>
> or watch the video of my session at:
>
> <http://www.lovemytool.com/blog/2009/06/sake_blok_11.html>
>
>
> ______________________________________________________________________
> _____
> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives: <http://www.wireshark.org/lists/wireshark-users>
> Unsubscribe: <https://wireshark.org/mailman/options/wireshark-users>
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe