Hello, I'm trying to decrypt some SSL traffic. The connection initiator talks to port 37000. It talks a proprietary protocol (one not present in Wireshark). I have the keys of the initiator and the listener. I am capturing on the listener. What should my RSA keys list be?

Should it be: 127.0.0.1,3700,3700,e:\keys\initiator.key? Or maybe 127.0.0.1,3700,3700,e:\keys\listener.key? I don't get decrypted data in either case. The SSL log says, in the second case:

===Begin SSL log===
ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
ssl_get_version: 1.5.0
ssl_init private key file c:\keys\initiator.key successfully loaded
association_add port 37000 protocol 37000 handle 00000000
===End SSL log===

Can decryption only occur if the conversation is sniffed from its beginning?
Do I need both initiator and listener keys?
Why is there both a port and protocol specified? How would you differentiate two protocols on the same port?
What if the protocol is unknown (or at least there's no dissector for it)?

Thanks

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
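The first thing to check before blaming the keys list is whether the capture actually contains the TLS handshake and whether the negotiated cipher suite uses an RSA key exchange: Wireshark's RSA private-key decryption needs the ClientKeyExchange from the start of the session and only works when the server (here: the listener) chose a TLS_RSA_* suite, because with DHE/ECDHE the private key never unwraps the session secret. The following script is an added example, not code from the poster or from the Wireshark project. It walks a stream of TLS records, reports whether ClientHello and ServerHello are present, extracts the selected cipher suite, and builds the keys-list line in the `ip,port,protocol,keyfile` shape the poster's log shows. The sample records, the cipher-suite table, and the `data` protocol name (assumed here as the dissector to hand undissected payload to) are constructed for the example; the records are assumed to be unfragmented, one handshake message per record.

```python
import struct

HANDSHAKE = 0x16          # TLS record content type for handshake messages
APPLICATION_DATA = 0x17
CLIENT_HELLO = 1
SERVER_HELLO = 2

# Constructed subset of cipher suite IDs used only for this example.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def iter_handshakes(stream: bytes):
    """Yield (handshake_type, body) for each handshake message in a byte stream of TLS records.
    Assumes each handshake message is contained within a single record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:
            continue
        p = 0
        while p + 4 <= len(payload):
            htype = payload[p]
            hlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield htype, payload[p + 4:p + 4 + hlen]
            p += 4 + hlen


def parse_server_hello_suite(body: bytes) -> int:
    """Return the cipher suite the server selected (ServerHello body, TLS 1.0-1.2 layout)."""
    p = 2 + 32                      # skip server_version and random
    sid_len = body[p]
    p += 1 + sid_len                # skip session_id
    return struct.unpack("!H", body[p:p + 2])[0]


def diagnose(stream: bytes) -> dict:
    """Report whether the capture holds the handshake and whether an RSA private key can decrypt it."""
    result = {"client_hello": False, "server_hello": False,
              "cipher": None, "rsa_decryptable": False}
    for htype, body in iter_handshakes(stream):
        if htype == CLIENT_HELLO:
            result["client_hello"] = True
        elif htype == SERVER_HELLO:
            result["server_hello"] = True
            suite = parse_server_hello_suite(body)
            name = CIPHER_SUITES.get(suite, f"unknown_0x{suite:04x}")
            result["cipher"] = name
            # Only a static RSA key exchange can be unwrapped with the server's private key.
            result["rsa_decryptable"] = name.startswith("TLS_RSA_")
    return result


def keys_list_entry(ip: str, port: int, protocol: str, keyfile: str) -> str:
    """Build one RSA keys list line; keyfile must be the listener's (server's) private key."""
    return f"{ip},{port},{protocol},{keyfile}"


# --- constructed sample records -------------------------------------------
def record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def client_hello() -> bytes:
    # version, random, empty session id, one offered suite (0x002F), null compression
    return handshake(CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00"
                     + b"\x00\x02\x00\x2f" + b"\x01\x00")


def server_hello(suite: int) -> bytes:
    return handshake(SERVER_HELLO, b"\x03\x03" + b"\x11" * 32 + b"\x00"
                     + struct.pack("!H", suite) + b"\x00")


FULL_RSA = record(HANDSHAKE, client_hello()) + record(HANDSHAKE, server_hello(0x002F))
FULL_ECDHE = record(HANDSHAKE, client_hello()) + record(HANDSHAKE, server_hello(0xC02F))
MIDSTREAM = record(APPLICATION_DATA, b"\xaa" * 20)   # capture started after the handshake

if __name__ == "__main__":
    for label, stream in (("rsa", FULL_RSA), ("ecdhe", FULL_ECDHE), ("midstream", MIDSTREAM)):
        print(label, diagnose(stream))
    print(keys_list_entry("127.0.0.1", 37000, "data", r"c:\keys\listener.key"))
```

If `client_hello`/`server_hello` come back False the session was not captured from the start and no key will help; if the suite is DHE/ECDHE the server's private key cannot recover the session keys either, and a session-key log from the endpoint is the alternative.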
