ronnie sahlberg wrote:
> On 9/12/06, Andrew Schweitzer <[EMAIL PROTECTED]> wrote:
>
>> Hello, I'm trying to decrypt some SSL traffic.
>>
>> The connection initiator talks to port 37000. It talks a proprietary
>> protocol (one not present in wireshark). I have the keys of the
>> initiator and the listener. I am capturing on the listener. What should
>> my RSA keys list be?
>>
>> Should it be:
>> 127.0.0.1,3700,3700,e:\keys\initiator.key?
>> or maybe
>>
>> I don't get decrypted data in either case. SSL log says, in second case:
>>
>> ===Begin SSL log===
>> ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
>> ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
>> ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
>> ssl_get_version: 1.5.0
>> ssl_init private key file c:\keys\initiator.key successfully loaded
>> association_add port 37000 protocol 37000 handle 00000000
>> ===End SSL log===
>>
>>
>> Can decryption only occur if the conversation is sniffed from its
>> beginning?
>
> yes
>
>> Do I need both initiator and listener keys?
>
> no, the server's key should be sufficient
>
>> Why is there both a port and protocol specified? How would you
>
> the protocol is used to tell wireshark what the next payload is, i.e.
> what is inside the ssl wrapping
>
>> differentiate two protocols on the same port? What if the protocol is
>> unknown (or at least there's no dissector for it?)
>
> then you can probably specify "data" instead to use the "data" dissector
>
> try:
> 127.0.0.1,3700,data,e:\keys\server.key
>
>> Thanks
>>
>> _______________________________________________
>> Wireshark-users mailing list
>> [email protected]
>> http://www.wireshark.org/mailman/listinfo/wireshark-users

Hi Ronnie!

As you seem to be the one with some knowledge about the SSL stuff, is there a place where all this is explained? I get the feeling that a lot of current stuff will only be usable to the developers, as no one else gets a clue how it's working (including me :-).

Could you start a Wiki page about how to use the SSL stuff?

Regards, ULFL
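Two checks that follow from Ronnie's answers above, written as an added example for this thread (not code from Wireshark or from anyone on the list). The first validates one entry of the RSA keys list in the "address,port,protocol,keyfile" form used in the question: the protocol field has to name the dissector for the decrypted payload, so a port number there (as in "127.0.0.1,37000,37000,...") matches nothing, which is what "association_add ... handle 00000000" in the posted log reflects; "data" is the fallback Ronnie suggests when no dissector exists. The second looks at the first bytes captured on a TCP stream and tells whether they are a ClientHello, i.e. whether the conversation was sniffed from its beginning as decryption requires. The function names and the sample byte strings are assumptions constructed for this example.

```python
"""Added example: sanity checks for Wireshark SSL decryption setup.

check_keys_list_entry() validates one "address,port,protocol,keyfile" entry
of the RSA keys list. starts_with_client_hello() decides whether a captured
TCP stream begins with an SSL/TLS ClientHello. Both names and all sample
data below are constructed for this example, not taken from Wireshark.
"""
import ipaddress
from typing import List


def check_keys_list_entry(entry: str) -> List[str]:
    """Return the problems found in one keys-list entry; an empty list means OK."""
    problems = []
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 4:
        return ["expected 4 comma-separated fields (address,port,protocol,keyfile), "
                f"got {len(parts)}"]
    addr, port, proto, keyfile = parts
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        problems.append(f"address {addr!r} is not an IP address")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not a TCP port in 1..65535")
    if proto.isdigit():
        # A number here is the mistake from the thread: the field must name the
        # dissector for the decrypted payload, and no dissector is called "37000".
        problems.append(f"protocol {proto!r} looks like a port number; it must be a "
                        "dissector name (use 'data' if no dissector exists)")
    elif not proto:
        problems.append("protocol field is empty")
    if not keyfile:
        problems.append("key file path is empty")
    return problems


def starts_with_client_hello(stream: bytes) -> bool:
    """True if the first bytes of a TCP stream are an SSL/TLS ClientHello.

    Standard layout: record content type 0x16 (Handshake), version 0x03 0xNN,
    two length bytes, then handshake type 0x01 (ClientHello). Older clients
    send an SSLv2-compatible hello instead: a 2-byte length with the high bit
    set, then message type 0x01, then the version bytes.
    """
    if len(stream) >= 6 and stream[0] == 0x16 and stream[1] == 0x03 and stream[5] == 0x01:
        return True
    if len(stream) >= 5 and stream[0] & 0x80 and stream[2] == 0x01 and stream[3] == 0x03:
        return True
    return False


# Constructed sample streams (assumed data, not from the thread):
#   a TLS 1.0 ClientHello record header plus the start of its handshake body,
#   an SSLv2-compatible ClientHello, and an application-data record as seen
#   when the capture starts in the middle of an established session.
CLIENT_HELLO_START = bytes.fromhex("160301002a" "01000026" "0301") + bytes(32)
SSLV2_HELLO_START = bytes.fromhex("802e" "01" "0301") + bytes(40)
MID_SESSION_START = bytes.fromhex("1703010020") + bytes(32)


if __name__ == "__main__":
    for entry in ("127.0.0.1,37000,37000,c:\\keys\\initiator.key",
                  "127.0.0.1,37000,data,c:\\keys\\server.key"):
        print(entry, "->", check_keys_list_entry(entry) or "OK")
    for name, stream in (("TLS ClientHello", CLIENT_HELLO_START),
                         ("SSLv2 ClientHello", SSLV2_HELLO_START),
                         ("mid-session", MID_SESSION_START)):
        print(name, "->", starts_with_client_hello(stream))
```

Neither check can tell whether the key file is the right one; per Ronnie's reply it must be the listener's (server's) private key, the one matching the certificate sent in the handshake, and the initiator's key is not needed.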
