Forum Discussion
Piotr_Lewandows
Altostratus
AltostratusResumed SSL session and decryption
Hi,
I tried to figure out if there is a way to decrypt resumed SSL session in Wireshark if first session with full SSL handshake (including pre-master key exchange) is not captured.
Seems t...
dragonflymr
Cirrostratus
CirrostratusAnswering my own question :-)
Based on test:
Capture with resumed sessions only, pre-master from full handshake attached in Wireshark - no decryption
Capture with resumed sessions only, merged with full handshake session stored before, pre-master from full handshake attached in Wireshark - resumed session decrypted
Indeed even when resumed session handshake is performed, random bytes are exchanged between client and server.
Still, there is no new pre-master exchanged so I am not sure what operations both server and client performs in relation to master secret - is that somehow recalculated but using some simpler method than in full handshake - I am still looking for performance savings in using resumed session vs full handshake.
Conclusion: To be able to decrypt resumed sessions using stored pre-master secret it's necessary to have full handshake session stored and then merge it with capture containing resumed sessions.
Same is true when using private key.
Piotr