Forum Discussion

dragonflymr
May 19, 2017

Resumed SSL session and decryption

Hi,

I tried to figure out if there is a way to decrypt a resumed SSL session in Wireshark if the first session with the full SSL handshake (including the pre-master key exchange) is not captured.

It seems that it's not possible even when the pre-master secret was captured via ssldump. But maybe I am doing something wrong?

Scenario:


  • tcpdump used to capture first session with full SSL Handshake
  • ssldump used to extract the pre-master secret to a file
  • Wireshark is capturing traffic including first session - everything is encrypted
  • pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark)
  • New capture in Wireshark performed
  • Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted.

Is the above correct? I assumed that when the original pre-master secret is known to Wireshark, it can generate the master key and use it for resumed sessions even without seeing the original full SSL Handshake.

Am I missing something here? Is that just a limitation of Wireshark, or is it not technically possible at all to decrypt a resumed session knowing the original pre-master key?

Sure, I am talking about RSA non-ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f).


Piotr
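The question above turns on how TLS (1.2, RFC 5246) derives its keys, so here is an added worked example of that derivation; it is not code from the post or from Wireshark or ssldump. For an RSA key exchange the master secret is PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random), so the 48-byte pre-master secret alone is not enough: the two 32-byte randoms from the original full handshake are needed as well. A resumed session (same SessionID) reuses that master secret and mixes in the new hellos' randoms to build the key block, which is why decryptors such as Wireshark can follow a resumption only if they already hold the master secret for that session. The PRF below is the TLS 1.2 P_SHA256 construction (TLS 1.0/1.1 use a different MD5/SHA-1 PRF); the key-block layout is the one for TLS_RSA_WITH_AES_128_CBC_SHA under TLS 1.1 and later (HMAC-SHA1 keys of 20 bytes, AES-128 keys of 16 bytes); the `CLIENT_RANDOM` line is the NSS key-log format that Wireshark reads. All pre-master and random values here are constructed sample bytes, not captured data.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 (RFC 5246 section 5): HMAC chain expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int = 72) -> bytes:
    """key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random).
    Note the reversed random order compared to the master-secret derivation."""
    return prf(master, b"key expansion", server_random + client_random, length)


def split_keys(kb: bytes) -> dict:
    """Key-block layout for TLS_RSA_WITH_AES_128_CBC_SHA (TLS 1.1+; no implicit IVs)."""
    return {
        "client_write_MAC_key": kb[0:20],
        "server_write_MAC_key": kb[20:40],
        "client_write_key": kb[40:56],
        "server_write_key": kb[56:72],
    }


def keylog_line(client_random: bytes, master: bytes) -> str:
    """NSS key-log line that ties a session's ClientHello.random to its master secret."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


# Constructed sample values (not from any capture): a 48-byte pre-master secret
# (2-byte version prefix + 46 bytes) and 32-byte hello randoms for two handshakes.
PRE_MASTER = bytes([0x03, 0x03]) + bytes(range(46))
FULL_CLIENT_RANDOM = bytes([0x11] * 32)
FULL_SERVER_RANDOM = bytes([0x22] * 32)
RESUMED_CLIENT_RANDOM = bytes([0x33] * 32)
RESUMED_SERVER_RANDOM = bytes([0x44] * 32)


def derive_sessions():
    """Derive keys for the full handshake and for a resumption of the same session."""
    master = master_secret(PRE_MASTER, FULL_CLIENT_RANDOM, FULL_SERVER_RANDOM)
    full_keys = split_keys(key_block(master, FULL_CLIENT_RANDOM, FULL_SERVER_RANDOM))
    # Resumption keeps the master secret but uses the new hellos' randoms: fresh record keys.
    resumed_keys = split_keys(key_block(master, RESUMED_CLIENT_RANDOM, RESUMED_SERVER_RANDOM))
    # Feeding the pre-master secret together with the *resumed* hellos' randoms (the only
    # randoms visible in a capture that missed the first handshake) yields an unrelated value.
    wrong_master = master_secret(PRE_MASTER, RESUMED_CLIENT_RANDOM, RESUMED_SERVER_RANDOM)
    return master, full_keys, resumed_keys, wrong_master


if __name__ == "__main__":
    master, full_keys, resumed_keys, wrong_master = derive_sessions()
    print("master secret:          ", master.hex())
    print("full-handshake AES key: ", full_keys["client_write_key"].hex())
    print("resumed-session AES key:", resumed_keys["client_write_key"].hex())
    print("pre-master + resumed randoms gives a different 'master':", wrong_master != master)
    print("key-log lines usable for both sessions:")
    print(" ", keylog_line(FULL_CLIENT_RANDOM, master))
    print(" ", keylog_line(RESUMED_CLIENT_RANDOM, master))
```

Running the script shows that the full and resumed sessions share one master secret but have different record keys, and that the pre-master secret combined with the resumed session's randoms does not reproduce the master secret. The two `CLIENT_RANDOM` lines illustrate what a key log must contain for each ClientHello.random that a decryptor is expected to match.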
