Resumed SSL session and decryption
Hi, I tried to figure out if there is a way to decrypt resumed SSL session in Wireshark if first session with full SSL handshake (including pre-master key exchange) is not captured. Seems that it's not possible even when pre-master secret was captured via ssldump. But maybe I am doing something wrong? Scenario: tcpdump used to capture first session with full SSL Handshake ssldump used to extract pre-maset secret to the file Wireshark is capturing traffic including first session - everything is encrypted pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark) New capture in Wireshark performed Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted. Is above correct? I assumed that when original pre-master secret is know to Wireshark it can generate master key and use it for resumed sessions even without seeing original full SSL Handshake. Am I missing something here? Is that just limitation of Wireshark or it is not technically possible at all to decrypt resumed session knowing original pre-master key. Sure I am talking about RSA non ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Piotr
Resumed SSL session and decryption
Hi, I tried to figure out if there is a way to decrypt resumed SSL session in Wireshark if first session with full SSL handshake (including pre-master key exchange) is not captured. Seems that it's not possible even when pre-master secret was captured via ssldump. But maybe I am doing something wrong? Scenario: tcpdump used to capture first session with full SSL Handshake ssldump used to extract pre-maset secret to the file Wireshark is capturing traffic including first session - everything is encrypted pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark) New capture in Wireshark performed Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted. Is above correct? I assumed that when original pre-master secret is know to Wireshark it can generate master key and use it for resumed sessions even without seeing original full SSL Handshake. Am I missing something here? Is that just limitation of Wireshark or it is not technically possible at all to decrypt resumed session knowing original pre-master key. Sure I am talking about RSA non ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Piotr