Hello, I'm analysing the communication between a printer with its own certificate and a server with its own certificate (HTTPs). I'm trying to test a client-server application environment and there's custom software installed inside the printer and inside the server. I've configured 3 RSA Keys List entries: one for the server (443 port) and 2 for the printer (443 and 7627 ports). SSL traffic is completely decoded and everything works well. I'm interested in sending this decoded traffic but I can't send the certificates, so I've been trying to use the SSL Session exporting. I've generated a file that containg 2 Pre-Master Keys but when I try to use it in substitution of the certificates, it doesn't work: I must keep the printer RSA Key List entries (but I can avoid to configure the server entrie). What's the problem? What can I send you to troubleshoot this problem? Thanks asked 12 Apr '13, 10:04  Markus22 edited 13 Apr '13, 06:49  grahamb ♦ |
One Answer:
If I understand you correctly, when you configure wireshark with the 3 private keys, all SSL data is decrypted. And then when you export the SSL session keys and remove the 3 private keys, but instead point wireshark to the exported SSL session keys, you do see the server traffic decrypted, but the SSL traffic to the printer stays encrypted. Is this correct? If so, the reason might be that the printer is not using an SSL cache, so it won't be using SSL SessionID's. The export of the SSL session keys is done based on the SSL SessionID's. Can you verify in your tracefile that all SSL sessions to the printer have a SessionID length of 0? If this is the case, you might want to file an enhancement request on https://bugs.wireshark.org to extend the functionality of the "Export SSL session keys" functionality. It would really help development if you can attach the tracefile and the private key. Of course you might want to make new traces based on a test certificate/key pair (selfsigned is fine). If you're not sure if this is the case, please upload the tracefile to www.cloudshark.org and paste the link to the file here as a comment. If you are able to post the private key here too, that would be most useful, but then you probably should use a self-signed test certificate/key pair first to generate the trace file. answered 12 Apr '13, 22:54  SYN-bit ♦♦ |
