I see no problem with the decryption:

$ tshark -o tls.keylog_file:ssl-keys.log -r wireshark.pcapng -Y "tls.record.content_type in {20..22}" -T fields -e tcp.stream -e frame.number -e _ws.col.Info | sort -n
11  63  Client Hello
11  65  Server Hello, Change Cipher Spec, Encrypted Extensions, Finished
11  66  Change Cipher Spec, Finished
11  70  SETTINGS[0], WINDOW_UPDATE[0]
18  111 Client Hello
18  172 Server Hello, Certificate, Server Hello Done
18  182 Alert (Level: Fatal, Description: Certificate Unknown)
19  112 Client Hello
19  151 Server Hello, Certificate, Server Hello Done
19  162 Alert (Level: Fatal, Description: Certificate Unknown)
20  116 Client Hello
20  194 Server Hello, Certificate, Server Hello Done
20  209 Alert (Level: Fatal, Description: Certificate Unknown)
21  210 Client Hello
21  273 Server Hello, Certificate, Server Hello Done
21  276 Client Key Exchange, Change Cipher Spec, Finished
21  298 Change Cipher Spec
21  374 Finished
22  219 Client Hello
22  259 Server Hello, Certificate, Server Hello Done
22  260 Client Key Exchange, Change Cipher Spec, Finished
22  313 Change Cipher Spec
22  373 Finished
23  224 Client Hello
23  292 Server Hello, Certificate, Server Hello Done
23  294 Client Key Exchange, Change Cipher Spec, Finished
23  349 Change Cipher Spec
23  380 Finished
24  1923    Client Hello
24  1925    Server Hello
24  1926    Alert (Level: Fatal, Description: Certificate Unknown)
24  1930    Change Cipher Spec, Finished
25  1942    Client Hello
25  1947    Server Hello
25  2059    Change Cipher Spec, Finished
25  2060    Change Cipher Spec, Finished
25  4955    Alert (Level: Warning, Description: Close Notify)
34  2378    Client Hello
34  2381    Server Hello
34  2382    Alert (Level: Fatal, Description: Certificate Unknown)
34  2384    Change Cipher Spec, Finished
35  2389    Client Hello
35  2392    Server Hello
35  2398    Change Cipher Spec, Finished
35  2399    Change Cipher Spec, Finished
35  4936    Alert (Level: Warning, Description: Close Notify)
36  3053    Encrypted Alert
$

All TLS sessions that have a TLS handshake are decrypted, as can be seen by the "finished" handshake message at the end of each TLS handshake.

However, traffic on port 8443 is not automatically dissected as HTTP once it is decrypted. You need to add 8443 to the "SSL/TLS Ports" list in the HTTP protocol preferences.
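
An added example, not part of the original answer: a Python script that applies the check described above to the three-column tshark output, reporting a stream as decrypted when a readable "Finished" appears in it. The status labels and the rows for stream 99 are constructed for illustration; Wireshark shows "Encrypted Handshake Message" in place of "Finished" when it cannot decrypt the record.

```python
import re
from collections import defaultdict

# Rows for streams 11, 18, 21 and 36 are copied from the tshark output above.
# Stream 99 is constructed: it shows a handshake that could not be decrypted.
SAMPLE = """\
11 63 Client Hello
11 65 Server Hello, Change Cipher Spec, Encrypted Extensions, Finished
11 66 Change Cipher Spec, Finished
18 111 Client Hello
18 172 Server Hello, Certificate, Server Hello Done
18 182 Alert (Level: Fatal, Description: Certificate Unknown)
21 210 Client Hello
21 273 Server Hello, Certificate, Server Hello Done
21 276 Client Key Exchange, Change Cipher Spec, Finished
21 298 Change Cipher Spec
21 374 Finished
36 3053 Encrypted Alert
99 5000 Client Hello
99 5001 Server Hello, Certificate, Server Hello Done
99 5002 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
"""

# Split Info on commas, but not the comma inside "Alert (Level: ..., Description: ...)".
MSG_SPLIT = re.compile(r",\s*(?![^()]*\))")

def parse(text):
    """Map tcp.stream -> list of TLS messages in frame order."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # stream, frame number, Info column
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2].strip()))
    streams = defaultdict(list)
    for stream, _frame, info in sorted(rows):
        streams[stream].extend(MSG_SPLIT.split(info))
    return dict(streams)

def classify(messages):
    """Label one stream by what its handshake messages reveal."""
    if "Encrypted Handshake Message" in messages:
        return "not decrypted"          # Finished is still ciphertext
    if "Finished" in messages:
        return "decrypted"              # Finished is readable, so the keys worked
    if "Client Hello" not in messages:
        return "no handshake in capture"
    if any(m.startswith("Alert (Level: Fatal") for m in messages):
        return "handshake aborted"      # failed before any Finished was sent
    return "incomplete"

def summarize(text):
    return {stream: classify(msgs) for stream, msgs in parse(text).items()}

if __name__ == "__main__":
    for stream, status in summarize(SAMPLE).items():
        print(stream, status)
```
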