I have a commercial client > server application that uses SSL to encrypt data between the two end-points and I want to decrypt it. FWIW it's using a non-standard port (it doesn't use port 443, 389, etc).

In the Edit > Preferences > Protocols > SSL > RSA keys list: field, there's a parameter to specify a protocol. In the examples I've seen the protocol listed is a clear text protocol (like HTTP or LDAP) but I don't know what the commercial application uses. Is there a way for me to tell without asking the vendor? Or what should go in the protocol field?

When I decode it I can see the handshake data but the Application Data is still encrypted. I have the private key since it resides on the server so it seems I'm only missing the protocol.

Thanks, Gary

asked 19 Jul '13, 17:16 GaryT
edited 19 Jul '13, 20:25
One Answer:
The handshake is always un-encrypted up to (and including) the "ChangeCipherSpec", then the last handshake message is "Finished". It will show as "Encrypted Handshake Message" when there is no decryption and it will show up as "Finished" if decryption is being done. Do you see a "Finished" handshake message in both directions? If not, decryption is not working and could have several causes, the most common ones are:
If you do see both "Finished" messages, the application data should not be visible. If you are not sure which protocol is used inside SSL then you can use the protocol "data" in the RSA keys list, it will just show the decrypted data without any further dissection. You can then do a "follow SSL stream" to manually determine the protocol...

answered 20 Jul '13, 05:26 SYN-bit ♦♦
Thank-you. That was just what I needed.
For future reference to others, did you see the "Finished" SSL handshake messages? And if not, what part of my answer was helpful in solving your issue?
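The answer's point that handshake records stay readable up to "ChangeCipherSpec" and that the last handshake message then shows as "Encrypted Handshake Message" when nothing is decrypted, as an added example that is not part of the original thread and is not Wireshark's dissector code. It is a simplified labeller run over a constructed byte stream, assuming the TLS 1.2-and-earlier record layout; `label_records`, `_rec`, `_hs` and `SAMPLE` are hypothetical names.

```python
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 23: "Application Data"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

def label_records(stream):
    """Label the TLS records of one direction the way a keyless viewer can."""
    labels, off, after_ccs = [], 0, False
    while off + 5 <= len(stream):
        # Record header: content type (1), version (2), length (2).
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            labels.append("Truncated record")
            break
        off += 5 + length
        if ctype == 22 and after_ccs:
            # After ChangeCipherSpec the handshake body is ciphertext, so
            # its message type (Finished) cannot be read without the keys.
            labels.append("Encrypted Handshake Message")
        elif ctype == 22:
            pos = 0  # a plaintext record may carry several messages
            while pos + 4 <= len(body):
                hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
                labels.append(HANDSHAKE.get(body[pos], "Handshake type %d" % body[pos]))
                pos += 4 + hlen
        else:
            after_ccs = after_ccs or ctype == 20
            labels.append(CONTENT.get(ctype, "Unknown type %d" % ctype))
    return labels

def _rec(ctype, body):   # constructed record, version bytes 0x0301
    return struct.pack("!BHH", ctype, 0x0301, len(body)) + body

def _hs(htype, body):    # constructed plaintext handshake message
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

# Constructed client-side stream; bodies are filler, not real handshake data.
SAMPLE = (_rec(22, _hs(1, b"\x00" * 8)) + _rec(22, _hs(16, b"\x00" * 6))
          + _rec(20, b"\x01") + _rec(22, bytes(range(40)))
          + _rec(23, b"\xaa" * 32))

if __name__ == "__main__":
    for label in label_records(SAMPLE):
        print(label)
```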