Wireshark-users: Re: [Wireshark-users] SSL issue not decoding data

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 2 May 2008 07:46:19 +0200

On Thu, May 01, 2008 at 05:27:05PM -0700, Guy Harris wrote:
> 
> On May 1, 2008, at 2:54 PM, Sake Blok wrote:
> 
> > This line indicates that the SSL session at hand is actually a reused
> > SSL session with a short handshake. Wireshark needs the full SSL  
> > handshake
> > to be able to calculate all the keys.
> 
> Should this somehow be indicated in the UI - possibly even in the  
> dissection itself, so it's indicated in both Wireshark and TShark - so  
> that it's more obvious why you're not getting any decryption done?

Well, one option would be to have expert-messages, but I'm not really
fond of that idea. There is nothing "wrong" with the traffic so we 
don't want people starting to think their ssl sessions fail, just
because there are expert-messages stating *shark can't decrypt the
traffic.

I would think an SSL-decryption wiki-page gives more room to really
explain what's going on in different situations. We could add a link
to that wiki-page from the ssl preferences. That excludes tshark
users a bit, but wouldn't they have started with SSL decryption
in wireshark before they started using it in tshark?

Any other ideas? If not, I will try to find some time to work on
a detailed ssl decryption page, as there are quite a bit of questions
asked about "Why doesn't wireshark decrypt my ssl traffic".

Cheers,
    Sake


PS  I just thought of something else, we could also link to the
    wiki-page at the top of the ssl-debug file :-)