Hello, I'm trying to decrypt some SSL traffic.
The connection initiator talk to port 37000. It talks a proprietary
protocol (one not present in wireshark). I have the keys of the
initiator and the listener. I am capturing on the listener. What should
my RSA keys list be?
Should it be:
127.0.0.1,3700,3700,e:\keys\initiator.key?
or maybe
127.0.0.1,3700,3700,e:\keys\listener.key?
I don't get decrypted data in either case. SSL log says, in second case:
===Begin SSL log===
ssl_init keys string 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init found host entry 127.0.0.1,37000,37000,c:\keys\initiator.key
ssl_init addr 127.0.0.1 port 37000 filename c:\keys\initiator.key
ssl_get_version: 1.5.0
ssl_init private key file c:\keys\initiator.key successfully loaded
association_add port 37000 protocol 37000 handle 00000000
===End SSL log===
Can decryption only occur if the conversation is sniffed from its
beginning?
Do I need both initiator and listener keys?
Why is there both a port and protocol specified? How would you
differentiate two protocols on the same port? What if the protocol is
unknown, (or at least there's no dissector for it?)
Thanks
