Wireshark and decoding SSL

Wireshark seems to have been compiled to not permit decoding of SSL. I also tried downloading Wireshark and running the ./configure instead of the RPM, and even though I have libgnutls installed it still will not recognize the libraries. I am fairly weak in this area. Does anyone know why the openSUSE version will not allow SSL keys to be entered for decoding? If there is a problem does anyone know how to make it work?

Thanks.

On 06/03/2013 08:06 PM, Portree wrote:
> to not permit decoding of SSL

what do you mean? isn’t the stream purposefully encoded to assure
privacy?

hmmmm…perhaps i misunderstand, but isn’t wireshark a networking
forensics and troubleshooting tool and not a tool for cracking codes
of any kind?


dd

On 06/03/2013 12:23 PM, dd wrote:
> On 06/03/2013 08:06 PM, Portree wrote:
>> to not permit decoding of SSL
>
> what do you mean? isn’t the stream purposefully encoded to assure privacy?
>
> hmmmm…perhaps i misunderstand, but isn’t wireshark a networking
> forensics and troubleshooting tool and not a tool for cracking codes of
> any kind.

Yes, you do, but that’s okay. :wink:

Wireshark has the ability to decrypt SSL-based communication which is
useful in cases of troubleshooting when the regular communication medium
is encrypted. Doing so is non-trivial and Wireshark is definitely not
meant for brute-force, but must be fed very specific data (which nobody
should have, other than the admin who is working with the applications
using encryption) and it’s a little daunting. Still, when troubleshooting
something, the ability to leave SSL/TLS enabled is sometimes required for
various reasons.

Going back to the original question, the problem historically has been a
licensing issue between GnuTLS and wireshark. Wireshark folks were using
something like LGPL and GnuTLS was using GPLv3. The two are not
compatible and so, at least on openSUSE and similar, decryption could not
happen because the two products could not be linked. There are
alternatives, like using other SSL libraries, or changing licenses on one
side or another, and I believe semi-recently (months, not years) the
license did change on one side. This all used to work back when GnuTLS
was GPLv2 or something, but they changed with a newer version of their code.

For full details, see Bug# 775737.

Good luck.
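A small check for the build question the thread is about, added here as an example and not written by any poster: it reads the banner that `tshark -v` prints to see whether the build was linked with GnuTLS (a build without it cannot decrypt SSL/TLS no matter which keys are entered), pulls out the GnuTLS version, and shows how an admin hands the 1.x-series dissector the server's own RSA private key through the `ssl.keys_list` preference. The two banners are constructed samples in the shape real `tshark -v` output takes; the IP address, port and key path in the command are placeholders.

```shell
#!/bin/sh
# Added example, not from this thread: does this Wireshark/tshark build have
# GnuTLS, and how is a server key passed to the SSL dissector in the 1.x series.

# Constructed sample banners in the shape `tshark -v` prints. The "Compiled ..."
# line wraps at about 80 columns, so "with" and "GnuTLS" can land on different lines.
BANNER_WITH='TShark 1.10.0 (constructed sample banner)

Compiled (64-bit) with GLib 2.34.1, with libpcap, with libz 1.2.7, with
GnuTLS 2.12.20, with Gcrypt 1.5.0, with MIT Kerberos.'

BANNER_WITHOUT='TShark 1.10.0 (constructed sample banner)

Compiled (64-bit) with GLib 2.34.1, with libpcap, with libz 1.2.7, without
GnuTLS, without Gcrypt, with MIT Kerberos.'

# has_gnutls_support BANNER
# Returns 0 when the banner says "with GnuTLS", 1 when it says "without GnuTLS"
# or never mentions GnuTLS. Whitespace is collapsed first so the banner's line
# wrap cannot split the phrase being matched.
has_gnutls_support() {
    flat=$(printf '%s' "$1" | tr -s '[:space:]' ' ')
    case "$flat" in
        *"without GnuTLS"*) return 1 ;;
        *"with GnuTLS"*)    return 0 ;;
        *)                  return 1 ;;
    esac
}

# gnutls_version BANNER
# Prints the GnuTLS version number named in the banner, or nothing if absent.
gnutls_version() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' \
        | sed -n 's/.*with GnuTLS \([0-9][0-9.]*\).*/\1/p'
}

# decrypt_cmd CAPTURE KEYFILE
# Prints the tshark invocation that gives the SSL dissector the server's RSA
# private key via the 1.x-era ssl.keys_list preference, whose value is
# "ip,port,protocol,keyfile". The IP and port here are constructed placeholders.
decrypt_cmd() {
    printf 'tshark -r %s -o "ssl.keys_list:192.0.2.10,443,http,%s"\n' "$1" "$2"
}

# Stand-alone run over the constructed samples. Against a real install, use:
#   has_gnutls_support "$(tshark -v 2>&1)"
main() {
    if has_gnutls_support "$BANNER_WITH"; then
        echo "sample 1: GnuTLS $(gnutls_version "$BANNER_WITH") present, decryption is possible"
    fi
    if ! has_gnutls_support "$BANNER_WITHOUT"; then
        echo "sample 2: no GnuTLS in this build; entering keys will have no effect"
    fi
    decrypt_cmd capture.pcap /etc/ssl/private/server.key
}
main
```

The key-file route only recovers sessions that used RSA key exchange; with DHE or ECDHE cipher suites the server key reveals nothing, and the session secrets have to come from the endpoint instead (the key log file the `ssl.keylog_file` preference reads in this series). The private key never leaves the administrator's own host either way, which is the "very specific data which nobody else should have" the post above refers to.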

Got it in one. It is extremely useful when you are trying to debug application processes. It is fairly useless unless you have access to private keys.

I went and checked the bug number and you are spot on. Excellent reply, thanks. I am very encouraged that other folks who are part of the process are keenly aware of the problem and are working for a resolution. From those of us that would rather do our Wireshark work on our Linux workstation instead of the Winders VM… Thank You! To those that are working on the issue, if this post reaches you… Thank you for all you do.

On 06/03/2013 08:58 PM, ab wrote:
> Yes, you do, but that’s okay.

thanks for that, and an enlightening answer…


dd