$RCSID$

If you're having trouble getting ssldump to do what you want, please read
this file prior to sending mail to me or ssldump-users.

PROBLEM 1: ssldump doesn't show anything

Case 1: Are you listening on the right interface?

The -i flag lets you control the interface you're listening on. If the
client and the server are on the same machine, you may need to listen on
the loopback interface (typically lo0) rather than the default interface.
On the other hand, if they're not on the same machine, lo0 will stop you
from seeing the traffic.

Case 2: Is there anything to show?

Try using tcpdump. Does it show anything? You should see traffic between
the hosts and ports of interest. If you don't, the problem lies somewhere
other than ssldump.

Case 3: Are you picking up a connection in the middle?

ssldump can only process connections that are established while ssldump
is running. You can't turn it on after the connection has been
established.

PROBLEM 2: decryption doesn't work

This is probably the most common problem that people have with ssldump.
First, it's important to realize that ssldump cannot decrypt all
connections because of the way that SSL works. There's nothing we can do
about this but learn to recognize and avoid those cases.

Case 1: No private key

If ssldump is going to decrypt the traffic it needs to have the server's
private key. You provide it with the '-k' option. The key password (if
needed) is provided with the '-p' option.

Case 2: Wrong private key

Check to make sure that your private key is actually the right one: it
must be the private key matching the certificate the server sends in its
Certificate message.

Case 3: Ephemeral keying

If SSL is using one of the ephemeral keying modes then ssldump cannot
decrypt the data. These modes include essentially all of the DH cipher
suites as well as the RSA_EXPORT cipher suites (though not the
RSA_EXPORT1024 cipher suites). A sure sign of this case is the server
sending a ServerKeyExchange message. If you want to decrypt the
connection, you'll have to turn off these cipher suites on the client or
server.

If you're getting EXPORT cipher suites, this probably means you have only
an export client and it's time to upgrade.

Case 4: Session resumption

SSL incorporates a mode where the keying material from one connection can
be reused with another connection. ssldump knows how to handle this
situation but it needs to have seen the original connection. If you just
turn ssldump on in time to catch the second connection it won't be able
to decrypt it.

A resumed handshake is pretty easy to identify. The client offers a
session ID and the server echoes the same ID back in its ServerHello,
like so:

6 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          17 08 3b dd af 90 2e 92 95 20 26 cb 88 4c 8b 85
          5c 71 86 0b 28 70 d6 95 9b c9 09 95 9e 7d 99 eb
        cipher suites
        TLS_RSA_WITH_RC4_128_SHA
        ... cipher suite list trimmed ..
        compression methods
                  NULL
6 2  0.0018 (0.0006)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          17 08 3b dd af 90 2e 92 95 20 26 cb 88 4c 8b 85
          5c 71 86 0b 28 70 d6 95 9b c9 09 95 9e 7d 99 eb
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
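The two undecryptable situations above (Case 3, a ServerKeyExchange on
the wire, and Case 4, a resumed session whose original handshake was not
captured) can be recognised mechanically from the handshake bytes. The
following Python script is an added example and is not part of ssldump
or of this FAQ: it parses TLS handshake records, flags a
ServerKeyExchange, and tracks which session IDs it has seen a full
handshake for. The record builders, the cipher-suite numbers used as
sample input, and the session ID reused from the trace above are
constructed test data; it assumes each record holds whole handshake
messages (no fragmentation across records) and ignores extensions.

```python
"""Flag TLS handshakes that ssldump cannot decrypt with only the server's
RSA key: ephemeral keying (ServerKeyExchange) and resumption of a session
whose original handshake was never captured. Example code, not ssldump's."""
import struct

# Record/handshake constants from RFC 2246 (TLS 1.0); constructed sample data below.
HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033

# Session ID taken from the trace above, reused as constructed test input.
SID = bytes.fromhex(
    "17083bddaf902e92952026cb884c8b855c71860b2870d6959bc909959e7d99eb")


def handshake_record(msg_type, body, version=b"\x03\x01"):
    """Wrap one handshake message in a TLS record (test-data builder)."""
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + len(msg).to_bytes(2, "big") + msg


def client_hello(session_id, suites):
    """Build a minimal ClientHello: version, zero random, session ID, suites, NULL compression."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"  # one compression method: NULL
    return handshake_record(CLIENT_HELLO, body)


def server_hello(session_id, suite):
    """Build a minimal ServerHello: version, zero random, session ID, chosen suite, NULL compression."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += suite.to_bytes(2, "big") + b"\x00"
    return handshake_record(SERVER_HELLO, body)


def iter_handshake_messages(record):
    """Yield (msg_type, body) for each handshake message carried in one record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        return
    payload = record[5:5 + length]
    off = 0
    while off + 4 <= len(payload):
        mtype = payload[off]
        mlen = int.from_bytes(payload[off + 1:off + 4], "big")
        yield mtype, payload[off + 4:off + 4 + mlen]
        off += 4 + mlen


def hello_session_id(body):
    """Session ID of a ClientHello/ServerHello body: after 2-byte version and 32-byte random."""
    sid_len = body[34]
    return body[35:35 + sid_len]


def classify(records, seen_sessions):
    """records: ordered (direction, record_bytes) pairs for one connection.
    seen_sessions: set of session IDs whose full handshake was captured (updated here).
    Returns (decryptable_with_rsa_key, reason)."""
    client_sid = server_sid = b""
    saw_ske = False
    for direction, rec in records:
        for mtype, body in iter_handshake_messages(rec):
            if mtype == CLIENT_HELLO and direction == "C>S":
                client_sid = hello_session_id(body)
            elif mtype == SERVER_HELLO and direction == "S>C":
                server_sid = hello_session_id(body)
            elif mtype == SERVER_KEY_EXCHANGE and direction == "S>C":
                saw_ske = True
    if saw_ske:
        return False, "ServerKeyExchange seen: ephemeral keying (Case 3)"
    # A server that resumes echoes the client's session ID unchanged.
    resumed = bool(client_sid) and client_sid == server_sid
    if resumed and client_sid not in seen_sessions:
        return False, "resumed session, original handshake not captured (Case 4)"
    if server_sid and not resumed:
        seen_sessions.add(server_sid)
    return True, ("resumed session, original handshake captured" if resumed
                  else "full RSA handshake")


def demo():
    """Run the classifier over four constructed connections; returns name -> (ok, reason)."""
    seen = set()
    full = [("C>S", client_hello(b"", [TLS_RSA_WITH_RC4_128_SHA])),
            ("S>C", server_hello(SID, TLS_RSA_WITH_RC4_128_SHA))]
    resumed = [("C>S", client_hello(SID, [TLS_RSA_WITH_RC4_128_SHA])),
               ("S>C", server_hello(SID, TLS_RSA_WITH_RC4_128_SHA))]
    dhe = [("C>S", client_hello(b"", [TLS_DHE_RSA_WITH_AES_128_CBC_SHA])),
           ("S>C", server_hello(bytes(range(32)), TLS_DHE_RSA_WITH_AES_128_CBC_SHA)),
           ("S>C", handshake_record(SERVER_KEY_EXCHANGE, b"\x00\x01\x07"))]  # dummy DH params
    return {
        "full_rsa": classify(full, seen),
        "resumed_after_capture": classify(resumed, seen),
        "resumed_not_captured": classify(resumed, set()),  # fresh tracker: never saw it
        "dhe": classify(dhe, seen),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} decryptable={ok!s:5s} {reason}")
```

The check mirrors what you would read off ssldump's own output: a
ServerKeyExchange line means Case 3 regardless of the key you supplied,
and a ClientHello "resume" ID that the ServerHello echoes means Case 4
unless the earlier full handshake was in the same capture. Two caveats:
TLS session tickets resume without a matching session ID in the hellos,
so a ticket-based resumption looks like a full handshake to this script,
and TLS 1.3 always uses ephemeral key exchange, so none of this applies
there.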