If you're having trouble getting ssldump to do what you want,
please read this file prior to sending mail to me or
ssldump-users.

PROBLEM 1: ssldump doesn't show anything

Case 1: Are you listening on the right interface?
The -i flag lets you control the interface you're listening on.

If the client and the server are on the same machine, you may need to
listen on localhost (typically lo0) rather than the default
interface. On the other hand, if they're not on the same machine, lo0
will stop you from seeing the traffic.
Case 2: Is there anything to show?
Try using tcpdump. Does it show anything? You should see traffic
between the hosts and ports of interest. If you don't, the problem lies
somewhere other than ssldump.


Case 3: Are you picking up a connection in the middle?
ssldump can only process connections that are established while
ssldump is running. You can't turn it on after the connection
has been established.


PROBLEM 2: decryption doesn't work
This is probably the most common problem that people have with
ssldump. First, it's important to realize that ssldump cannot decrypt
all connections because of the way that SSL works. There's nothing we
can do about this but learn to recognize and avoid those cases.

Case 1: No private key
If ssldump is going to decrypt the traffic it needs to have the
server's private key. You provide it with the '-k' option. The key
password (if needed) is provided with the '-p' option.

Case 2: Wrong private key
Check to make sure that your private key is actually the right one.

Case 3: Ephemeral keying
If SSL is using one of the ephemeral keying modes then ssldump cannot
decrypt the data. These modes include essentially all of the DH cipher
suites as well as the RSA_EXPORT cipher suites (though not the
RSA_EXPORT1024 cipher suites). A sure sign of this case is when
the server is sending the ServerKeyExchange message.

If you want to decrypt the connection, you'll have to turn off these
cipher suites on the client or server. If you're getting EXPORT cipher
suites, this probably means you have only an export client and it's
time to upgrade.


Case 4: Session resumption
SSL incorporates a mode where the keying material from one 
connection can be reused with another connection. ssldump knows
how to handle this situation but it needs to have seen the
original connection. If you just turn ssldump on in time to
catch the second connection it won't be able to decrypt it.

A resumed handshake is pretty easy to identify. The client
offers a session ID, like so:
6 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
        Version 3.1 
        resume [32]=
          17 08 3b dd af 90 2e 92 95 20 26 cb 88 4c 8b 85 
          5c 71 86 0b 28 70 d6 95 9b c9 09 95 9e 7d 99 eb 
        cipher suites
        TLS_RSA_WITH_RC4_128_SHA
	... cipher suite list trimmed ..
        compression methods
                  NULL
6 2  0.0018 (0.0006)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          17 08 3b dd af 90 2e 92 95 20 26 cb 88 4c 8b 85 
          5c 71 86 0b 28 70 d6 95 9b c9 09 95 9e 7d 99 eb 
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
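
As an added example (not part of ssldump or this FAQ), a small Python script that reads ssldump's text output and applies cases 3 and 4 above: a ServerKeyExchange is flagged as ephemeral keying, and a ServerHello whose session_id equals the ID the client offered in "resume" is flagged as a resumed session (a server that returns a different ID is doing a full handshake, which is decryptable given the right key). The sample output is constructed, and the set of handshake message names in MSGS is assumed from ssldump's display format.

```python
import re

# Constructed ssldump-style output (not a real capture) showing the resumed
# handshake above: the client's offered session ID is echoed by the server.
SAMPLE = """\
6 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
        resume [32]=
          17 08 3b dd af 90 2e 92 95 20 26 cb 88 4c 8b 85
          5c 71 86 0b 28 70 d6 95 9b c9 09 95 9e 7d 99 eb
6 2  0.0018 (0.0006)  S>C  Handshake
      ServerHello
        session_id[32]=
          17 08 3b dd af 90 2e 92 95 20 26 cb 88 4c 8b 85
          5c 71 86 0b 28 70 d6 95 9b c9 09 95 9e 7d 99 eb
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
"""
HEADER = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+[CS]>[CS]\s+Handshake")
HEXLINE = re.compile(r"^(?:[0-9a-f]{2}\s*)+$")
MSGS = {"ClientHello", "ServerHello", "Certificate", "ServerKeyExchange",  # assumed
        "ServerHelloDone", "ClientKeyExchange", "Finished"}               # spellings

def parse_handshakes(text):
    # Map connection number -> handshake messages seen plus both session IDs.
    conns, cur, field = {}, None, None
    for raw in text.splitlines():
        m, s = HEADER.match(raw), raw.strip()
        if m:  # new record: switch connection, reset hex-field state
            cur = conns.setdefault(int(m.group(1)),
                                   {"messages": [], "resume": "", "session_id": ""})
            field = None
        elif cur is None:
            continue
        elif s.startswith("resume ["):        # session ID offered in ClientHello
            field = "resume"
        elif s.startswith("session_id["):     # session ID chosen by the server
            field = "session_id"
        elif field and HEXLINE.match(s):      # hex dump lines under that field
            cur[field] += s.replace(" ", "")
        else:
            field = None
            if s in MSGS:
                cur["messages"].append(s)
    return conns

def diagnose(conn):
    if "ServerKeyExchange" in conn["messages"]:
        return "ephemeral"   # case 3: DH/RSA_EXPORT keying, -k cannot decrypt
    if conn["resume"] and conn["resume"] == conn["session_id"]:
        return "resumed"     # case 4: need the original connection in the capture
    return "full"            # full handshake: check -k/-p and that the key matches
```

Run it over `ssldump` output saved to a file (one call to `parse_handshakes` on the file contents, then `diagnose` per connection) to get a per-connection reason before chasing key problems.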
