by fl_ciq 1414 days ago
The application keys definitely do. The handshake keys are modified and at some point become useless to tshark. Not sure if it is a defensive coding thing, or what, but yeah, if we don't catch it at the exact right moment, they don't work.

Okay, that makes sense. What do you need the handshake keys for, though? Aren't the application keys enough to decrypt all of the data that you need to?
I think it's related to perfect forward secrecy. We used curl's SSLKEYLOGFILE environment variable to find out what tshark needed and then worked to reproduce what curl was producing.
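
An added example, not part of the thread and not the commenters' code: a small checker for a key log file in the NSS key log format (the format written when `SSLKEYLOGFILE` is set). For each TLS 1.3 session it reports which handshake and application traffic secrets are missing, which is the gap described above when handshake keys are captured too late. The function name, field names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# TLS 1.3 labels defined by the NSS key log format.
HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
APPLICATION = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# "<LABEL> <32-byte client random in hex> <secret in hex>"
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def audit_keylog(text):
    """Return (report, rejected): per-session missing labels and bad line numbers."""
    seen = defaultdict(set)
    rejected = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are allowed
        m = LINE.match(line)
        if not m:
            rejected.append(n)            # truncated or malformed entry
            continue
        label, client_random, _secret = m.groups()
        seen[client_random.lower()].add(label)
    report = {}
    for client_random, labels in seen.items():
        if not labels & (HANDSHAKE | APPLICATION):
            continue                      # e.g. TLS 1.2 CLIENT_RANDOM-only session
        report[client_random] = {
            "missing_handshake": sorted(HANDSHAKE - labels),
            "missing_application": sorted(APPLICATION - labels),
        }
    return report, rejected

# Constructed sample: session A is complete, session B was logged after the
# handshake secrets were gone, and the last line is truncated.
CR_A, CR_B = "aa" * 32, "bb" * 32
SAMPLE = "\n".join([
    "# constructed sample, not real key material",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_A} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_A} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_A} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_A} {'44' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {'55' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {'66' * 32}",
    "SERVER_TRAFFIC_SECRET_0 truncated",
])

if __name__ == "__main__":
    report, rejected = audit_keylog(SAMPLE)
    for client_random, gaps in report.items():
        print(client_random[:16], gaps)
    print("rejected lines:", rejected)
```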