https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227637#M6441 <P>I am trying to decrypt https traffic (using RSA chipher) :<BR /> 1, add the private key </P> <PRE><CODE>./streamfwd --addsslkey test /tmp/server.key </CODE></PRE> <P>2, add 2 lines into streamfwd.conf</P> <PRE><CODE>sslServer.0.address = 10.1.1.98 sslServer.0.port = 443 </CODE></PRE> <P>but WARN found in streamfwd.log <BR /> <EM>access site with Chrome</EM></P> <PRE><CODE>2016-11-14 18:50:56 WARN [139823066740480] (SnifferReactor/PacketProcessor.cpp:515) stream.SnifferReactor - SSL decryption error (TLS session ticket not cached - did not capture the original SSL session?) (ssl) [c=10.1.20.29:2381, s=10.1.1.98:443] </CODE></PRE> <P><EM>access site with IE</EM></P> <PRE><CODE>2016-11-14 18:50:57 WARN [139823066740480] (SnifferReactor/PacketProcessor.cpp:515) stream.SnifferReactor - SSL decryption error (session keys not found - did not capture beginning of SSL session?) (ssl) [c=10.1.20.29:2385, s=10.1.1.98:443] </CODE></PRE> <P>Anyone can help? <BR /> Thanks</P> Mon, 14 Nov 2016 09:56:07 GMT alviszhang 2016-11-14T09:56:07Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227637#M6441 <P>I am trying to decrypt https traffic (using RSA chipher) :<BR /> 1, add the private key </P> <PRE><CODE>./streamfwd --addsslkey test /tmp/server.key </CODE></PRE> <P>2, add 2 lines into streamfwd.conf</P> <PRE><CODE>sslServer.0.address = 10.1.1.98 sslServer.0.port = 443 </CODE></PRE> <P>but WARN found in streamfwd.log <BR /> <EM>access site with Chrome</EM></P> <PRE><CODE>2016-11-14 18:50:56 WARN [139823066740480] (SnifferReactor/PacketProcessor.cpp:515) stream.SnifferReactor - SSL decryption error (TLS session ticket not cached - did not capture the original SSL session?) (ssl) [c=10.1.20.29:2381, s=10.1.1.98:443] </CODE></PRE> <P><EM>access site with IE</EM></P> <PRE><CODE>2016-11-14 18:50:57 WARN [139823066740480] (SnifferReactor/PacketProcessor.cpp:515) stream.SnifferReactor - SSL decryption error (session keys not found - did not capture beginning of SSL session?) (ssl) [c=10.1.20.29:2385, s=10.1.1.98:443] </CODE></PRE> <P>Anyone can help? <BR /> Thanks</P> Mon, 14 Nov 2016 09:56:07 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227637#M6441 alviszhang 2016-11-14T09:56:07Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227638#M6442 <P>Hi @alviszhang,</P> <P>tl;dr: usually you need to fully restart the browsers (as in terminating the chrome/IE/etc. processes, not just closing the window(s))</P> <P>TLS standard provides ways for faster renegotiation of the subsequent SSL sessions between the same client/server pair using parts of the original session's state. If Stream caches this information, it can decrypt the subsequent renegotiations; however if this information was exchanged before Stream started listening to the traffic, there's nothing much Stream (or any other tool for that matter) can do do decrypt the session. </P> Mon, 14 Nov 2016 23:34:05 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227638#M6442 vshcherbakov_sp 2016-11-14T23:34:05Z https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227639#M6443 <P>Thanks very much!</P> Tue, 15 Nov 2016 06:31:42 GMT https://community.splunk.com/t5/Security/streamfwd-SSL-decryption-session-keys-not-found/m-p/227639#M6443 alviszhang 2016-11-15T06:31:42Z