Wireshark is a powerful tool for understanding or troubleshooting TLS/SSL connections, as it allows you to capture, filter, and analyze network traffic to diagnose issues in secure communication. Here’s a high-level guide on how to use Wireshark for TLS/SSL troubleshooting:
1. Set up the packet capture on Cisco ISE.
2. Start the BYOD onboarding process, or otherwise initiate the TLS traffic you want to inspect.
3. Open the capture in Wireshark.
Locate the TLS handshake to see how the connection is being established. Look for these key messages:
- Client Hello: The client initiates the connection and sends supported TLS versions, cipher suites, and extensions.
- Server Hello: The server responds with its chosen TLS version, cipher suite, and certificate.
- Certificate: The server sends its certificate chain so the client can verify the server's identity.
- Server Key Exchange (for ephemeral key exchanges): The server provides key material for generating the session key.
Ephemeral key exchanges are cryptographic methods that generate temporary, short-lived keys for each session. In TLS/SSL connections, ephemeral key exchanges are used to establish a secure communication channel while providing Perfect Forward Secrecy (PFS). This means that even if the server's long-term private key is compromised later, previously captured sessions cannot be decrypted, because each session derived its own unique key. For Wireshark this also means the captured traffic cannot be decrypted with the server's private key alone; the per-session secrets (for example a key log file exported by the client) are required.
- Client Key Exchange: The client sends a portion of the key material and completes the key agreement.
- Finished Messages: Both client and server send a “Finished” message to confirm a successful handshake.
Extracting certificates from Wireshark
1. Right-click on the last certificate.
2. Save the certificate.
3. Repeat the steps for each certificate in the chain.
In the example below, three certificates were extracted from Wireshark.
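As an added illustration (not part of the original article), the following Python decodes the same fields Wireshark's dissector shows for a Client Hello: the record and handshake headers, then the offered TLS version, cipher suites, SNI and the supported_versions extension. The sample record is constructed inline and uses a hypothetical host name, ise.example.com.

```python
import struct

HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate", 12: "Server Key Exchange",
                   16: "Client Key Exchange", 20: "Finished"}
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_record(data: bytes) -> dict:
    """Decode the 5-byte TLS record header and the 4-byte handshake header behind it."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 22:
        raise ValueError("not a Handshake record (content type 22)")
    body = data[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    info = {"handshake": HANDSHAKE_TYPES.get(hs_type, f"type {hs_type}")}
    if hs_type == 1:  # only Client Hello is decoded further here
        info.update(parse_client_hello(body[4:4 + hs_len]))
    return info

def parse_client_hello(b: bytes) -> dict:
    """Walk the Client Hello fields in wire order (RFC 5246 / RFC 8446)."""
    legacy_version, pos = struct.unpack("!H", b[:2])[0], 34  # 2-byte version + 32-byte random
    pos += 1 + b[pos]  # session_id (length-prefixed)
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]; pos += 2
    suites = struct.unpack("!%dH" % (cs_len // 2), b[pos:pos + cs_len]); pos += cs_len
    pos += 1 + b[pos]  # compression_methods (length-prefixed)
    out = {"legacy_version": VERSIONS.get(legacy_version, hex(legacy_version)),
           "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
           "sni": None, "supported_versions": []}
    if pos < len(b):  # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", b[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", b[pos:pos + 4]); pos += 4
            ext = b[pos:pos + elen]; pos += elen
            if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) host_name
                out["sni"] = ext[5:5 + struct.unpack("!H", ext[3:5])[0]].decode()
            elif etype == 43:  # supported_versions: len(1) then 2-byte versions
                vers = struct.unpack("!%dH" % (ext[0] // 2), ext[1:1 + ext[0]])
                out["supported_versions"] = [VERSIONS.get(v, hex(v)) for v in vers]
    return out

def build_sample_client_hello() -> bytes:
    """Constructed sample (not a real capture): TLS 1.3-capable Client Hello for ise.example.com."""
    name = b"ise.example.com"
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni + struct.pack("!HHBH", 43, 3, 2, 0x0304)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!HHH", 4, 0x1301, 0xC02F)
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
```

Run `parse_record(build_sample_client_hello())` to see the decoded dictionary; the legacy_version field reads TLS 1.2 even for a TLS 1.3 client, and the real offer is in supported_versions, which is a common source of confusion when reading captures.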