Reputation: 301
I am trying to debug SSL Encrypted Alerts on my web server. I am not sure what the problem is and things appear to be working, but I am seeing many TLSv1 Encrypted Alerts in Wireshark that I feel should not be there.
The TLSv1 alert protocol (http://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol) provides error codes indicating what is wrong; unfortunately, this code is encrypted.
Wireshark allows the SSL to be decrypted by providing the private key (which I have) in the SSL preferences page. However, this does not work for me due to the session being set up with Ephemeral RSA (Sharkfest'09 http://sharkfest.wireshark.org/sharkfest.12/presentations/MB-1_SSL_Troubleshooting_with%20_Wireshark_Software.pdf page 59).
I want to know how I can read this alert code. Any of the following will get me there:
a) Have Wireshark decrypt SSL using Ephemeral RSA
b) Avoid using Ephemeral RSA so Wireshark can decrypt
c) Force the SSL to use null encryption so I can just read the code to debug it
Upvotes: 7
Views: 39627
Reputation: 102245
b) Avoid using Ephemeral RSA so Wireshark can decrypt
If your web server is Apache, try the following:
httpd.conf
SSLProtocol +all -SSLv2 -SSLv3
# In an OpenSSL cipher string '+' only re-orders suites that are already selected, it never
# adds any, so a list built from '-' and '+' alone is empty. Select HIGH and MEDIUM suites
# explicitly and strip the ephemeral key-exchange suites with '!':
SSLCipherSuite HIGH:MEDIUM:!kEECDH:!kEDH:!LOW:!EXP
c) Force the SSL to use null encryption so I can just read the code to debug it
This might be a little trickier, but try moving eNULL to the front of the list. eNULL will probably be rejected by the client, but it's worth a try. I suspect it will be rejected because the client won't allow the cipher (or aNULL, for that matter).
If the client does have eNULL, it still might not be used. The server usually honors the client's ciphers, so unless the client requests eNULL, you will have to find an override on the server configuration.
Upvotes: 1
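A way to check whether a server is still negotiating ephemeral key exchange after a change like the one above, and to read any alert that is still in the clear, is to inspect the server-to-client TLS records directly. The following is an added example, not code from the question or the answer: it parses a raw TLS 1.0-1.2 record stream, reports the key exchange chosen in the ServerHello (only an RSA key exchange lets Wireshark decrypt the session with the server's private key), decodes an alert sent before the server's ChangeCipherSpec (for example a fatal handshake_failure when no cipher suite is shared), and flags alerts sent after it as opaque. The cipher-suite table is a small subset of the IANA registry chosen for the example, and the sample streams are constructed bytes, not real captures.

```python
import struct

# Key-exchange method per cipher-suite ID (IANA TLS Cipher Suite registry).
# Only a handful of common suites are listed; this table is an assumption of
# the example, extend it for the suites your server actually offers.
CIPHER_KX = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

# AlertDescription values from RFC 5246 section 7.2 (subset).
ALERT_DESC = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 112: "unrecognized_name",
}

CCS, ALERT, HANDSHAKE = 20, 21, 22  # TLS record content types
SERVER_HELLO = 2                     # HandshakeType


def parse_records(data):
    """Split a raw TLS byte stream into (content_type, version, payload) records."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, body))
        off += 5 + length
    return records


def server_hello_cipher_suite(msg):
    """Extract the cipher_suite field from a ServerHello handshake message.

    Layout: type(1) length(3) | version(2) random(32) session_id<0..32> cipher(2) ...
    """
    if msg[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    p = 4 + 2 + 32                      # skip handshake header, version, random
    p += 1 + msg[p]                     # skip length-prefixed session_id
    return struct.unpack("!H", msg[p:p + 2])[0]


def analyse_server_stream(data):
    """Walk the server-to-client records of one TLS 1.0-1.2 connection.

    Returns findings: the negotiated key exchange (and whether the server's RSA
    private key alone can decrypt the session) and every alert, decoded while it
    is still in the clear and flagged as opaque once ChangeCipherSpec was sent.
    Only the first handshake message of a record is inspected.
    """
    findings = []
    encrypted = False   # becomes True after the server's ChangeCipherSpec
    for ctype, _version, body in parse_records(data):
        if ctype == CCS:
            encrypted = True
        elif ctype == HANDSHAKE and not encrypted and body and body[0] == SERVER_HELLO:
            suite_id = server_hello_cipher_suite(body)
            name, kx = CIPHER_KX.get(suite_id, ("unknown 0x%04x" % suite_id, "unknown"))
            findings.append({"type": "server_hello", "suite": name, "kx": kx,
                             "rsa_key_decrypts_session": kx == "RSA"})
        elif ctype == ALERT:
            if encrypted:
                findings.append({"type": "alert", "encrypted": True})
            else:
                level, desc = body[0], body[1]
                findings.append({"type": "alert", "encrypted": False,
                                 "level": "fatal" if level == 2 else "warning",
                                 "description": ALERT_DESC.get(desc, "unknown %d" % desc)})
    return findings


def build_server_hello(suite_id):
    """Constructed test data: a minimal TLS 1.0 ServerHello record (zero random, no session id)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite_id) + b"\x00"
    msg = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(msg)) + msg


# Constructed sample streams for the example (not real captures).
CCS_RECORD = b"\x14\x03\x01\x00\x01\x01"
ENCRYPTED_ALERT = b"\x15\x03\x01\x00\x20" + b"\xaa" * 32      # opaque ciphertext after CCS
STREAM_RSA = build_server_hello(0x002F) + CCS_RECORD + ENCRYPTED_ALERT
STREAM_ECDHE = build_server_hello(0xC013) + CCS_RECORD + ENCRYPTED_ALERT
STREAM_REJECTED = b"\x15\x03\x01\x00\x02\x02\x28"             # fatal handshake_failure, in the clear

if __name__ == "__main__":
    for label, stream in (("kRSA server", STREAM_RSA), ("ECDHE server", STREAM_ECDHE),
                          ("no common cipher", STREAM_REJECTED)):
        print(label, analyse_server_stream(stream))
```

On a real connection, feed `analyse_server_stream` the server-to-client bytes of the TCP stream (Wireshark's Follow TCP Stream view can save one direction as raw bytes). If the ServerHello reports ECDHE or DHE, the server is still doing ephemeral key exchange and the private key will not decrypt the session; if an alert appears only after ChangeCipherSpec, its code is unreadable without session keys, which is exactly the situation in the question.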