Muhammad El-Sergani

Reputation: 41

How can I decode SIP/TLS (non default SIPS port) packets through Wireshark?

I use a SIP server that listens over port 5070 for SIP/TLS requests. I'm trying to trace and analyze why my dialer is not registering over the network through Wireshark.

I've edited all the needed fields in Wireshark's preferences, added the server's private key, edited the SIP TCP and TLS ports (which are 5070 not 5061), and all I'm getting now clearly is the TLS Client Hello and Server responses, but no SIP is showing up, just TCP SYNs and ACKs.

I've searched and tried everything possible, but to no avail - any help would be highly appreciated.

Thanks in advance.

//M

Upvotes: 3

Views: 4075

Answers (1)

Daniel Roethlisberger

Reputation: 7058

Is the TLS session using a cipher suite with perfect forward secrecy? If that is the case, Wireshark cannot decrypt TLS even with the server private key. Check the cipher suite selected by the server in the ServerHello message for the substring EDH or EECDH, in which case perfect forward secrecy is used. You will have to configure the cipher suites in either the client or the server to not use any EDH and EECDH suites. With OpenSSL, use a cipher suite setting of ALL:-EDH:-EECDH or similar.

With perfect forward secrecy, the client and the server will agree on a shared session key using Diffie-Hellman (DH); the server private key is only used for signing. Without perfect forward secrecy, the shared key is encrypted with the server's public key by the client, and thus can be decrypted by the server (and Wireshark) using the server's private key (assuming the server uses an RSA key).

Upvotes: 3
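The check the answer describes, as an added example that is not part of the original question or answer: the script below parses the raw bytes of a TLS record carrying a ServerHello, extracts the cipher suite the server selected, and reports whether the key exchange is ephemeral. The EDH/EECDH substrings in the answer are OpenSSL's cipher names; Wireshark displays the IANA names, in which the same suites read DHE and ECDHE, so the classification here keys on those. The cipher suite table is a constructed subset of the IANA registry, and the ServerHello records are built in the script as test data rather than taken from a capture.

```python
"""Classify the key exchange negotiated in a TLS ServerHello.

Only a static RSA key exchange (TLS_RSA_WITH_*) can be decrypted by Wireshark
from the server's private key; with DHE/ECDHE suites and all TLS 1.3 suites the
private key only signs the handshake and never protects the session key.
"""
import struct

# Constructed subset of the IANA TLS cipher suite registry (real values).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: key exchange always ephemeral
    0x1302: "TLS_AES_256_GCM_SHA384",
}

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_SERVER_HELLO = 0x02


def build_server_hello(cipher_suite, version=0x0303, session_id=b""):
    """Construct a minimal TLS record carrying a ServerHello (test data only)."""
    body = struct.pack("!H", version)
    body += bytes(32)  # server random; all zero because this is constructed data
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", cipher_suite)
    body += b"\x00"  # compression_method: null
    handshake = struct.pack("!B", HANDSHAKE_TYPE_SERVER_HELLO)
    handshake += len(body).to_bytes(3, "big") + body
    record = struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, version, len(handshake))
    return record + handshake


def parse_server_hello(record):
    """Return version and selected cipher suite from a ServerHello record.

    Raises ValueError if the bytes are not a handshake record carrying a
    ServerHello, or if they are truncated.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record (type 0x%02x)" % content_type)
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise ValueError("truncated handshake header")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if hs_type != HANDSHAKE_TYPE_SERVER_HELLO:
        raise ValueError("handshake type 0x%02x is not ServerHello" % hs_type)
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                 # skip legacy_version and server random
    pos += 1 + body[pos]         # skip session_id (length-prefixed)
    if len(body) < pos + 3:      # cipher_suite (2) + compression_method (1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite,
            "name": CIPHER_SUITES.get(suite, "unknown_0x%04x" % suite)}


def uses_forward_secrecy(cipher_suite):
    """True for ephemeral (EC)DHE key exchange, False for RSA key transport,
    None if the suite is not in the table and cannot be classified."""
    if (cipher_suite >> 8) == 0x13:  # every TLS 1.3 suite uses (EC)DHE
        return True
    name = CIPHER_SUITES.get(cipher_suite)
    if name is None:
        return None
    return "_DHE_" in name or "_ECDHE_" in name


def classify(record):
    """Parse a ServerHello and say whether the server's RSA key can decrypt it."""
    info = parse_server_hello(record)
    fs = uses_forward_secrecy(info["cipher_suite"])
    info["forward_secrecy"] = fs
    info["decryptable_with_server_key"] = None if fs is None else not fs
    return info


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301, 0xFFFF):
        info = classify(build_server_hello(suite))
        print("%-40s forward secrecy=%s  decryptable with server key=%s"
              % (info["name"], info["forward_secrecy"],
                 info["decryptable_with_server_key"]))
```

To feed it real data, export the ServerHello from the capture (in Wireshark the display filter `tls.handshake.type == 2` isolates it) and pass the record bytes to `classify`. Even when the result says the server key suffices, Wireshark still needs the complete handshake in the capture, since it recovers the pre-master secret from the ClientKeyExchange message. If the suite is ephemeral and weakening the cipher configuration is not acceptable, Wireshark's (Pre)-Master-Secret log file preference is the alternative: a key log written by the client's TLS stack decrypts forward-secret sessions without touching the server's private key.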
