1

Given:

  • We start a Jenkins instance on a Windows host as a Service. It looks like the server is correctly configured (`--httpPort=-1 --httpsPort=8080` etc.) and has its own key store. There is no proxy in front.

  • The server uses a certificate (A) that is derived from a self-signed one (B). The self-signed certificate (B) is also present in the client's Windows trust store (I've imported it).

  • Connecting from the client to the server with Chrome works and Chrome indicates that the connection is OK and secured. It correctly shows me the certificate chain.

The following confuses me: I cannot see any TLS-traffic using Wireshark.

I'm looking at the correct interface, and I've added the ssl filter. I would have expected to see a TLS handshake. Despite the non-standard port, Chrome can know that this shall be a secured session because of the scheme https.

To test that Wireshark is not the problem, I tried googling to e.g. stackoverflow.com, and I'm seeing lots of packets with Protocol TLSv1.2 to the internet proxy.

I'm not aware that Jenkins is using STARTTLS. Chrome is sending the CSP header Upgrade-Insecure-Requests:1 that seems to be superfluous, because this should be a secure connection anyway.

  • Chrome sees the scheme `https` but Wireshark doesn't; Wireshark only sees the port, and port 8080 is not standardly HTTPS or any other SSL. Right-click on a message in the list pane, Decode As, adjust the selection to port 8080 and change the rightmost entry/column to SSL (which also covers TLS). Crossdupe https://stackoverflow.com/questions/41372311/apache-httpclient-with-tls-but-can-not-catch-tls-packet-in-wireshark – dave_thompson_085 Feb 01 '18 at 01:20
  • @dave_thompson_085 Yes, this is correct. I can't upvote comments, I can't upvote answers. I somehow assumed that Wireshark can automatically detect TLS traffic and decode it as far as possible, but it seems they decided to not show anything that it is not configured to do. – OMmckEOfZfsrveesDzMt Feb 01 '18 at 07:18
  • @camp0 the previous comment is meant to address you also. SO does not allow to notify more than one user within one comment. – OMmckEOfZfsrveesDzMt Feb 01 '18 at 07:21

1 Answer

1

Some versions of Wireshark have the SSL decoder just on port 443, so I was wondering whether your Jenkins SSL traffic being on port 8080 may be the reason. If it is not, maybe you can upload the pcap file so people could better determine the problem.

camp0
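The difference between classifying a stream by port (what the comment and answer describe) and by content can be shown with a small sketch. This is an added example, not part of the original thread and not Wireshark's code; the function names and the sample payloads are constructed for illustration.

```python
import struct

# TLS record content types and a few handshake message types (RFC 5246 / RFC 8446)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS 1.2 ciphertext record


def sniff_tls(payload: bytes):
    """Return details if the TCP payload starts with a plausible TLS record, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # Record header: known content type, version 3.x, sane length
    if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if length == 0 or length > MAX_RECORD_LEN:
        return None
    info = {"record": CONTENT_TYPES[ctype],
            "record_version": (major, minor), "length": length}
    if ctype == 22 and len(payload) >= 6:
        info["handshake"] = HANDSHAKE_TYPES.get(payload[5], "other")
    return info


def classify(dst_port: int, payload: bytes, tls_ports=(443,)):
    """Return (verdict by port table, verdict by payload inspection)."""
    by_port = "tls" if dst_port in tls_ports else "unknown"
    by_content = "tls" if sniff_tls(payload) else "unknown"
    return by_port, by_content


# Constructed samples: the first bytes of a ClientHello record and a plain HTTP request
CLIENT_HELLO = bytes.fromhex("1603010005" "0100000100")
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: jenkins.example\r\n\r\n"

if __name__ == "__main__":
    print(classify(8080, CLIENT_HELLO))                         # port table misses it
    print(classify(8080, CLIENT_HELLO, tls_ports=(443, 8080)))  # like adding a Decode As entry
    print(classify(8080, PLAIN_HTTP))
```

Adding 8080 to `tls_ports` plays the role of the Decode As entry: the bytes on the wire are the same, only the mapping from port to dissector changes.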