I'm using wireshark to inspect and hopefully decrypt a connection; the encrypted protocol details aren't known. I've set up SSL decryption as instructed at http://wiki.wireshark.org/SSL, but I'm not sure how significant the specification of the embedded protocol is. I tried something like:

x.x.x.x,4001,Data,c:cp.pem or x.x.x.x,4001,http,c:cp.pem

but in both cases wireshark doesn't show me any decrypted data.

I logged to the SSL debug file, below...

ssl_association_remove removing TCP 0 - http handle 044D9EA0
ssl_init keys string:
x.x.x.x,25472,http,c:\cp.pem
ssl_init found host entry x.x.x.x,25472,http,c:\cp.pem
ssl_init addr 'x.x.x.x' port '25472' filename 'c:\cp.pem' password(only for p12 file) '(null)'
Private key imported: KeyID ef:bc:76:41:d5:1b:8d:a4:c1:0a:fa:80:a1:05:bc:30:...
ssl_init private key file c:\cp.pem successfully loaded
association_add TCP port 25472 protocol http handle 044D9EA0

dissect_ssl enter frame #1 (first time)
ssl_session_init: initializing ptr 06161A30 size 584
  conversation = 06161868, ssl_session = 06161A30
  record: offset = 0, reported_length_remaining = 1

dissect_ssl enter frame #3 (first time)
  conversation = 06161868, ssl_session = 06161A30
  record: offset = 0, reported_length_remaining = 106
dissect_ssl3_record found version 0x0300 -> state 0x10
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010
  record: offset = 37, reported_length_remaining = 69
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 64, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010

dissect_ssl enter frame #4 (first time)
  conversation = 06161868, ssl_session = 06161A30
  record: offset = 0, reported_length_remaining = 1
  need_desegmentation: offset = 0, reported_length_remaining = 1

dissect_ssl enter frame #6 (first time)
  conversation = 06161868, ssl_session = 06161A30
  record: offset = 0, reported_length_remaining = 106
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010
  record: offset = 37, reported_length_remaining = 69
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 64, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010

dissect_ssl enter frame #14 (first time)
ssl_session_init: initializing ptr 0616259C size 584
  conversation = 06162258, ssl_session = 0616259C
  record: offset = 0, reported_length_remaining = 72
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 67, ssl state 0x00
association_find: TCP port 55148 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 63 bytes, remaining 72 
packet_from_server: is from server - FALSE
ssl_find_private_key server x.x.x.x:25472
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #27 (first time)
  conversation = 06162258, ssl_session = 0616259C
  record: offset = 0, reported_length_remaining = 1460
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0035 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
  record: offset = 79, reported_length_remaining = 1381
  need_desegmentation: offset = 79, reported_length_remaining = 1381

dissect_ssl enter frame #28 (first time)
  conversation = 06162258, ssl_session = 0616259C
  record: offset = 0, reported_length_remaining = 1877
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1854, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1850 bytes, remaining 1859 
  record: offset = 1859, reported_length_remaining = 18
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 13, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1864 length 5 bytes, remaining 1877 
dissect_ssl3_handshake iteration 0 type 14 offset 1873 length 0 bytes, remaining 1877

dissect_ssl enter frame #30 (first time)
  conversation = 06162258, ssl_session = 0616259C
  record: offset = 0, reported_length_remaining = 1460
  need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #31 (first time)
  conversation = 06162258, ssl_session = 0616259C
  record: offset = 0, reported_length_remaining = 2498
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1886, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1882 bytes, remaining 1891 
  record: offset = 1891, reported_length_remaining = 607
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 260, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 1896 length 256 bytes, remaining 2156 
pre master encrypted[256]:
97 09 d7 2f d8 da 1d 3f 60 55 d5 fa 95 e0 1b 94 
dd f6 48 4b 0c 82 aa 2f f2 b0 5e 7d a0 60 b8 2c 
30 54 4d 26 d1 a8 3a fc 00 87 fa bd a3 0e 73 b0 
35 34 65 09 30 8b 60 67 77 5a 24 76 9b 12 d1 91 
75 80 f9 09 af f3 1c 24 64 df d1 43 10 90 63 b6 
44 3c 03 0d a5 81 6d 3f 29 7f 25 0e 19 83 f8 5e 
25 9e 6c c1 f8 18 25 ab f0 7e e8 aa 50 29 22 1a 
94 bf 32 f2 a3 4f a9 44 6e 96 10 13 c7 31 7e 7a 
cc d2 6d e6 f2 24 ee 59 d9 bf 08 86 2f fe 2d 79 
6a 94 0c 51 65 75 f6 ec 1d 18 bd 8f c7 90 ec d9 
08 f5 f6 a7 9e 56 42 8f 28 7e 4c c1 00 d4 0e 34 
6d 60 7c 74 33 09 2f d9 74 d2 e5 32 b0 ae ce 25 
f3 eb 55 78 e9 c5 e9 61 64 89 9b f3 5d 62 aa 1c 
88 6a 6d 30 71 1c 1b 17 00 42 6b 12 9b 0f 56 90 
5f d7 98 5e a6 27 94 2a 25 ab 95 3c d2 ec 5f 07 
1e dd ee 8c e6 ae 8d e2 c7 da 84 06 14 49 1c c2 
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 211 bytes, decr_len 256
decrypted_unstrip_pre_master[256]:
03 1f 7d de 96 11 d5 0e ee 86 c6 87 b8 d8 44 69 
61 06 d3 1f 36 57 87 22 58 60 3f b5 08 e9 37 6e 
08 15 39 e1 9b d8 24 b2 b7 61 c3 15 51 cc 2a 6b 
65 ce 89 d9 59 28 a0 f6 a9 24 70 f9 35 77 c2 07 
a1 66 49 11 0c 1c 0b 1a 4e eb ac 14 91 95 4f 77 
9f 07 45 09 cc 69 55 c3 19 9a d7 92 bc 02 45 bc 
6d 42 59 fd 7a ed c3 07 35 20 05 a3 35 3c d1 35 
03 bd a8 68 89 31 50 24 28 2f db 5f 20 26 6e 0d 
82 6d 93 fe b3 c1 fb b4 4d 9d 3a 8c 9e d1 5b 81 
19 8a 93 16 ab 6e 6f 56 59 cb 99 14 46 6d 1a 18 
0b 72 a7 c7 cd f7 6c 62 42 b5 bb d5 6c 65 0a 19 
0e 44 38 b7 03 90 07 c9 2b 81 a1 03 4f 55 fa ec 
71 ec 70 c6 76 0d 80 36 6d 88 06 88 8c 45 83 6d 
72 77 00 5b fc 83 fd 54 75 32 b8 99 89 6e c5 02 
f4 12 67 2a 4e ba 0d 09 63 f5 f7 5b 54 f1 6d 87 
21 ea 25 a0 8f 24 1b 6a 0a c7 7c 72 74 6f a8 65 
ssl_decrypt_pre_master_secret wrong pre_master_secret length (45, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 2156, reported_length_remaining = 342
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 15 offset 2161 length 258 bytes, remaining 2423 
  record: offset = 2423, reported_length_remaining = 75
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 2429, reported_length_remaining = 69
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 64, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 6 offset 2434 length 4099005 bytes, remaining 2498

(rest of ssl debug output deleted by SYNbit to enhance readability)

asked 17 Dec '10, 11:59

dwhsix's gravatar image

dwhsix
1113
accept rate: 0%

edited 18 Dec '10, 00:50

SYN-bit's gravatar image

SYN-bit ♦♦
15.0k848217


If the protocol that is encrypted by SSL is unknown, it's best to use the "data" dissector. The ssl keys list will become something like:

1.1.1.1,1234,data,/tmp/server.key

Regarding your session not being decrypted, it looks like the private key does not match the certificate. This is a usual cause for the following extract from your ssl-debug log:

ssl_decrypt_pre_master_secret wrong pre_master_secret length (45, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret

Please have a look at the presentation (powerpoint or video) I gave at Sharkfest'09 about troubleshooting SSL for further information.

link

answered 17 Dec '10, 13:47

SYN-bit's gravatar image

SYN-bit ♦♦
15.0k848217
accept rate: 19%

Yeah, I suspect that's probably the case and I wondered if that's what that debug entry meant.

A little puzzled, because I'm pretty sure it's the correct private key. But obviously not... I'll dig a little more.

Thanks!

(17 Dec '10, 13:54) dwhsix

In my presentation I show how you can check if the two match... :-)

(17 Dec '10, 17:00) SYN-bit ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×163

Asked: 17 Dec '10, 11:59

Seen: 9,068 times

Last updated: 18 Dec '10, 00:50

powered by OSQA