This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot decrypt SSL stream

0

Using Wireshark 1.6.1 on Win 7 x64.

I am trying to get the decrypted stream from a client/server interaction (the "server" is actually IIS/SQL Server 2005), but I am not having success with the decryption. Following is the SSL Debug File - thanks for any assistance.


Private key imported: KeyID 1c:52:0e:11:b5:11:20:19:0d:1d:66:d6:85:7a:e4:12:...
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '444' filename 'c:\ws088.pem' password(only for p12 file) ''
ssl_init private key file c:\ws088.pem successfully loaded.
association_add TCP port 444 protocol tcp handle 00000000050F98C0

dissect_ssl enter frame #7 (first time)
ssl_session_init: initializing ptr 00000000066F2460 size 680
conversation = 00000000066F2200, ssl_session = 00000000066F2460
record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 64, ssl state 0x10
association_find: TCP port 443 found 0000000005836E30
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #10 (first time)
conversation = 00000000066F2200, ssl_session = 00000000066F2460
record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 64, ssl state 0x10
association_find: TCP port 61659 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 61659 found 0000000000000000
association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #11 (first time)
conversation = 00000000066F2200, ssl_session = 00000000066F2460
record: offset = 0, reported_length_remaining = 37
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x10
association_find: TCP port 61659 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 61659 found 0000000000000000
association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #10 (already visited)
conversation = 00000000066F2200, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 23
association_find: TCP port 61659 found 0000000000000000
association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #11 (already visited)
conversation = 00000000066F2200, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 37
dissect_ssl3_record: content_type 23
association_find: TCP port 61659 found 0000000000000000
association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #17 (first time)
ssl_session_init: initializing ptr 00000000066F3440 size 680
conversation = 00000000066F31E0, ssl_session = 00000000066F3440
record: offset = 0, reported_length_remaining = 613
dissect_ssl3_record found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 608, ssl state 0x10
association_find: TCP port 50284 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 50284 found 0000000000000000
association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #47 (first time)
conversation = 00000000066F31E0, ssl_session = 00000000066F3440
record: offset = 0, reported_length_remaining = 2789
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 2784, ssl state 0x10
association_find: TCP port 444 found 0000000005B709C0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #47 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2789 dissect_ssl3_record: content_type 23 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #17 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 association_find: TCP port 50284 found 0000000000000000 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #7 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #7 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #10 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 61659 found 0000000000000000 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #11 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 37 dissect_ssl3_record: content_type 23 association_find: TCP port 61659 found 0000000000000000 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #17 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 association_find: TCP port 50284 found 0000000000000000 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #47 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2789 dissect_ssl3_record: content_type 23 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #7 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #47 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2789 dissect_ssl3_record: content_type 23 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #7 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #10 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 61659 found 0000000000000000 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #11 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 37 dissect_ssl3_record: content_type 23 association_find: TCP port 61659 found 0000000000000000 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #17 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 association_find: TCP port 50284 found 0000000000000000 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #47 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2789 dissect_ssl3_record: content_type 23 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #47 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2789 dissect_ssl3_record: content_type 23 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #17 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 association_find: TCP port 50284 found 0000000000000000 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #7 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #10 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 23 association_find: TCP port 61659 found 0000000000000000 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #11 (already visited) conversation = 00000000066F2200, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 37 dissect_ssl3_record: content_type 23 association_find: TCP port 61659 found 0000000000000000 association_find: TCP port 443 found 0000000005836E30

dissect_ssl enter frame #17 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 association_find: TCP port 50284 found 0000000000000000 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #47 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2789 dissect_ssl3_record: content_type 23 association_find: TCP port 444 found 0000000005B709C0

dissect_ssl enter frame #17 (already visited) conversation = 00000000066F31E0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 association_find: TCP port 50284 found 0000000000000000 association_find: TCP port 444 found 0000000005B709C0


asked 19 Aug ‘11, 13:49

cgtyoder

Forgot to say - I am running Wireshark on the “server;” the SSL port is 444. The SSL cert is actually not valid (it is expired) - would that make a difference? Also, does the SSL Decrypt Profile IP address need to match the cert or anything like that?

(19 Aug ‘11, 14:10) cgtyoder


One Answer:

2

The SSL debug log shows that you started to capture while the SSL handshake had already taken place. To be able to decrypt SSL traffic, you need to capture the full SSL handshake. The best way to accomplish this is to start capturing before you start your browser (close the browser completely before starting the capture).

Have a look at slides of the presentation I gave at Sharkfest'09 about troubleshooting SSL with Wireshark (or watch the video at LoveMyTool)

answered 19 Aug '11, 14:26

SYN-bit ♦♦

I actually am not calling this from a browser, but from soapUI, a SOAP debugging tool. I will try to restart that (on Monday at the office) and see if that makes a difference.

(19 Aug '11, 17:35) cgtyoder
1

That did it - I just had to trace from the start of the soapUI connection. Thanks much for the assistance.

(22 Aug '11, 06:50) cgtyoder
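
The diagnosis in the answer can be automated. The following is an added example, not part of the original thread or of Wireshark: a small Python check that reads an SSL debug file like the one in the question and reports, per conversation, whether the first record Wireshark saw was a handshake record. The verdict strings and the frame #60 sample entry are constructed for illustration.

```python
import re

HANDSHAKE = 22  # TLS record content type (23 is application data)
TOKEN = re.compile(
    r"dissect_ssl enter frame #(?P<frame>\d+) \((?P<visit>first time|already visited)\)"
    r"|conversation = (?P<conv>[0-9A-Fa-f]+)"
    r"|dissect_ssl3_record: content_type (?P<ctype>\d+)"
    r"|(?P<nodec>decrypt_ssl3_record: no decoder available)"
)
# Frame #17 lines are taken from the log in the question; frame #60 is constructed.
SAMPLE = """\
dissect_ssl enter frame #17 (first time)
conversation = 00000000066F31E0, ssl_session = 00000000066F3440
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #17 (already visited)
conversation = 00000000066F31E0, ssl_session = 0000000000000000
dissect_ssl3_record: content_type 23
dissect_ssl enter frame #60 (first time)
conversation = 00000000AAAA0001, ssl_session = 00000000AAAA0002
dissect_ssl3_record: content_type 22
"""

def diagnose(log_text):
    """Map conversation -> (verdict, first frame, frames that hit 'no decoder')."""
    convs, frame, conv, first_pass = {}, None, None, False
    for m in TOKEN.finditer(log_text):
        if m.group("frame"):
            frame, conv = int(m.group("frame")), None
            first_pass = m.group("visit") == "first time"
        elif not first_pass:
            continue  # re-dissection passes only repeat earlier frames
        elif m.group("conv"):
            conv = convs.setdefault(m.group("conv"),
                                    {"first": frame, "types": [], "nodec": []})
        elif conv is not None and m.group("ctype"):
            conv["types"].append(int(m.group("ctype")))
        elif conv is not None and m.group("nodec"):
            conv["nodec"].append(frame)
    report = {}
    for key, c in convs.items():
        if not c["nodec"]:
            verdict = "no-decrypt-failure"
        elif c["types"][:1] != [HANDSHAKE]:  # a full session opens with a handshake record
            verdict = "handshake-not-captured"
        else:
            verdict = "handshake-seen-check-key-or-cipher"
        report[key] = (verdict, c["first"], c["nodec"])
    return report
```

The log is tokenised with a regular expression rather than split by line, so the check also works on a debug file whose line breaks were lost when it was pasted.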