Decrypt ssl socket JSON-RPC: decrypt_ssl3_record: no decoder available

asked 2018-07-31 12:17:24 +0000

updated 2018-07-31 12:22:45 +0000

grahamb gravatar image

A client first requests the server's public key and then connects using a TLC socket with JSON-RPC.

I wish to view the JSON-RPC data at the server in ASCII format. Ideally I would capture and decrypt the data on the headless server using tshark and move the pcap file to another machine which has Wireshark.

First of all, is this possible? If so, how can I do it? If not, any alternate approaches such as copying the server's private key to the other machine (not ideal), viewing the results on the headless machine, etc?

I have tried (among other things) the following:

tshark -w /home/michael/ssltest.pcap -P -f "port 1337" -d tcp.port==1337,ssl -o "ssl.keys_list:127.0.0.1,1337,data,/etc/pki/tls/private/privatekey.pem" -o "ssl.debug_file:/home/michael/ssldebug.log" -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -i eno16780032

In my log, I see the following: Error: decrypt_ssl3_record: no decoder available. https://osqa-ask.wireshark.org/questi... states that it results from using the DiffieHellman cipher, but this does not appear to be the case for me.

Also, I have broken down the above command and would appreciate some answers to a few questions:

tshark

    # Can tshark write decrypted data to a pcap file?  https://osqa-ask.wireshark.org/questions/3310/ssl-decrypt-to-file suggests it cannot.
    -w /home/michael/ssltest.pcap -P

    #Locate before -i to capture filter instead of read filter?
    -f "port 1337"

    #Is this necessary? Does it treat all traffic on port 1337 as ssl?
    -d tcp.port==1337,ssl

    #can privatekey.pem be either just private key or concatenated certificate/private key?  https://wiki.wireshark.org/SSL suggests private only, but log for either appears to be the same.  https://securityweekly.com/2010/10/15/tsharkwireshark-ssl-decryption/ states that it should be in PKCS#1 format — BEGIN RSA PRIVATE KEY—' but mine is '-----BEGIN PRIVATE KEY-----' which might be in PKCS#8 format however, I don't get an 'unable to load PEM' error.
    -o "ssl.keys_list:127.0.0.1,1337,data,/etc/pki/tls/private/privatekey.pem"

    # What do these two lines do?
    -o "ssl.desegment_ssl_records: TRUE"
    -o "ssl.desegment_ssl_application_data: TRUE"

    -o "ssl.debug_file:/home/michael/ssldebug.log"

    -i eno16780032

Thank you!

[[email protected] ~]$ cat ssldebug.log | more
Wireshark SSL debug log

Private key imported: KeyID a7:36:b7:b7:e1:bf:48:13:de:87:5d:7d:59:35:7e:36:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '1337' filename '/etc/pki/tls/private/privatekey.pem' password(only for p12 file) ''
ssl_init private key file /etc/pki/tls/private/privatekey.pem successfully loaded.
association_add TCP port 1337 protocol data handle 0x55a20922ab20

dissect_ssl enter frame #1 (first time)
ssl_session_init: initializing ptr 0x7f9322ff9010 size 696
  conversation = 0x7f9322ff8ce8, ssl_session = 0x7f9322ff9010
  record: offset = 0, reported_length_remaining = 94
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 89 ...
(more)
edit retag flag offensive close merge delete