This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem viewing unencrypting SSL packet

0

I've followed the guides etc, but no luck.

Here is the log:

ssl_association_remove removing TCP 8443 - http handle 0000000003DC0F70
Private key imported: KeyID ea:a4:54:89:95:d5:9e:3b:41:fa:21:22:0c:e3:12:14:...
ssl_init IPv4 addr '10.10.1.58' (10.10.1.58) port '8443' filename 'C:\applications\keys\foo2.pkf' password(only for p12 file) ''
ssl_init private key file C:\applications\keys\foo2.pkf successfully loaded.
association_add TCP port 8443 protocol http handle 0000000003DC0F70

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0000000005891D30 size 680
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 165
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 160, ssl state 0x00
association_find: TCP port 52160 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 156 bytes, remaining 165
packet_from_server: is from server - FALSE
ssl_find_private_key server 10.10.1.58:8443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #5 (first time)
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 1320
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1315, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 1320
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC011
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 895 bytes, remaining 1320
dissect_ssl3_handshake iteration 0 type 12 offset 985 length 327 bytes, remaining 1320
dissect_ssl3_handshake iteration 0 type 14 offset 1316 length 0 bytes, remaining 1320

dissect_ssl enter frame #6 (first time)
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 122
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 70, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
dissect_ssl3_handshake wrong encrypted length (16644 max 66)
record: offset = 75, reported_length_remaining = 47
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 81, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 25 offset 86 length 12940900 bytes, remaining 122

dissect_ssl enter frame #7 (first time)
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #8 (first time)
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 55 offset 5 length 4474236 bytes, remaining 41

dissect_ssl enter frame #10 (first time)
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 328
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 323, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 52160 found 0000000000000000
association_find: TCP port 8443 found 0000000004C71780

dissect_ssl enter frame #11 (first time)
conversation = 0000000005891880, ssl_session = 0000000005891D30
record: offset = 0, reported_length_remaining = 618
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 613, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 8443 found 0000000004C71780

dissect_ssl enter frame #4 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 165
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 156 bytes, remaining 165

dissect_ssl enter frame #5 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1320
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 1320
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 895 bytes, remaining 1320
dissect_ssl3_handshake iteration 0 type 12 offset 985 length 327 bytes, remaining 1320
dissect_ssl3_handshake iteration 0 type 14 offset 1316 length 0 bytes, remaining 1320

dissect_ssl enter frame #6 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 122
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
record: offset = 75, reported_length_remaining = 47
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 81, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 25 offset 86 length 12940900 bytes, remaining 122

dissect_ssl enter frame #7 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec

dissect_ssl enter frame #8 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 55 offset 5 length 4474236 bytes, remaining 41

dissect_ssl enter frame #10 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 328
dissect_ssl3_record: content_type 23
association_find: TCP port 52160 found 0000000000000000
association_find: TCP port 8443 found 0000000004C71780

dissect_ssl enter frame #11 (already visited)
conversation = 0000000005891880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 618
dissect_ssl3_record: content_type 23
association_find: TCP port 8443 found 0000000004C71780

asked 08 Jun ‘12, 16:15

Darren

edited 08 Jun ‘12, 18:03

SYN-bit ♦♦


One Answer:

1

The chosen cipher 0xC011 (TLS_ECDHE_RSA_WITH_RC4_128_SHA) is using a Diffie-Hellman key exchange. It is not possible to decrypt these sessions as the session keys are transferred with randomly generated keys, rather than the server's private key.

Please limit the accepted cipher list on either the client or the server to non-DH ciphers if you want to do decryption.

answered 08 Jun '12, 18:10

SYN-bit ♦♦

Excellent! I configured Firefox to not use any DH cipher suites, and it all sprang into life :) It is now using: Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

(09 Jun '12, 02:42) Darren