OSQA is unmaintained. Help us figure out where to go from here.

I'm trying to decrypt SSL traffic, which I've done several times before without problems. Now I'm using wireshark 1.8.3. on linux 64 bit and something gone wrong - decryption doesn't work.

I checked just everything (with great help of Sake Blok's Sharkfest'09 presentation) - private key and certificate match, I have entire session in capture file, I do not use Server Key Exchange etc.

After several hours trying I desperately created own certificate and SSL server (openssl server) - which I would expect to work, but nope, no luck.

Strange thing is that decrypting same traffic using same setup works on Window platform. The difference is here (from SSl debug log). Notice different values in "pcry_private_decrypt: stripping XXX bytes, decr_len 128", despite using exactly same data.

Windows (decryption works):

....
dissect_ssl enter frame #8 (first time)
  conversation = 0520184C, ssl_session = 05201CE8
  record: offset = 0, reported_length_remaining = 228
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 132, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128 bytes, remaining 137
pre master encrypted[128]:
6a 5e 45 15 8d 5d 98 90 d9 53 3d 88 f0 96 e3 33
d8 75 0a 12 c4 00 0f 03 60 06 21 56 ac c2 bd 06
8d 4c 30 b3 78 eb 0c 73 44 0e 79 a9 52 ed 28 fb
7f da 25 fa 8c bc 0e 58 66 9d b1 37 82 25 a2 f7
bc 3a b1 ad 08 4a 4b 98 7f bc 11 6c df 88 3d 80
ff 1b 45 97 16 6a a9 28 ff d4 45 a7 40 f9 55 f1
67 12 fb c3 a2 00 14 ae a3 dd b8 e3 9d 2c 72 10
ed 34 9a 2f 30 96 a3 a7 53 27 32 99 be 79 b3 6c
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 79 bytes, decr_len 127
decrypted_unstrip_pre_master[127]:
02 9a 17 68 3c f6 79 18 ba d7 62 7c 8c 51 a4 4a
e7 e6 fb 41 92 6d 0a f1 93 fc 16 f6 41 93 ab c9
18 8f 90 14 c3 80 0e 05 8c 44 db 83 a6 59 5e 7b
66 d1 fc 71 5e 22 2d bf eb 6f 65 6b 67 92 fa 28
02 c4 e7 79 ff 09 58 14 82 bb 66 a5 1a 50 00 03
03 2a 9f 37 ae d0 ac 15 62 bd 8b 34 dd 08 07 ae
6e a1 05 cb b1 fc 91 24 1d eb 7a f5 21 e9 89 53
22 29 d8 27 e0 ff e5 e1 c1 09 75 f4 41 c2 13
pre master secret[48]:
03 03 2a 9f 37 ae d0 ac 15 62 bd 8b 34 dd 08 07
ae 6e a1 05 cb b1 fc 91 24 1d eb 7a f5 21 e9 89
53 22 29 d8 27 e0 ff e5 e1 c1 09 75 f4 41 c2 13
......

Linux (decryption fails):

....
dissect_ssl enter frame #8 (first time)
  conversation = 0x7f8062854880, ssl_session = 0x7f8062854f38
  record: offset = 0, reported_length_remaining = 228
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 132, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128 bytes, remaining 137
pre master encrypted[128]:
6a 5e 45 15 8d 5d 98 90 d9 53 3d 88 f0 96 e3 33
d8 75 0a 12 c4 00 0f 03 60 06 21 56 ac c2 bd 06
8d 4c 30 b3 78 eb 0c 73 44 0e 79 a9 52 ed 28 fb
7f da 25 fa 8c bc 0e 58 66 9d b1 37 82 25 a2 f7
bc 3a b1 ad 08 4a 4b 98 7f bc 11 6c df 88 3d 80
ff 1b 45 97 16 6a a9 28 ff d4 45 a7 40 f9 55 f1
67 12 fb c3 a2 00 14 ae a3 dd b8 e3 9d 2c 72 10
ed 34 9a 2f 30 96 a3 a7 53 27 32 99 be 79 b3 6c
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 0 bytes, decr_len 128
decrypted_unstrip_pre_master[128]:
c1 a3 35 5c de 95 b5 c4 d6 b9 76 0f cb 6d 10 52
55 1b 71 1b 9e d4 1c 9e a4 f5 5b 27 48 9d 7b bf
98 b0 5d ce f0 42 15 4c d1 34 48 4e a1 5e 5c 48
d6 32 34 a8 54 d2 e8 7c f1 04 81 42 15 a4 f1 18
ef ae 38 c5 de 3c d7 89 3f 72 b4 13 11 4f 8b 2c
d7 6e 08 5f 1c e2 0d f1 a8 1e 7f 63 08 ba cd 11
ba e0 d3 4e 7f 9f 1f db 5c b0 f6 ef fd b8 1b c2
55 7d 8c 65 27 24 0b 3b fb 18 3b 0f 2f 12 2c 21
ssl_decrypt_pre_master_secret wrong pre_master_secret length (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 137, reported_length_remaining = 91
......

Any help would ve greatly appreciated.

asked 04 Oct '12, 13:23

Jurij%20Sikorsky's gravatar image

Jurij Sikorsky
1113
accept rate: 0%

edited 04 Oct '12, 13:24


Windows:

conversation = 0520184C, ssl_session = 05201CE8

Linux:

conversation = 0x7f8062854880, ssl_session = 0x7f8062854f38

If this is really the same capture file, why is there a different conversation / ssl session? Could be a bug....

Can you post the capture file (cloudshark.org) together with the private key (here)?

Regards
Kurt

permanent link

answered 08 Oct '12, 11:53

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.7k1037236
accept rate: 15%

Hi Kurt,

thank you for your response. I doublechecked it, and the numbers are same and it's really exactly the same capture file. Please find it here: http://cloudshark.org/captures/4a79aa3714b7

I noticed this dirrefence earlier, but didn't consider it to be a problem, because it's too short to be real ssl session ID, I thought it's some internal representation in the decoder, probably platform dependent.

Private key is too long for the comment, please find it here: http://www.sikorky.cz/ssl/privkey.pem

Please let me know your findings.

Regards,

Jurij

(08 Oct '12, 13:25) Jurij Sikorsky

All files are here: http://www.sikorky.cz/ssl/

  • capture file
  • private key
  • linux log
  • windows log
(08 Oct '12, 14:26) Jurij Sikorsky

it works on my Ubuntu 12.04. (64 Bit - VMware) - Wireshark 1.8.3!

So, what is your system? Did you compile Wireshark 1.8.3 yourself? If you downloaded somewhere, please post the link/source for that download.

(10 Oct '12, 13:29) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×316
×162

question asked: 04 Oct '12, 13:23

question was seen: 4,372 times

last updated: 10 Oct '12, 13:36

p​o​w​e​r​e​d by O​S​Q​A