I have been playing with decoding SSL, in Wireshark/Tshark between version 1.0-1.9 (what ships with CentOS 5 and what I could build on CentOS 6). Apart from plain finger trouble and trying to get the correct SSL key format in ~/.wireshark/ for different versions of Wireshark, and not realizing that the decrypted data appears in an initially hidden pane rather than where it would normally appear in a non-SSL, I notice decryption only works for some ciphers. I was using "openssl s_client -cipher xxx" to force a particular choice, talking to OpenSSL POPS/IMAPS/IMAP(STARTTLS) and Apache. I realize that Diffie-Hellman is unsupported, but I could only decrypt some of the other ciphers. E.g. the export-grade ciphers EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5 fail to decrypt, as do any SSLv2 ciphers. I wondered if I am still missing something obvious, or whether that's just a limit on what's possible. E.g. with version 1.6, # tshark -V -o ssl.keys_list:192.168.5.6,993,imap.private.key host 192.168.5.6 $ echo 0 logout | openssl s_client -cipher EXP-RC4-MD5 -tls1 -connect 192.168.5.6:993 asked 05 Nov '12, 15:04  adaviel |
One Answer:
Did you check the SSL debug log of Wireshark? If you find the following message (or a similar one), the cipher suite you tried to decrypt is not supported.
Regards answered 06 Nov '12, 01:01  Kurt Knochner ♦ |
I see that message (can't find cipher) for the Diffie-Hellman ciphers DHE-RSA-AES256-SHA, EDH-RSA-DES-CBC3-SHA but not for the others. For EXP-RC4-MD5 I see e.g.
I tried it myself. Indeed it does not work.
I also tried to use the pre-master secret file (output of openssl s_client), but that does not work either (error messages).
I'm trying to figure out what's going wrong. That can take some time....