
Can’t decrypt ssl in capture from windump

0

having trouble decrypting ssl; I am trying to analyze a capture file created by windump.

Someone else had a similar question, and the response was to check three things: a) private key b) ssl handshake c) encryption type

I have exported the server cert, converted to pem and separated out the private key. In the file, it says 'rsa', and there is no reference to 'ephemeral'

I think I'm getting the full session... the SSL handshake looks like:

  • ClientHello
  • Server Hello, Certificate, Server Hello Done
  • Client Key Exchange
  • Change Cipher Spec
  • Encrypted Handshake Message
  • Change Cipher Spec, Encrypted Handshake Message
  • Client Key Exchange
  • Change Cipher Spec
  • Encrypted Handshake Message
  • Change Cipher Spec, Encrypted Handshake Message
  • Application Data

the application data packet at the end is still encrypted

The only thing left is to try to figure out if wireshark likes the key i provided it...

some questions:

  • I see some references to an 'ssl debug file'. How do you configure this? In preferences/protocols/ssl you can browse for a file, but I notice that you can only specify files that already exist. I created a file, and specified it, but the file is always zero length.

  • a lot of the packets are showing red ("Bad Checksum"). Is this a problem?

  • the trace destination ip is not the same as what is returned by "nslookup SITENAME". When configuring at preferences/protocols/ssl/RSA keys list, should I use the ip returned by nslookup, or the ip that shows up as the destination in the trace? I've tried both IPs, as well as 0.0.0.0.

any insight would be appreciated...

asked 16 Dec '13, 04:19


dmc_lat47
accept rate: 0%

so.. if anyone could tell me how to get the ssl debug log going, that would at least give me one more thing to look at...

thanks in advance...

(16 Dec '13, 11:01) dmc_lat47

2 Answers:

1

How do you configure this? In preferences/protocols/ssl you can browse for a file, but i notice that you can only specify files that already exist. I created a file, and specified it, but the file is always zero length.

The file selection dialog behaves kind of strangely sometimes. It's probably better to just paste the full path of the file into the field SSL debug file.

if anyone could tell me how to get the ssl debug log going

The only thing you need to do is to specify the debug log. Then close Wireshark, empty or delete the file and restart Wireshark. The file will then be filled with debug messages, if the user that runs Wireshark has enough rights to create the file and to write to it, as Wireshark will run in the user context. If that does not happen on your system, please add the following information:

  • OS and OS version
  • Wireshark version
  • full path to the debug file

a lot of the packets are showing red ("Bad Checksum"). Is this a problem?

No. That's most certainly due to checksum offloading, as you were capturing on the server itself.

should I use the ip returned by nslookup, or the ip that that shows up as the destination in the trace?

Of course the IP in the trace file. That's the only one Wireshark can see.

How is the ssl debug log configured? Will the log be written to when Wireshark is analyzing a trace file, ...

Yes. see above.

Then i converted the pem, and placed the rsa private key portion into a separate file.

The key file should look like this:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC8/gQ2y24WaJuuoF4cAibeqLOU7JnkeX21ozjVe7tpeT1ZqSMc
gRLUGAGquCmIT7XipvWLfll7itGGiCMTXdAqNPgiWvxdNVhMh8W/vlv7xTdnbquY
... some lines ....
BMb1winyNNcTHu1vLScCQQCrYa+AfS879mK+L3kFXrliXnJ5+4uBsY55dUQc8j97
CKuarIR9Pb4OAE1mAg6SIWoXOaIp0XmFtXtohBmav3ex
-----END RSA PRIVATE KEY-----

If you see the following (or similar) lines in the key file

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,530703DFD90796F4

kEa20CNx8Pn5zw2sq/UtI5BFk0IlXImzDzdh9Mlv8LdIHwz67rtwQTDstJf9Wucj

then your exported key is encrypted and you must give Wireshark the passphrase for the key.

Edit -> Preferences -> Protocols -> SSL -> RSA Key List -> Password: within the key entry.

If the key is not encrypted and it still does not work, the following ‘problem’ occurs sometimes:

Your SSL/TLS connection is using a cipher that cannot be decrypted with only the RSA key of the server. That’s all ciphers with DH in the name (Diffie Hellman). The ssl debug log will show the cipher used, as well as Wireshark itself, by looking at the SSL handshake.

Add a custom column in the GUI with the following field, to view the negotiated cipher suite.

ssl.handshake.ciphersuite

If the connection is using a DH cipher, you need the SSL session keys, exported by your client. See here:

https://developer.mozilla.org/en-US/docs/NSS_Key_Log_Format
https://www.google.com/?q=site%3Aask.wireshark.org+SSLKEYLOGFILE+
http://wiki.wireshark.org/SSL

Read the questions and answers about using the RSA key log file generated by a browser (by using the environment variable SSLKEYLOGFILE).

Finally, try to decrypt an SSL session that is known to work.

http://wiki.wireshark.org/SampleCaptures#SSL_with_decryption_keys

Regards
Kurt

answered 18 Dec '13, 03:36


Kurt Knochner ♦
accept rate: 15%
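As an added example (it is not from this thread, nor code from the Wireshark project), here is a small Python checker for the two failure modes Kurt lists above: an exported PEM key that is passphrase-protected (the Proc-Type: 4,ENCRYPTED header, or a PKCS#8 "ENCRYPTED PRIVATE KEY" block) and a negotiated cipher suite whose key exchange is not static RSA, so the server's key alone cannot decrypt. The PEM bodies are constructed placeholders rather than real keys, the function names are my own, and the column parsing assumes the usual "NAME (0xNNNN)" form shown in the ssl.handshake.ciphersuite column.

```python
"""Added example: pre-flight checks for Wireshark RSA-key decryption.
Not part of the original thread; sample PEM blocks below are constructed."""
import re

# One PEM block: label, optional headers + base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", re.S
)


def inspect_pem_key(pem_text):
    """Describe the first PEM block: label, passphrase-protected or not,
    and whether it is certainly an RSA (PKCS#1) key."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return {"found": False, "label": None, "encrypted": False, "rsa": False}
    label, body = m.group(1), m.group(2)
    # Legacy OpenSSL encryption: "Proc-Type: 4,ENCRYPTED" + "DEK-Info:" headers
    # inside the block. PKCS#8 encryption changes the label instead.
    encrypted = ("Proc-Type: 4,ENCRYPTED" in body) or (label == "ENCRYPTED PRIVATE KEY")
    # "RSA PRIVATE KEY" is PKCS#1 RSA. A plain "PRIVATE KEY" block is PKCS#8 and
    # could hold another algorithm, so only PKCS#1 is marked as certainly RSA.
    return {"found": True, "label": label, "encrypted": encrypted,
            "rsa": label == "RSA PRIVATE KEY"}


def cipher_suite_name(column_value):
    """Strip the '(0x002f)' suffix Wireshark appends in the cipher suite column."""
    return column_value.split("(")[0].strip()


def rsa_key_can_decrypt(cipher_suite):
    """Static RSA key exchange (TLS_RSA_WITH_*) encrypts the premaster secret
    to the server's RSA key, so that key alone is enough. Any (EC)DH suite
    derives the premaster from Diffie-Hellman values the RSA key never
    protects, and TLS 1.3 suites always use (EC)DHE, so those need the
    client's SSLKEYLOGFILE instead."""
    name = cipher_suite_name(cipher_suite).upper()
    return name.startswith("TLS_RSA_WITH_") or name.startswith("SSL_RSA_WITH_")


def decryption_checklist(pem_text, cipher_suite):
    """Return human-readable problems; an empty list means the RSA keys list
    entry should work (given the IP/port actually seen in the trace)."""
    problems = []
    key = inspect_pem_key(pem_text)
    if not key["found"]:
        problems.append("no PEM block found in key file")
    else:
        if key["encrypted"]:
            problems.append("key is passphrase-protected: fill in the Password "
                            "field of the RSA key entry")
        if not key["rsa"]:
            problems.append("PEM label is %r, not 'RSA PRIVATE KEY'; confirm it "
                            "is an RSA key" % key["label"])
    if not rsa_key_can_decrypt(cipher_suite):
        problems.append("cipher suite %s does not use static RSA key exchange: "
                        "export SSLKEYLOGFILE from the client instead"
                        % cipher_suite_name(cipher_suite))
    return problems


# Constructed sample key files (placeholder base64, not real key material).
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC8PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEH
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

kEa2PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHO
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    cases = [
        ("plain key, static RSA", PLAIN_KEY, "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)"),
        ("encrypted key, static RSA", ENCRYPTED_KEY, "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)"),
        ("plain key, ECDHE", PLAIN_KEY, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)"),
    ]
    for title, pem, suite in cases:
        print(title, "->", decryption_checklist(pem, suite) or ["ok"])
```

Run it against the PEM file you point Wireshark at and the value from the ssl.handshake.ciphersuite column; the third case is the situation the answer describes where no server key will ever work and the client-side key log is the only route.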

thanks so much for the help!!!

The ssl debug log revealed that i wasn’t using the right key.

Now i’ve another problem, but that’s the subject of another post.

(18 Dec '13, 23:27) dmc_lat47

Good.

Hint: If a supplied answer resolves your question can you please “accept” it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(18 Dec '13, 23:47) Kurt Knochner ♦

0

"I have exported the server cert, converted to pem and separated out the private key."

Hm, if that was possible, all it would take to decrypt a SSL/TLS session would be to trace the negotiation.
The private key is not sent during negotiation, that is kept at the server. So unless you are given the private key by the server's administrator, there is no way to decrypt the traffic.

answered 17 Dec '13, 22:08


mrEEde
accept rate: 20%

thanks for your response.

hmm... well, though it's not something I do well, I am what passes for the server admin on this machine. I used mmc to export the certificate, and made sure to include the private key. Then I converted the pem, and placed the rsa private key portion into a separate file.

How is the ssl debug log configured? Will the log be written to when Wireshark is analyzing a trace file, or does Wireshark need to be run live on the server? (In order to minimize the amount of software installed there, I installed only windump, and copy over the capture files to analyze on a separate machine running Wireshark.)

(18 Dec '13, 00:10) dmc_lat47