
Hello, I'm debugging my SSL application and it would be great if I could capture the SSL stream using Wireshark and then follow it decrypted. It is not possible to obtain the server's private key in my case.

But as a client application I can read the whole stream fine and can dump all the information needed for decryption, like the Session-ID and Master-Key, e.g.:

> openssl s_client -connect mail.google.com:443 -ssl3

Loading 'screen' into random state - done
CONNECTED(00000180)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1797 bytes and written 296 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26
    Session-ID-ctx:
    Master-Key: 454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4
    Key-Arg   : None
    Start Time: 1306318364
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Is it somehow possible to follow the decrypted stream in Wireshark without the server's private key, but having the client's Master-Key and Session-ID?

asked 25 May '11, 03:22

tosiara


OK, forget my last answer... as of today, it is possible to use the "openssl s_client" output to do decryption. I added this to the keylog option that was already there. You can now use the format:

RSA Session-ID:xxxx Master-Key:xxxx

in the key log file to decrypt the session. In your case that would be:

RSA Session-ID:B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26 Master-Key:454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4

You will need to build your own version from "trunk" or use an automated build, which will be available in a couple of hours. Please use a version with a number higher than or equal to 37401.

I hope this works for you :-)

answered 25 May '11, 14:58

SYN-bit ♦♦

Great, that works!!! Thank you very much!

Only one small note: if the keylog file does not contain a trailing CRLF, I receive this error:

trying to use SSL keylog in c:\rsa.log
checking keylog line: RSA Session-ID:451C00005EC950112D2156C2FDC29BB71A3CA320CEE28FC2DA786AD6F5E5102E Master-Key:DD81A0D7D526740CDEB1AB6DE421102F52C781547A06F6A6480D6055846BB7FFB8CCBCB09FC1A38CC4610135F0F17C4
line contains non-hex chars in master secret

But after adding a CRLF at the end, everything works perfectly!

(26 May '11, 03:22) tosiara

I'm glad it works for you too :-)

Indeed the code requires all lines to be terminated with a newline character.

(26 May '11, 04:59) SYN-bit ♦♦

Although the s_client shows a Session-ID, this will be useless if it is not sent to the server (Session-ID 0 in the capture). You can still try to match a known master key with a request using CLIENT_RANDOM by looking at the traffic. See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9144#c5 for parsing s_client output to generate a CLIENT_RANDOM line.

(14 Sep '13, 10:57) Lekensteyn
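
Added example (not part of the original thread and not Wireshark's own code): a Python script that extracts Session-ID and Master-Key from `openssl s_client` output and writes key log lines in the two formats mentioned above, each terminated by a newline as the comments require. The function names and the output file name `keylog.txt` are hypothetical, and the client random is a constructed placeholder for the 32-byte Random field you would copy from the Client Hello in your capture.

```python
import re

FIELD = re.compile(r"^\s*(Session-ID|Master-Key)\s*:\s*(\S*)\s*$")

def _hex(value, name, lo, hi):
    """Return value upper-cased if it is hex of lo..hi bytes, else raise."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value or ""):
        raise ValueError(f"{name}: empty or not an even-length hex string")
    if not lo <= len(value) // 2 <= hi:
        raise ValueError(f"{name}: expected {lo}..{hi} bytes, got {len(value) // 2}")
    return value.upper()

def parse_s_client(text):
    """Extract (session_id, master_key) from the SSL-Session block."""
    found = {}
    for line in text.splitlines():
        m = FIELD.match(line)  # "Session-ID-ctx:" does not match this pattern
        if m:
            found[m.group(1)] = m.group(2)
    return (_hex(found.get("Session-ID"), "Session-ID", 1, 32),
            _hex(found.get("Master-Key"), "Master-Key", 48, 48))

def session_id_line(session_id, master_key):
    """Key log line in the format given in the answer, newline-terminated."""
    return f"RSA Session-ID:{session_id} Master-Key:{master_key}\n"

def client_random_line(client_random, master_key):
    """NSS-style CLIENT_RANDOM line; the random comes from the Client Hello."""
    rnd = _hex(client_random, "client random", 32, 32)
    return f"CLIENT_RANDOM {rnd} {master_key}\n"

# SSL-Session excerpt taken from the question's s_client output.
SAMPLE = """\
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26
    Session-ID-ctx:
    Master-Key: 454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4
    Key-Arg   : None
"""
# Constructed placeholder, not taken from any real capture.
SAMPLE_CLIENT_RANDOM = "00112233445566778899AABBCCDDEEFF" * 2

if __name__ == "__main__":
    sid, key = parse_s_client(SAMPLE)
    with open("keylog.txt", "w", newline="\n") as f:  # hypothetical file name
        f.write(session_id_line(sid, key))
        f.write(client_random_line(SAMPLE_CLIENT_RANDOM, key))
```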

At the moment "No, not directly". There has been code added that reads in a file with a list of decrypted PreMasterSecrets, indexed by the first 8 bytes (IIRC) of the Encrypted PreMasterSecret. It has been added by a developer who also added a debug option to the SSL library of Firefox/Chrome to export this data (see Bug 4349).

So at the moment, you might be able to fabricate the file yourself based on the tracefile and the "openssl s_client" output. In the future there might be more options added to import/export session keys to make decryption possible without obtaining (or exposing) the private key.

answered 25 May '11, 07:15

SYN-bit ♦♦

I'm glad you knew this, SYN... my knee-jerk reaction to this question was "No - never". It makes sense that this would be possible, but considering the work necessary on the user end I figured it would never be an option.

(25 May '11, 08:16) GeonJay

I'm sorry, the route of creating a keylog file yourself based on the openssl s_client output won't work. I just tried it myself, but the input from the key-log file is a PreMasterSecret, while the output of openssl s_client is the MasterSecret.

I need to dig into SSL some more again to see whether the MasterSecret contains enough information to decrypt the session. If it does, then it is possible to extend the decryption engine to also take the MasterSecret from the s_client output. But someone needs to find the time to code it...

(25 May '11, 09:28) SYN-bit ♦♦