This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decryption: “wrong pre_master_secret length”


I'm trying to decrypt an SSL session, but I'm running into some problems. When I click on "follow SSL Stream" I just get an empty window. After I enabled debug logging, I found the following messages:

pcry_private_decrypt: stripping 181 bytes, decr_len 304
ssl_decrypt_pre_master_secret wrong pre_master_secret length (123, expected 48)
ssl_generate_pre_master_secret: can't decrypt pre master secret
trying to use SSL keylog in 
failed to open SSL keylog
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 315, reported_length_remaining = 75
dissect_ssl3_record: content_type 20 Change Cipher Spec

Can someone tell me if this is the reason for the apparently empty stream? If so, how do I fix it?

I read elsewhere that this might happen if the private key used for Wireshark doesn't match the private key used by the server, but the keys are definitely identical.

This is with Wireshark 1.12.1 on Debian Jessie, linked against GnuTLS 3.3.8. I can decrypt the Snakeoil example from the Wireshark Wiki just fine.

I've uploaded the full debug log to and the traffic dump.

asked 16 May '15, 14:24


Nikratio

edited 17 May '15, 08:53

What is your OS and which version and what is your Wireshark version? Did you try the snakeoil files with it?

(17 May '15, 02:34) Jaap ♦

Please add the whole SSL debug log!

(17 May '15, 06:04) Kurt Knochner ♦

@Jaap, @KurtKnochner I've added the missing information.

(17 May '15, 08:50) Nikratio

@Kurt I've added the full debug log.

(17 May '15, 09:53) Nikratio

"decrypt_ssl3_record: no decoder available" is a much more worrying statement. This means there's relevant info missing for decryption. What if you replace the ebox.rath.org.key port 0 registration with port 143?

(17 May '15, 11:49) Jaap ♦

@Jaap: There is no port 0 registration, only one for "start_tls" and one for "993". If I change the one for 993 to 143, the "no decoder available" message persists (this is an imap stream to port 143 using starttls).

(17 May '15, 15:17) Nikratio

The SSL debug log says there is, the first one?

For these kinds of problems I usually refer back to the SharkFest presentation by Sake Blok, maybe that can be of help?

(17 May '15, 22:51) Jaap ♦

One Answer:


I read elsewhere that this might happen if the private key used for Wireshark doesn't match the private key used by the server, but the keys are definitely identical.

There are two keys available for your server. One for HTTPS (www.domain.org) and one for IMAP STARTTLS (ebox.domain.org). I found the URLs in the debug log and in the capture file, so I accessed both via openssl s_client. Both certs are different and thus the private keys are different as well.

Are you sure you've really used the key for ebox.domain.org and not www.domain.org? The filename in the debug file implies that (filenames are identical to the domain name), but you never know! Please double check that.

BTW: Are you able to decrypt HTTPS traffic with the key for www.domain.org?

Regards
Kurt

answered 17 May '15, 22:34


Kurt Knochner ♦

edited 17 May '15, 22:35
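The debug lines in the question ("stripping 181 bytes, decr_len 304", "wrong pre_master_secret length (123, expected 48)") and the answer's hypothesis that the wrong private key was loaded fit together: Wireshark 1.12 does a raw RSA decryption of the ClientKeyExchange and then strips PKCS#1 v1.5 padding by hand, so a key that does not belong to the server certificate produces random bytes, the padding stripper cuts them at an arbitrary 0x00, and the leftover is some length other than 48. The following Python is an added example written for this page, not code from the Wireshark project or from the poster. It builds toy RSA keys from a seeded PRNG (illustration only, never real key material), encrypts a premaster secret the way a TLS client does, and decrypts it once with the matching key and once with a key from a different certificate, emulating Wireshark's stripping logic and its length check. The key names "ebox" and "www", the client_version value, and the 1024-bit key size are assumptions; the client_version check is an extra sanity check from RFC 5246 section 7.4.7.1, not something the quoted debug log shows Wireshark doing.

```python
"""Added example: what Wireshark has to undo in an RSA key exchange, and why a
mismatched key shows up as 'wrong pre_master_secret length'. Not Wireshark code."""
import random

CLIENT_VERSION = b"\x03\x01"  # assumed client_version carried in the premaster secret
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; plenty for a toy key."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_key(bits, rng):
    """Toy RSA key from a seeded PRNG (constructed, not for real use)."""
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def public_part(key):
    return {"n": key["n"], "e": key["e"]}


def keys_match(private_key, cert_public_key):
    """The check the answer asks for: the private key belongs to the certificate
    only if modulus and exponent agree."""
    return (private_key["n"], private_key["e"]) == (cert_public_key["n"], cert_public_key["e"])


def client_key_exchange(server_pub, rng):
    """Client side: 48-byte premaster secret (client_version + 46 random bytes),
    RSAES-PKCS1-v1_5 encrypted under the server's public key."""
    n, e = server_pub["n"], server_pub["e"]
    k = (n.bit_length() + 7) // 8
    pms = CLIENT_VERSION + bytes(rng.randrange(256) for _ in range(46))
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(pms)))  # non-zero padding
    em = b"\x00\x02" + ps + b"\x00" + pms
    return pms, pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def wireshark_style_decrypt(private_key, ciphertext):
    """Emulates ssl_private_decrypt() in Wireshark 1.12's packet-ssl-utils.c:
    raw RSA, leading zero bytes dropped (as gcrypt exports an MPI), then
    everything up to and including the first 0x00 after byte 0 is stripped.
    Returns (remaining, stripped, decr_len), the numbers in the debug line
    'pcry_private_decrypt: stripping N bytes, decr_len M'."""
    m = pow(int.from_bytes(ciphertext, "big"), private_key["d"], private_key["n"])
    decr = m.to_bytes((m.bit_length() + 7) // 8, "big")
    strip = 0
    for i in range(1, len(decr)):
        if decr[i] == 0:
            strip = i + 1
            break
    return decr[strip:], strip, len(decr)


def check_pre_master_secret(pms):
    """The 48-byte length check that ssl_decrypt_pre_master_secret() logs on
    failure, plus the client_version check (added here) from RFC 5246 7.4.7.1."""
    if len(pms) != 48:
        return False, "wrong pre_master_secret length (%d, expected 48)" % len(pms)
    if pms[:2] != CLIENT_VERSION:
        return False, "client_version mismatch"
    return True, "ok"


def demo(seed=20150516):
    """One ClientKeyExchange decrypted with the matching key (ebox) and with a
    key from a different certificate (www); the latter yields garbage of an
    arbitrary length, the symptom in the question's debug log."""
    rng = random.Random(seed)
    ebox_key = gen_rsa_key(1024, rng)  # hypothetical IMAP server key
    www_key = gen_rsa_key(1024, rng)   # hypothetical HTTPS server key
    pms, cke = client_key_exchange(public_part(ebox_key), rng)
    results = {}
    for name, key in (("ebox", ebox_key), ("www", www_key)):
        recovered, strip, decr_len = wireshark_style_decrypt(key, cke)
        ok, msg = check_pre_master_secret(recovered)
        results[name] = {"key_matches_cert": keys_match(key, public_part(ebox_key)),
                         "stripped": strip, "decr_len": decr_len, "pms_ok": ok,
                         "message": msg, "pms_recovered": recovered == pms}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print("[%s key] matches cert: %s" % (name, r["key_matches_cert"]))
        print("pcry_private_decrypt: stripping %d bytes, decr_len %d" % (r["stripped"], r["decr_len"]))
        print("ssl_decrypt_pre_master_secret %s" % r["message"])
```

Two practical notes. First, keys_match above is what the usual openssl check does on real files: compare the output of `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem`, and fetch the certificate actually served on the STARTTLS port with `openssl s_client -connect host:143 -starttls imap`. Second, none of this applies when the ServerHello picks a DHE or ECDHE suite, since then the premaster secret never travels under the RSA key; for that case only a key log file (the "SSL keylog" the debug output tries to open) lets Wireshark decrypt.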

Yes, the key is definitely correct. I tried switching the keys anyway, and interestingly enough I got the same error. I haven't been able to decrypt HTTPS traffic, because I haven't yet figured out how to tell Apache not to do DH key exchange.

(18 May '15, 18:57) Nikratio

I think I'll repost this question to the wireshark-users mailing list. This web interface seems rather ill-suited for going back & forth more than once :-).

(18 May '15, 19:00) Nikratio