This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to decrypt TLS data from a TLS captured file


Hi,

I am trying to open a file which has TLS handshake messages and further data. My intention was to decrypt the TLS data. Our data is directly below TCP, like (TCP--TLS--data).

Steps followed:

  1. Opened the file
  2. Edit > Preferences > Protocols > SSL: 127.0.0.1,4444,ssl,/home/dh/openssl/device.key
  3. Followed the TCP stream - still the data is not decrypted.

I am using version 1.0.15 with GnuTLS 1.4.1, with Gcrypt 1.4.4.

This is the command I used:

```
[[email protected] ~]# tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:127.0.0.1,4444,http,/home/amanimar/openssl/device.key" -o "ssl.debug_file:/root/ssl.log" tcp port 4444 -w /root/packet.pcap
```

Please help.

asked 23 May '16, 06:22

dhanish

edited 23 May '16, 23:32

Below is the ssl.log:

```
cat ssl.log
ssl_init keys string: 127.0.0.1,4444,http,/home/amanimar/openssl/device.key
ssl_init found host entry 127.0.0.1,4444,http,/home/amanimar/openssl/device.key
ssl_init addr '127.0.0.1' port '4444' filename '/home/amanimar/openssl/device.key' password(only for p12 file) '(null)'
Private key imported: KeyID 83:33:D6:6E:68:A3:76:09:1E:C4:D9:DE:41:3A:AA:95:...
ssl_init private key file /home/amanimar/openssl/device.key successfully loaded
association_add TCP port 4444 protocol http handle 0x2b48f5246c40
association_find: TCP port 993 found 0x2b48f5a205b0
ssl_association_remove removing TCP 993 - imap handle 0x2b48f5265350
association_add TCP port 993 protocol imap handle 0x2b48f5265350
association_find: TCP port 995 found 0x2b48f5a20620
ssl_association_remove removing TCP 995 - pop handle 0x2b48f53e3160
association_add TCP port 995 protocol pop handle 0x2b48f53e3160
[[email protected] ~]#
```

(23 May '16, 23:31) dhanish

Your comment has been edited to use the correct format for code or text output to make it easier to read.

(24 May '16, 03:30) grahamb ♦
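
As an added example (not part of the original thread and not Wireshark code), the Python below parses `ssl.debug_file` output in the format quoted in the comment above and checks that each key entry was loaded, that its port received a protocol association, and whether the log holds anything beyond start-up lines. The function names are hypothetical, the sample log is reconstructed from the post, and treating the listed prefixes as start-up-only lines is an assumption.

```python
import re

# Constructed sample: ssl.log lines as quoted in the comment above.
SAMPLE_LOG = """\
ssl_init keys string: 127.0.0.1,4444,http,/home/amanimar/openssl/device.key
ssl_init found host entry 127.0.0.1,4444,http,/home/amanimar/openssl/device.key
ssl_init addr '127.0.0.1' port '4444' filename '/home/amanimar/openssl/device.key' password(only for p12 file) '(null)'
Private key imported: KeyID 83:33:D6:6E:68:A3:76:09:1E:C4:D9:DE:41:3A:AA:95:...
ssl_init private key file /home/amanimar/openssl/device.key successfully loaded
association_add TCP port 4444 protocol http handle 0x2b48f5246c40
association_find: TCP port 993 found 0x2b48f5a205b0
ssl_association_remove removing TCP 993 - imap handle 0x2b48f5265350
association_add TCP port 993 protocol imap handle 0x2b48f5265350
"""

# Prefixes of the start-up lines seen in the posted log (assumption of
# this example: lines with these prefixes are written at start-up only).
SETUP_PREFIXES = ("ssl_init", "Private key imported", "association_add",
                  "association_find", "ssl_association_remove")
ADDR_RE = re.compile(r"ssl_init addr '([^']*)' port '(\d+)' filename '([^']*)'")
LOADED_RE = re.compile(r"ssl_init private key file (\S+) successfully loaded")
ASSOC_RE = re.compile(r"association_add TCP port (\d+) protocol (\S+) handle")

def summarize_ssl_log(text):
    """Collect key entries, loaded key files and port mappings from the log."""
    summary = {"keys": [], "loaded": [], "ports": {}, "other": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if m := ADDR_RE.match(line):
            summary["keys"].append((m[1], int(m[2]), m[3]))
        elif m := LOADED_RE.match(line):
            summary["loaded"].append(m[1])
        elif m := ASSOC_RE.match(line):
            summary["ports"][int(m[1])] = m[2]
        elif not line.startswith(SETUP_PREFIXES):
            summary["other"].append(line)  # anything beyond start-up
    return summary

def findings(summary):
    """Return the checks a reviewer would make on the summarized log."""
    out = []
    for addr, port, path in summary["keys"]:
        if path not in summary["loaded"]:
            out.append(f"key {path} for {addr}:{port} was not loaded")
        if port not in summary["ports"]:
            out.append(f"port {port} has no protocol association")
    if not summary["other"]:
        out.append("log contains start-up entries only")
    return out
```
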