OSQA is unmaintained. Help us figure out where to go from here.

I am trying to decrypt ssl communication for troublshooting but am unable to decode the traffic.

Any help would be greatly appreciated

Following is the Debug logs:

Wireshark SSL debug log

Wireshark version: 2.0.5 (v2.0.5-0-ga3be9c6 from master-2.0)
GnuTLS version:    3.2.15
Libgcrypt version: 1.6.2

ssl_association_remove removing TCP 443 - http handle 00000277EE1E2800
4013 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
KeyID[20]:
| 51 f1 fe 2a f4 26 7b db bc 55 30 fb c9 34 58 d8 |Q..*.&{..U0..4X.|
| 50 dd 4f 25                                     |P.O%            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file C:/cert.pfx successfully loaded.
ssl_init port '443' filename 'C:/cert.pfx' password(only for p12 file) 'Password'
association_add TCP port 443 protocol http handle 00000277EE1E2800

dissect_ssl enter frame #4 (first time)
association_find: TCP port 17008 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 80
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 75
decrypt_ssl3_record: app_data len 75, ssl state 0x00
association_find: TCP port 17008 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 71 bytes, remaining 80 
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 1380
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 49
decrypt_ssl3_record: app_data len 49, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 45 bytes, remaining 54 
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_dissect_hnd_srv_hello found CIPHER 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
  record: offset = 54, reported_length_remaining = 1326

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 1190

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 134
decrypt_ssl3_record: app_data len 134, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 139, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 145, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 150 48
decrypt_ssl3_record: app_data len 48, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 186 offset 150 length 5662814 bytes, remaining 198

dissect_ssl enter frame #13 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec No Session resumption, missing packets?
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 48
decrypt_ssl3_record: app_data len 48, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 141 offset 11 length 9969585 bytes, remaining 59

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 901
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 896, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 17008 found 0000000000000000
association_find: TCP port 443 found 00000277EFF042E0

dissect_ssl enter frame #15 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
  record: offset = 0, reported_length_remaining = 625

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 80
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 71 bytes, remaining 80

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1380
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 45 bytes, remaining 54 
  record: offset = 54, reported_length_remaining = 1326

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1190

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 
  record: offset = 139, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 145, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 186 offset 150 length 5662814 bytes, remaining 198

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 141 offset 11 length 9969585 bytes, remaining 59

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 901
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #15 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000277F0B252B0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 625

asked 19 Aug '16, 07:22

WireSharrkUser's gravatar image

WireSharrkUser
11126
accept rate: 0%

edited 19 Aug '16, 08:06

grahamb's gravatar image

grahamb ♦
19.4k330204

(19 Aug '16, 08:11) Christian_R

Your capture is using a cipher suite using the Diffie-Hellman key exchange:

ssl_dissect_hnd_srv_hello found CIPHER 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
                                                  ^^^

This does not work with a RSA private key file. See Decrypting TLS in Wireshark when using DHE_RSA ciphersuites for an alternative.

permanent link

answered 19 Aug '16, 08:09

Lekensteyn's gravatar image

Lekensteyn
2.1k3724
accept rate: 30%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×316
×162
×56

question asked: 19 Aug '16, 07:22

question was seen: 871 times

last updated: 19 Aug '16, 08:11

p​o​w​e​r​e​d by O​S​Q​A