I am trying to decrypt an SSL session in Wireshark. I have loaded the p12 file (including password) into Wireshark. Here is the debug output:

2686 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
Private key imported: KeyID <keyID#1>...
Bag 1/0: Encrypted
Bag 1/0 decrypted: Certificate
Certificate imported: <password> <<remoteDomain>>, KeyID <keyID#2>
ssl_init IPv4 addr '<LocalIP>' (<LocalIP>) port '59199' filename 'C:\Users\dbeutler\Desktop\test.p12' <password>(only for p12 file) '<password>'
ssl_init private key file C:\Users\dbeutler\Desktop\test.p12 successfully loaded.
association_add TCP port 59199 protocol http handle 0000000003FF9A90

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0000000005AF1D00 size 680
  conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
  record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 83, ssl state 0x00
association_find: TCP port 59199 found 0000000004A74800
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88 
packet_from_server: is from server - FALSE
ssl_find_private_key server <RemoteIP>:443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
  conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
  record: offset = 0, reported_length_remaining = 150
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
  record: offset = 79, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 85, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 194 offset 90 length 16556088 bytes, remaining 150

dissect_ssl enter frame #7 (first time)
  conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
  record: offset = 0, reported_length_remaining = 388
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 6, reported_length_remaining = 382
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 252 offset 11 length 10477783 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 317
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 312, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59199 found 0000000004A74800

dissect_ssl enter frame #8 (first time)
  conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
  record: offset = 0, reported_length_remaining = 50
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 45, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004990C80

dissect_ssl enter frame #9 (first time)
  conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
  record: offset = 0, reported_length_remaining = 735
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 730, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59199 found 0000000004A74800

dissect_ssl enter frame #4 (already visited)
  conversation = 0000000005AF1880, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88

dissect_ssl enter frame #6 (already visited)
  conversation = 0000000005AF1880, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 150
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 
  record: offset = 79, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
  record: offset = 85, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 194 offset 90 length 16556088 bytes, remaining 150

dissect_ssl enter frame #7 (already visited)
  conversation = 0000000005AF1880, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 388
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
  record: offset = 6, reported_length_remaining = 382
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 252 offset 11 length 10477783 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 317
dissect_ssl3_record: content_type 23
association_find: TCP port 59199 found 0000000004A74800

dissect_ssl enter frame #8 (already visited)
  conversation = 0000000005AF1880, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 50
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 0000000004990C80

dissect_ssl enter frame #9 (already visited)
  conversation = 0000000005AF1880, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 735
dissect_ssl3_record: content_type 23
association_find: TCP port 59199 found 0000000004A74800

Any help would be appreciated... Thanks, Danny

asked 16 Sep '11, 10:17

dbeutler

edited 16 Sep '11, 11:55

SYN-bit ♦♦

It would help if you also posted the way you configured the key list in the SSL protocol preferences, as it looks like you entered it incorrectly.

This is how it should be:

<ip-address-of-server>,<port-on-server>,http,<path-to-server-private-key>,<password-if-pkcs12-key>

So when connecting to a https-webserver on 1.1.1.1:443 from a client 10.0.0.1:12345, you would enter:

1.1.1.1,443,http,/tmp/keyfile.pem  or
1.1.1.1,443,http,/tmp/keyfile.pkcs12,mysecretpassword

Hope this helps!

answered 16 Sep '11, 12:01

SYN-bit ♦♦
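
As an added example (not part of the original thread and not Wireshark code), this Python script reads an SSL debug log like the one in the question and compares the address and port entered in the key list (the `ssl_init` line) with the server the dissector actually looked up (the `ssl_find_private_key` lines). The sample log is constructed, with made-up addresses in place of the redacted ones, and the function names are hypothetical.

```python
import re

# Constructed sample: the lines that matter from a Wireshark SSL debug log,
# with made-up addresses standing in for the redacted ones in the question.
SAMPLE_LOG = """\
ssl_init IPv4 addr '10.0.0.1' (10.0.0.1) port '59199' filename 'C:\\keys\\test.p12' password(only for p12 file) 'x'
ssl_init private key file C:\\keys\\test.p12 successfully loaded.
association_add TCP port 59199 protocol http handle 0000000003FF9A90
ssl_find_private_key server 1.1.1.1:443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find any private key!
"""

INIT_RE = re.compile(r"^ssl_init IPv4 addr '([^']+)' \([^)]*\) port '(\d+)'")
FIND_RE = re.compile(r"^ssl_find_private_key server (\S+):(\d+)\s*$")
FAIL_MSG = "ssl_find_private_key can't find any private key!"

def check_key_list(log_text):
    """Return (configured, looked_up, unmatched) sets of (addr, port) pairs."""
    configured, looked_up, unmatched = set(), set(), set()
    last = None  # most recent server the dissector tried to find a key for
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            configured.add((m.group(1), int(m.group(2))))
            continue
        m = FIND_RE.match(line)
        if m:
            last = (m.group(1), int(m.group(2)))
            looked_up.add(last)
        elif line.strip() == FAIL_MSG and last:
            # All lookups (exact, port 0, address 0.0.0.0) failed for `last`.
            unmatched.add(last)
    return configured, looked_up, unmatched

def suggest_entries(log_text, protocol="http", key_path="<path-to-server-private-key>"):
    """Build key-list lines in the answer's format for servers with no key."""
    _, _, unmatched = check_key_list(log_text)
    return [f"{a},{p},{protocol},{key_path}" for a, p in sorted(unmatched)]

if __name__ == "__main__":
    cfg, seen, bad = check_key_list(SAMPLE_LOG)
    print("configured:", cfg, "looked up:", seen, "no key for:", bad)
    print("\n".join(suggest_entries(SAMPLE_LOG)))
```

On the sample, the key list holds the client side (10.0.0.1:59199) while the lookup is for the server (1.1.1.1:443), the same pattern as in the question's log.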

last updated: 12 Oct '11, 07:14
