I need to capture and decrypt https traffic from my exchange server.

I've exported the exchange server's SSL certificate, and loaded it into wireshark under the ssl protocol, but my packets still are not being decrypted.

5.54.209.223,443,http,C:certname.pfx, (no password)

Picking an example packet, I've grabbed an encrypted packet from my server responding to the client (#139). Packet 139 in my capture remains encrypted. I can go into "Decode As" and reselect Decode and SSL, but it still does not decode the SSL-encrypted data. Looking through the log file for #139 I see:

dissect_ssl enter frame #139 (first time)
  conversation = 00000000058B55C0, ssl_session = 00000000058B6450
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 1043, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (already visited)
  conversation = 00000000058B55C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (already visited)
  conversation = 00000000058B55C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (first time)
  conversation = 00000000058B55C0, ssl_session = 00000000058B6450
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 1043, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (already visited)
  conversation = 00000000058B55C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (already visited)
  conversation = 00000000058B55C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (first time)
  conversation = 00000000058B55C0, ssl_session = 00000000058B6450
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 1043, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (already visited)
  conversation = 00000000058B55C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 000000000475A330

dissect_ssl enter frame #139 (already visited)
  conversation = 00000000058B55C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 000000000475A330

As you can see, Wireshark finds an association, but fails to find a decoder. I know it's the correct SSL certificate.

Any Ideas?

asked 18 Oct '11, 11:29

cabal

edited 18 Oct '11, 15:08

SYN-bit ♦♦
You'll need to look at the whole establishment. Probably a Diffie-Hellman cipher. Check for dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17 in your log. DH cipher can't be decoded.

answered 18 Oct '11, 13:54

Jaap ♦

I'm using cipher 0x0005. I'm not sure which cipher this represents, but I do see this in the log:

dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
  record: offset = 86, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 92, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 30 offset 97 length 3627431 bytes, remaining 157

Perhaps I can reconfigure the client browser to list only ciphers Wireshark can decrypt? Does anyone have a list of what ciphers Wireshark can decrypt?

(18 Oct '11, 14:33) cabal

OK, I changed the allowable SSL ciphers on the server too:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

None of these should be Diffie-Hellman.

I still can't decode packets:

dissect_ssl enter frame #577 (first time)
  conversation = 0000000005B67290, ssl_session = 0000000005B67FB0
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 1043, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004A0A300

dissect_ssl enter frame #577 (already visited)
  conversation = 0000000005B67290, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 0000000004A0A300

dissect_ssl enter frame #577 (first time)
  conversation = 0000000005B67290, ssl_session = 0000000005B67FB0
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 1043, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004A0A300

dissect_ssl enter frame #577 (already visited)
  conversation = 0000000005B67290, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1048
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 0000000004A0A300

Any Ideas?

(18 Oct '11, 15:01) cabal

(converted your answers to comments as they seem to address Jaap's answer, please see the FAQ for details)

(18 Oct '11, 15:15) SYN-bit ♦♦

There are a few things you need to take into account when decrypting SSL traffic.

First of all the key must be in PEM format or PKCS12 (with or without password). Did your ssl-debug file state that the key was successfully loaded?

Next, the full SSL handshake needs to be present in the trace so that the proper keys can be extracted. A reused SSL session (with a short handshake) does not provide the keying material and can therefore only be decrypted when the original full handshake is also present in the tracefile.

Then, as Jaap mentioned, when a DH cipher is used, the keying material is exchanged using the Diffie-Hellman protocol, which uses dynamically created keypairs instead of the server's public and private key. Therefore Wireshark is not able to decrypt these sessions.

Now to your issue. Please check whether the certificate is loaded successfully. Then check whether the full SSL handshake is present in your tracefile. If this does not solve your issue, it would help to see the full ssl-debug log.

answered 18 Oct '11, 15:24

SYN-bit ♦♦
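The checks Jaap and SYN-bit describe (cipher suite type, key loaded, full handshake present) can be run mechanically over an ssl-debug log. The script below is an added example, not code from the thread or from Wireshark; it assumes the ssl state bit layout of Wireshark's packet-ssl-utils.h of that era, assumes the key-load message contains "successfully loaded" (not shown on the page), and uses a subset of cipher-suite IDs including the 0x0005 and 0x0033 quoted above.

```python
import re

# Cipher-suite IDs -> (name, key exchange). 0x0033 and 0x0005 are the IDs quoted on the page;
# the others are a subset of the RSA suites cabal enabled plus DHE/ECDHE suites for contrast.
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA"), 0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"), 0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"), 0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"), 0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
}
# Wireshark's ssl state bits (assumed from packet-ssl-utils.h of that era). The page's state 0x17
# is VERSION|CIPHER|SERVER_RANDOM|CLIENT_RANDOM: no master (0x20) or pre-master (0x40) secret yet.
STATE_BITS = {0x01: "CLIENT_RANDOM", 0x02: "SERVER_RANDOM", 0x04: "CIPHER", 0x08: "SESSION_KEY",
              0x10: "VERSION", 0x20: "MASTER_SECRET", 0x40: "PRE_MASTER_SECRET"}
SERVER_KEY_EXCHANGE, CLIENT_KEY_EXCHANGE = 12, 16   # TLS handshake message types

def decode_state(state):
    return [name for bit, name in STATE_BITS.items() if state & bit]

def triage(log):
    """Return (verdict, findings) for one ssl-debug log; findings are the raw observations."""
    types = {int(t) for t in re.findall(r"dissect_ssl3_handshake iteration \d+ type (\d+)", log)}
    m = re.search(r"found CIPHER 0x([0-9A-Fa-f]{4}) -> state", log)
    name, kx = CIPHER_SUITES.get(int(m.group(1), 16) if m else -1, ("unknown", "unknown"))
    states = [int(s, 16) for s in re.findall(r"ssl state 0x([0-9A-Fa-f]+)", log)]
    f = {"key_loaded": "successfully loaded" in log,     # assumed ssl_init wording, not on the page
         "cipher": name, "key_exchange": kx,
         "client_key_exchange_seen": CLIENT_KEY_EXCHANGE in types,
         "ephemeral": kx in ("DHE", "ECDHE") or SERVER_KEY_EXCHANGE in types,
         "last_state": decode_state(states[-1]) if states else [],
         "no_decoder": "no decoder available" in log}
    if not f["key_loaded"]:
        verdict = "private key never loaded: check the RSA keys list entry and the PEM/PKCS12 file"
    elif f["ephemeral"]:
        verdict = "ephemeral (DHE/ECDHE) key exchange: the server key cannot recover the premaster secret"
    elif not f["client_key_exchange_seen"]:
        verdict = "no ClientKeyExchange in capture: resumed session or capture started mid-connection"
    elif f["no_decoder"]:
        verdict = "RSA handshake present but no decoder: key/certificate or IP:port in keys list mismatch"
    else:
        verdict = "decryptable: key loaded, RSA key exchange, full handshake captured"
    return verdict, f

# Constructed sample from the lines cabal posted, plus a constructed ServerHello (type 2) line; no key-load message.
CABAL_LOG = """dissect_ssl3_handshake iteration 1 type 2 offset 4 length 77 bytes, remaining 86
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
decrypt_ssl3_record: app_data len 1043, ssl state 0x17
decrypt_ssl3_record: no decoder available
"""
```

Feed the complete ssl-debug file to `triage` to get the first failing condition in the order SYN-bit lists them; the `last_state` field shows which of the 0x37/0x57 requirements is still missing.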
