This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem in decrypting SSL - Wireshark 1.6.2

0

I am using the current newest version of Wireshark, 1.6.2. I wanted to decrypt an SSL connection. I entered the IP address, port, protocol and .key file in Preferences -> SSL correctly, but the packets are still not decrypted. I am using an Apache webserver, so the keys are all in .pem format. I also tried converting the key and certificate to .pfx format and using it to decrypt, but to no avail. Here is the download link for the pcap capture file, server key, certificate and CSR (It's self-signed and it's only for private academic use so I'm fine sharing it): http://www.mediafire.com/?980y2vwedkf9r6r And I also started capturing packets in Wireshark even before I opened my web browser, so all the handshakes are captured (you can look at my pcap file)

Here is the debug file:

ssl_association_remove removing TCP 443 - http handle 03454E58
ssl_parse: Can't load UAT string "192.168.0.1","443","http","C:\server.key","": ssl_keys:1: File 'C:server.key' does not exist or access is denied.
Private key imported: KeyID ef:d4:b1:da:f3:75:8d:a1:0f:37:87:7b:49:71:f8:2d:...
ssl_init IPv4 addr '192.168.0.1' (192.168.0.1) port '443' filename 'C:\server.key' password(only for p12 file) ''
ssl_init private key file C:\server.key successfully loaded.
association_add TCP port 443 protocol http handle 03454E58
1717 bytes read
PKCS#12 imported
Bag 0/0: Encrypted
Bag 0/0 decrypted: Certificate
Certificate imported: Aldred Benedict <[email protected]>, KeyID efd4b1daf3758da10f37877b4971f82d1a99bd1f
Bag 1/0: PKCS#8 Encrypted key
Private key imported: KeyID ef:d4:b1:da:f3:75:8d:a1:0f:37:87:7b:49:71:f8:2d:...
ssl_init IPv4 addr '192.168.0.1' (192.168.0.1) port '443' filename 'C:\serverCert.pfx' password(only for p12 file) 'caveman'
ssl_init private key file C:\serverCert.pfx successfully loaded.
association_add TCP port 443 protocol http handle 03454E58

dissect_ssl enter frame #21 (first time) ssl_session_init: initializing ptr 05072A5C size 588 conversation = 050726F4, ssl_session = 05072A5C record: offset = 0, reported_length_remaining = 163 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 158, ssl state 0x00 association_find: TCP port 1076 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 154 bytes, remaining 163 packet_from_server: is from server - FALSE ssl_find_private_key server 192.168.0.1:443 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #22 (first time) conversation = 050726F4, ssl_session = 05072A5C record: offset = 0, reported_length_remaining = 1181 dissect_ssl3_record found version 0x0301 -> state 0x11 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 53, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session can't find stored session dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88 record: offset = 58, reported_length_remaining = 1123 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 707, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 63 length 703 bytes, remaining 770 record: offset = 770, reported_length_remaining = 411 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 397, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172 record: offset = 1172, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 4, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 1177 length 0 bytes, remaining 1181

dissect_ssl enter frame #32 (first time) ssl_session_init: initializing ptr 05073484 size 588 conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 163 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 158, ssl state 0x00 association_find: TCP port 1077 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 154 bytes, remaining 163 packet_from_server: is from server - FALSE ssl_find_private_key server 192.168.0.1:443 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #33 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 1181 dissect_ssl3_record found version 0x0301 -> state 0x11 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 53, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session can't find stored session dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88 record: offset = 58, reported_length_remaining = 1123 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 707, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 63 length 703 bytes, remaining 770 record: offset = 770, reported_length_remaining = 411 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 397, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172 record: offset = 1172, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 4, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 1177 length 0 bytes, remaining 1181

dissect_ssl enter frame #34 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 704 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 134, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16) dissect_ssl3_handshake can't decrypt pre master secret record: offset = 139, reported_length_remaining = 565 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 145, reported_length_remaining = 559 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 48, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 148 offset 150 length 8824632 bytes, remaining 198 record: offset = 198, reported_length_remaining = 506 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1077 found 00000000 association_find: TCP port 443 found 0604A548 record: offset = 235, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 464, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1077 found 00000000 association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #35 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 266 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 202, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 4 offset 5 length 198 bytes, remaining 207 record: offset = 207, reported_length_remaining = 59 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 213, reported_length_remaining = 53 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 48, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 251 offset 218 length 9643165 bytes, remaining 266

dissect_ssl enter frame #36 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 922 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 304, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0604A548 record: offset = 309, reported_length_remaining = 613 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 608, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #40 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 634 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1077 found 00000000 association_find: TCP port 443 found 0604A548 record: offset = 37, reported_length_remaining = 597 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 592, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1077 found 00000000 association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #41 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 122 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 32, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1077 found 00000000 association_find: TCP port 443 found 0604A548 record: offset = 37, reported_length_remaining = 85 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 80, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1077 found 00000000 association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #43 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 362 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 304, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0604A548 record: offset = 309, reported_length_remaining = 53 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 48, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #47 (first time) conversation = 0507311C, ssl_session = 05073484 record: offset = 0, reported_length_remaining = 37 dissect_ssl3_record: content_type 21 decrypt_ssl3_record: app_data len 32, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

asked 23 Oct ‘11, 21:35

Caveman's gravatar image

Caveman
26223
accept rate: 50%

edited 23 Oct ‘11, 21:41


One Answer:

0

I figured what's wrong. I used a Diffie-Hellman cipher. That's why the traffic cannot be decrypted.

answered 30 Oct '11, 05:18

Caveman's gravatar image

Caveman
26223
accept rate: 50%