This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

No TLS protocol packets seen for SQL Svr SSL Encryption. Microsoft Network Monitor shows them.

0

Hello -

Problem Definition

I've configured SQL Server 2005 Express edition to use SSL encryption for database connections. I use SQL Mgmt Studio to connect to my database with "encrypt" check box on. I've even enabled the FIPS 140-2 compliance in my local policy. I want to check if the DB connection is truly using TLS/SSL when I connect from mgmt studio to the SQL Server db. My connection is successful, and when I use "Microsoft network monitor 3.4" utility to check the traffic, I can see the TLS protocol packets.

But when I use Wireshark, I only see TCP protocol packets. No TLS.
Why???

My Environment

Windows 7 professional laptop, Sql Svr 2005 express svc pk 3

Wireshark 1.4.1 (with GnuTLS 2.8.5 - checked in about)

A self generated certificate using makecert

What I tried in Wireshark

Since TLS protocol packets were not showing up by default, I tried to follow some information on http://wiki.wireshark.org/SSL? to use SSL dissector.

The certificate I created and deployed for SQL Server was using the following command

makecert -r -pe -n "CN=mycompanyname" -b 01/01/2000 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:mycert.cer

I imported the generated certificate using MMC. Then I exported this imported certificate along with the private key, in PFX format (mycert.pfx). The export happened for PKCS12.

Then I used the following command to extract all the information in PEM file from the PFX file.

openssl pkcs12 -in exportedsproutscertWithPrivateKeyUsesPKCS12.pfx -out key.pem

Then I copied the private key from the generated PEM file into a separate file myprivatekey.key.

Then I went in preferences-protocols-ssl in Wireshark and configured the RSA Keys list box to say

127.0.0.1,0,tcp,c:pathtomyprivatekeymyprivatekey.key,privatekeypassword

All other checkboxes are selected and I specified a log file for SSL Debug file.

When I apply and run wireshark to monitor the traffic, I get the following error in the debug file.

"gnutls_pkcs12_import(ssl_p12, &data, GNUTLS_X509_FMT_DER, 0) - ASN1 parser: Error in TAG."

Why??

-Is there something wrong in my syntax for RSA keys list?

-If my private key is not valid or whatever, why wouldn't I see any errors when I generated the certificate using makecert or when I imported/exported it or when I used openssl to convert from PFX to PEM? I went from .cer to .pfx to .pem and saw no errors anywhere.

asked 09 Nov '10, 11:35


lazybee26
accept rate: 0%


One Answer:

0

Just a quick thought on "not seeing TLS" traffic. Is the traffic on port 443 or another port? If another port, add the port number to preferences > HTTP in the SSL/TLS ports area.

The key syntax should look something like 127.0.0.1,443,http,c:keylistmykey.key - note the port is 443 and the protocol is http after it. You're not decrypting TCP - you're decrypting HTTP.

answered 11 Nov '10, 17:17


lchappell ♦
accept rate: 8%
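
Added example (not part of the original question or answer, and not Wireshark code): a pre-flight check that compares an RSA keys list entry with the container format of the key file it points to. It assumes, going by the gnutls_pkcs12_import(..., GNUTLS_X509_FMT_DER, ...) call in the question's debug log, that an entry with a password field is imported as DER PKCS#12 and an entry without one as an unencrypted PEM key; the sample key bytes are constructed placeholders and all function names are hypothetical.

```python
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

# Constructed samples (placeholders, not real key material).
SAMPLE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENC = (b"Bag Attributes\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
                  b"-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_PFX = bytes.fromhex("3082000a020103") + b"\x00" * 7   # PFX header, dummy body
# RSA keys list entry exactly as quoted in the question.
QUESTION_ENTRY = "127.0.0.1,0,tcp,c:pathtomyprivatekeymyprivatekey.key,privatekeypassword"


def classify_key_file(data: bytes) -> str:
    """Return 'pem-key', 'pem-encrypted-key', 'pem-no-key', 'pkcs12-der' or 'unknown'."""
    labels = PEM_LABEL.findall(data)
    if labels:
        keys = [l for l in labels if l.endswith(b"PRIVATE KEY")]
        if not keys:
            return "pem-no-key"                      # e.g. a certificate only
        enc = keys[0].startswith(b"ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in data
        return "pem-encrypted-key" if enc else "pem-key"
    # DER PKCS#12 (PFX): SEQUENCE tag 0x30, length octets, then INTEGER 3 (02 01 03).
    if len(data) > 2 and data[0] == 0x30:
        hdr = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
        if data[hdr:hdr + 3] == b"\x02\x01\x03":
            return "pkcs12-der"
    return "unknown"


def parse_keys_entry(entry: str) -> dict:
    """Split ip,port,protocol,keyfile[,password] as used in the RSA keys list."""
    parts = [p.strip() for p in entry.split(",", 4)]
    if len(parts) < 4:
        raise ValueError("expected ip,port,protocol,keyfile[,password]")
    return {"ip": parts[0], "port": int(parts[1]), "protocol": parts[2],
            "keyfile": parts[3], "password": parts[4] if len(parts) == 5 else None}


def check_entry(entry: str, key_bytes: bytes) -> str:
    """Compare the entry's password field with the container the key file really is."""
    cfg, kind = parse_keys_entry(entry), classify_key_file(key_bytes)
    if cfg["password"] is not None:          # assumption: password => PKCS#12 import
        return "ok" if kind == "pkcs12-der" else f"mismatch: password set but file is {kind}"
    return "ok" if kind == "pem-key" else f"mismatch: no password but file is {kind}"


if __name__ == "__main__":
    for name, blob in [("PEM", SAMPLE_PEM), ("encrypted PEM", SAMPLE_PEM_ENC), ("PFX", SAMPLE_PFX)]:
        print(name, "->", check_entry(QUESTION_ENTRY, blob))
```

In practice, read the key file with open(path, "rb").read() and pass the bytes to check_entry together with the entry from the preferences dialog.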