Wireshark · Wireshark-users: Re: [Wireshark-users] Decoding SSL - what cipher suites are supported?

[Jaap Keuter <jaap.keuter@xxxxxxxxx>]

Hi,

That one was only recently added to the development version of wireshark.

   {51,KEX_DH, SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},

You can find an overview of what Wireshark knows in 
http://anonsvn.wireshark.org/wireshark/trunk-1.0/epan/dissectors/packet-ssl-utils.c

Thanx,
Jaap


ixxus nexxus wrote:
> I am trying to decode some ssl traffic. I have set the private key in 
> wireshark but I am still not able to decrypt and view the data. I see 
> this error in the log:
>
> dissect_ssl3_hnd_srv_hello can't find cipher suite 0x33
>
> If this one is not supported, where can I get a list of supported 
> suites? I am using 1.0.2 on windows.
>
> Thank you for your help.
>
>
>
> Here are the details of the log:
>
> ssl_init keys string:
> xxx.xxx.xxx.xxx,http,P:\temp\key.pem
> ssl_init found host entry xxx.xxx.xxx.xxx,443,http,P:\temp\key.pem
> ssl_init addr 'xxx.xxx.xxx.xxx' port '443' filename 'P:\temp\key.pem' 
> password(only for p12 file) '(null)'
> ssl_init private key file P:\temp\key.pem successfully loaded
> association_add TCP port 443 protocol http handle 02F5E458
> association_find: TCP port 993 found 03D6A070
> ssl_association_remove removing TCP 993 - imap handle 02E58B00
> association_add TCP port 993 protocol imap handle 02E58B00
> association_find: TCP port 995 found 03D6A0B0
> ssl_association_remove removing TCP 995 - pop handle 03AB16F8
> association_add TCP port 995 protocol pop handle 03AB16F8
>
> dissect_ssl enter frame #6 (first time)
> ssl_session_init: initializing ptr 050B1E70 size 564
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> dissect_ssl server xxx.xxx.xxx.xxx:443
>   conversation = 050B1C98, ssl_session = 050B1E70
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 138 ssl, state 0x00
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 1 offset 5 length 134 bytes, 
> remaining 143
> dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
>
> dissect_ssl enter frame #8 (first time)
>   conversation = 050B1C98, ssl_session = 050B1E70
> dissect_ssl3_record found version 0x0301 -> state 0x11
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 1113 ssl, state 0x11
> association_find: TCP port 443 found 03F5B3D0
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, 
> remaining 1118
> dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
> dissect_ssl3_hnd_srv_hello can't find cipher suite 0x33
> dissect_ssl3_handshake iteration 0 type 11 offset 79 length 603 bytes, 
> remaining 1118
> dissect_ssl3_handshake iteration 0 type 12 offset 686 length 424 bytes, 
> remaining 1118
> dissect_ssl3_handshake iteration 0 type 14 offset 1114 length 0 bytes, 
> remaining 1118
>
> dissect_ssl enter frame #10 (first time)
>   conversation = 050B1C98, ssl_session = 050B1E70
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 102 ssl, state 0x13
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, 
> remaining 107
> dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x13
> dissect_ssl3_handshake not enough data to generate key (required 0x17)
> dissect_ssl3_record: content_type 20
> dissect_ssl3_change_cipher_spec
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> ssl_change_cipher CLIENT
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 48 ssl, state 0x13
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 94 offset 118 length 7042118 
> bytes, remaining 166
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users