Wireshark · Wireshark-users: Re: [Wireshark-users] need help to decrypt SSL packets

[Arnold Wang <arnold.wang@xxxxxxxxxx>]

I used ssl decryption before and this is the first time run into this particular problem, couldn’t read the key file. This is the first time I tried to read a 4096-bit key. However since openssl seems have no problem reading it, I would assume wireshark should be able to as well.

The permission seems ok.

[awang@arnoldw tmp]$ ls -l /tmp/esd.key

-rw-r--r--. 1 awang users 3264 2009-11-05 09:28 /tmp/esd.key

[awang@arnoldw tmp]$ ls -l `which wireshark`

lrwxrwxrwx. 1 root root 13 2009-11-04 14:23 /usr/bin/wireshark -> consolehelper

[awang@arnoldw tmp]$ ls -l `which openssl`

-rwxr-xr-x. 1 root root 444640 2009-05-21 09:47 /usr/bin/openssl

BTW, the error happens before I even open the trace file so it has nothing to do with it. Unfortunately, I can’t upload the whole private key since it’s for one of our public production site.

Thanks for the help.

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Wednesday, November 04, 2009 2:56 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] need help to decrypt SSL packets

 

Seems you are doing the right thing.

 

Are you able to decrypt ssl traffic in other tracefiles  with other keys? Or was this your first try?

 

Could you share the output of:

 

ls -l /tmp/esd.key

ls -l `which wireshark`

ls -l `which openssl`

 

.. to see whether it could be a permission problem?

 

And are you able to share the tracefile and key or are they from a production environment?

 

Cheers,

    Sake

----- Original Message -----

From: Arnold Wang

To: 'wireshark-users@xxxxxxxxxxxxx'

Sent: Tuesday, November 03, 2009 9:07 PM

Subject: [Wireshark-users] need help to decrypt SSL packets

 

I’m running Wireshark 1.1.3 comes with Fedora 11. When I tried to decode the captured FTPS traffics, I’m running into trouble to load the private key into Wireshark. I got the following error message when I started Wireshark:

ssl_init keys string:

10.x.100.25,990,ftps,/tmp/esd.key

ssl_init found host entry 10.x.100.25,990,ftps,/tmp/esd.key

ssl_init addr '10.x.100.25' port '990' filename '/tmp/esd.key' password(only fo

r p12 file) '(null)'

ssl_load_key: can't import pem data

As far as I can tell, the private key looks OK.

[awang@mars tmp]$ more esd.key

-----BEGIN PRIVATE KEY-----

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDuYd7gPiqjx/+pFfQ0QhHhUBR5

t8WDrji+N7QEmmULguE+MJiku4de35EjrlR5PkW6voZ+/xpKjNQvqpi6YI/IzBEgS4b61zreBM55

….

paDoKh7nJpUz+PlQ9YuOUtSXuadQMqsqipYY9CygeQD8xZMopfcrb+obifGZrgfP3KYpTT5mUxld

z/qpPf+Cs+pvgBzzYu4AIaCMG+8lqeS2cD2z8jOavSonRcOfMw==

-----END PRIVATE KEY-----

[awang@mars tmp]$ openssl rsa -inform pem -in esd.key -noout -text

Private-Key: (4096 bit)

modulus:

    00:ee:61:de:e0:3e:2a:a3:c7:ff:a9:15:f4:34:42:

    11:e1:50:14:79:b7:c5:83:ae:38:be:37:b4:04:9a:

….

What did I miss?

Thanks.

---

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe