
Wireshark-users: Re: [Wireshark-users] 3rd time Posting -- Please help Regarding SSL decryption w

From: Vijay Sitaram <vjatfugen@xxxxxxxxx>
Date: Wed, 25 Oct 2006 11:15:44 -0700 (PDT)
Hi,

Thank you very much for pointing me in the right direction. I have changed the command line syntax accordingly but am still encountering some errors. The changed syntax is as follows:

tshark -V -r rsasnakeoil2.cap -o "ssl.keys_list: 127.0.0.1,443,http,/path/to/snakeoil2/rsasnakeoil2.key" -o "ssl.debug_file: /path/to/snakeoil2/ssldebug.txt" > output.txt

Here is the section from the log file that seems to encounter an error:
dissect_ssl3_hnd_hello_common found random state 13
dissect_ssl3_hnd_srv_hello found cipher 35, state 17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 836 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 832 bytes, remaining 920
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 14 offset 925 length 0 bytes, remaining 929
dissect_ssl enter frame #8
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128 bytes, remaining 137
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
pre master encrypted[128]:
65 51 2d a6 d4 a7 38 df ac 79 1f 0b d9 b2 61 7d
73 88 32 d9 f2 62 3a 8b 11 04 75 ca 42 ff 4e d9
cc b9 fa 86 f3 16 2f 09 73 51 66 aa 29 cd 80 61
0f e8 13 ce 5b 8e 0a 23 f8 91 5e 5f 54 70 80 8e
7b 28 ef b6 69 b2 59 85 74 98 e2 7e d8 cc 76 80
e1 b6 45 4d c7 cd 84 ce b4 52 79 74 cd e6 d7 d1
9c ad ef 63 6c 0f f7 05 e4 4d 1a d3 cb 9c d2 51
b5 61 cb ff 7c ee c7 bc 5e 15 a3 f2 52 0f bb 32
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 0 bytes, decr_len 128
decypted_unstrip_pre_master[128]:
88 ba 5b 29 4f 8f 9e 4e 8a 26 32 2f da b9 d9 b5
a5 df ac 3a a5 27 02 e9 4b 57 a8 a2 03 8d 64 81
b7 7b d9 34 bf c7 c8 98 15 44 ed 1c bb 30 37 65
35 71 52 68 58 d3 24 6a a1 13 b3 de cf 24 d4 c0
9c bd d2 43 c4 dc 12 37 17 65 f2 5c 15 82 d2 f0
b2 84 2b ce 63 59 66 ca cf d0 0d 1b 81 ae dc 47
15 e3 4b 3b 55 d8 03 42 0c 1d ef cf f9 86 d9 56
7a 3a b0 38 c4 7d 32 ba 64 26 ee b7 48 98 f3 90
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 64 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 169 offset 148 length 14210869 bytes, remaining 212
Kind regards,

Vijay


Gerald Combs <gerald@xxxxxxxxxxxxx> wrote:
Vijay Sitaram wrote:
> Hi,
>
> I am not sure if this has been attempted before, but would really
> appreciate some help / guidance. We are trying to decrypt SSL
> application data by using 'tshark' on RedHat Linux using the following
> command:
> tshark -V -r rsasnakeoil2.cap -R
> "127.0.0.1,443,/path/to/snakeoil2/rsasnakeoil2.key" > output.txt
>
> The Application Data always shows up encrypted. Are there any logs
> that I can check to see the underlying problem? How can I make progress
> with my goal?

The "-R" flag is used to specify a read (aka display) filter, e.g.

ip.addr eq 172.17.2.172 and bgp

or

tcp matches "ghwbush.*password(?i)"

You appear to be trying to feed it a key list for the SSL dissector.
You might try using the "-o" flag instead, along with the appropriate
SSL preference name:

tshark -V -r rsasnakeoil2.cap \
-o "ssl.keys_list: 127.0.0.1,443,/path/to/rsasnakeoil2.key"

For a complete list of preference items, check the "preferences" file in
Wireshark's configuration directory or run "tshark -G defaultprefs".
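The decisive lines in the debug log above are "pcry_private_decrypt: stripping 0 bytes, decr_len 128" followed by "wrong pre_master_secret lenght (128, expected 48)": RSA decryption produced a full 128-byte block with no PKCS#1 v1.5 padding to strip, which is what a private key that does not belong to the server certificate in the capture looks like. The following script is an added example, not code from this thread or from Wireshark; it re-runs the standard PKCS#1 v1.5 type-2 unpadding check (Wireshark's own stripping routine may differ in detail) over the hex dump from the log and over a constructed well-formed block, so the "128 instead of 48" symptom can be reproduced and recognised offline.

```python
# Added example (not Wireshark's code): replay the padding check implied by the
# "ssl_decrypt_pre_master_secret ... (128, expected 48)" line in the debug log,
# to show why a mismatched RSA key fails at exactly that step.
import re
from typing import Optional

# Copied from the "decypted_unstrip_pre_master[128]" dump in the log above.
LOG_DUMP = """
88 ba 5b 29 4f 8f 9e 4e 8a 26 32 2f da b9 d9 b5
a5 df ac 3a a5 27 02 e9 4b 57 a8 a2 03 8d 64 81
b7 7b d9 34 bf c7 c8 98 15 44 ed 1c bb 30 37 65
35 71 52 68 58 d3 24 6a a1 13 b3 de cf 24 d4 c0
9c bd d2 43 c4 dc 12 37 17 65 f2 5c 15 82 d2 f0
b2 84 2b ce 63 59 66 ca cf d0 0d 1b 81 ae dc 47
15 e3 4b 3b 55 d8 03 42 0c 1d ef cf f9 86 d9 56
7a 3a b0 38 c4 7d 32 ba 64 26 ee b7 48 98 f3 90
"""

PMS_LEN = 48  # TLS pre-master secret: 2-byte client_version + 46 random bytes


def parse_hex_dump(text: str) -> bytes:
    """Turn a Wireshark-style hex dump (two hex digits per byte) into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9a-fA-F]{2}\b", text))


def strip_pkcs1_v15(block: bytes, expected_len: int = PMS_LEN) -> Optional[bytes]:
    """Return the payload of a PKCS#1 v1.5 type-2 block, or None if malformed.

    Expected layout: 00 02 <at least 8 non-zero padding bytes> 00 <payload>.
    The correct private key yields this layout; a mismatched key yields
    random-looking bytes, so the check fails and the caller is left with the
    full modulus-sized block (128 bytes here) instead of a 48-byte secret.
    """
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    try:
        sep = block.index(0x00, 2)          # first zero byte after the 00 02 header
    except ValueError:
        return None
    if sep - 2 < 8:                         # PKCS#1 v1.5 requires >= 8 padding bytes
        return None
    payload = block[sep + 1:]
    return payload if len(payload) == expected_len else None


def diagnose(block: bytes) -> dict:
    """Summarise the decryption result the way a troubleshooter would read it."""
    pms = strip_pkcs1_v15(block)
    if pms is None:
        return {
            "ok": False,
            "stripped": 0,
            "length": len(block),
            "reason": "no PKCS#1 v1.5 padding found; the RSA private key most "
                      "likely does not belong to the server certificate in the capture",
        }
    return {
        "ok": True,
        "stripped": len(block) - len(pms),
        "length": len(pms),
        "client_version": f"{pms[0]}.{pms[1]}",   # TLS 1.0 encodes as 3.1
    }


# Constructed well-formed block for comparison: 2 + 77 + 1 + 48 = 128 bytes.
GOOD_PMS = bytes([0x03, 0x01]) + bytes(range(46))        # TLS 1.0 version + "random"
GOOD_BLOCK = b"\x00\x02" + b"\x5a" * 77 + b"\x00" + GOOD_PMS


if __name__ == "__main__":
    print("log block  :", diagnose(parse_hex_dump(LOG_DUMP)))
    print("good block :", diagnose(GOOD_BLOCK))
```

When the padding check fails like this, the usual remedies are to confirm that the key file really corresponds to the certificate the server presented in the capture (compare the public-key modulus of both) and that the key is the RSA key used for the key exchange rather than a CA or client key; an ssl.keys_list entry with the right address and port but the wrong key produces exactly the log pattern shown in the message above.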