
Wireshark-users: [Wireshark-users] SSL decryption

From: "SARAVANA PERUMAL RAMAKRISHNAN" <Ramakrishnan.Saravana_Perumal@xxxxxxxxxxxxxxxxxx>
Date: Wed, 28 Nov 2007 11:50:53 +0100
Hello,
    I'm trying to collect SOAP traces using Wireshark. The application is running on a Solaris machine, and I access the GUI for this application through a web browser on my Windows PC. As soon as I enter the application URL in the browser, before giving the authentication (user ID/pw), I get the following message in the debug file.
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
 
Can you help me with what's wrong? I'm using Wireshark version .99.6a.
The content of the full debug file is given below:
 
ssl_init keys string:
172.21.131.253,2006,http,D:\eventhelix\server.key
ssl_init found host entry 172.21.131.253,2006,http,D:\eventhelix\server.key
ssl_init addr 172.21.131.253 port 2006 filename D:\eventhelix\server.key
ssl_init private key file D:\eventhelix\server.key successfully loaded
association_add TCP port 2006 protocol http handle 026AB698
association_find: TCP port 443 found 02A0F640
ssl_association_remove removing TCP 443 - http handle 026AB698
association_add TCP port 443 protocol http handle 026AB698
association_find: TCP port 636 found 02A0F728
ssl_association_remove removing TCP 636 - ldap handle 0274B788
association_add TCP port 636 protocol ldap handle 0274B788
association_find: TCP port 993 found 02A0FF08
ssl_association_remove removing TCP 993 - imap handle 024451E0
association_add TCP port 993 protocol imap handle 024451E0
association_find: TCP port 995 found 02A10040
ssl_association_remove removing TCP 995 - pop handle 027C9CE0
association_add TCP port 995 protocol pop handle 027C9CE0
 
dissect_ssl enter frame #458 (first time)
ssl_session_init: initializing ptr 041B3550 size 564
association_find: TCP port 3179 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 172.21.131.253:2006
client random len: 16 padded to 32
 
dissect_ssl enter frame #458 (already visited)
 
dissect_ssl enter frame #460 (first time)
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 2006 found 02A98640
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 747 ssl, state 0x17
association_find: TCP port 2006 found 02A98640
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 743 bytes, remaining 831
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 2006 found 02A98640
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 836 length 0 bytes, remaining 840
 
dissect_ssl enter frame #461 (first time)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl, state 0x17
association_find: TCP port 3179 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128 bytes, remaining 137
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
pre master encrypted[128]:
a6 ab c3 1e 4d ef db 40 8f b6 0a a9 56 ee 29 4e
d4 23 97 b9 2c 1a ba a9 06 07 73 75 fa a5 7a 51
87 ca f9 d5 2c 81 24 99 93 2d c4 b6 76 be 92 f9
16 e3 81 ee ba 35 15 e5 fc 1a 6e 6c e7 ea 40 ed
4b fd 87 63 d6 cd 2d 8d 65 b5 eb 04 fc c4 4d 14
6f 64 57 b3 8b 9b e4 21 ed 8f 14 1d e6 de 8d a5
19 80 5c c3 a8 82 7b a0 48 33 48 da e7 8b c5 02
10 6b 1c 6e 16 49 4e a0 43 78 65 6d 64 a8 e7 ec
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 0 bytes, decr_len 128
decypted_unstrip_pre_master[128]:
ea 92 97 25 b9 d9 1f 46 81 bc 2a 3b 2f a6 2e 54
cd ed 90 40 07 0a 2f 3b 57 bf 3a 17 53 33 cb 44
76 13 25 8c 4e 0b 51 36 bc 34 b1 f4 1b c5 f3 79
2d 12 7f 5e 4e 03 0b 4b 5b 20 71 b4 b2 a4 45 a1
b5 2f 93 9c 56 9c bc 31 c5 d8 cb 28 74 fc d1 20
d9 d3 fc 22 c2 8c f0 35 c7 74 3a 30 6a 5e 52 72
b3 14 f8 4a 02 ce d8 d4 a0 f0 6d 8a f3 9c 7e 46
f0 f1 cd a4 b0 6b a4 60 6a 37 47 f5 89 d3 5a b8
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret

dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 3179 found 00000000
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
 
 
Thank you for your support,
kind regards,
saravana perumal.
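
The decrypted block in the log above can be checked against the PKCS#1 v1.5 encryption layout that RSA key exchange uses: 00 02, at least eight non-zero padding bytes, 00, then the 48-byte pre-master secret. This is an added example, not part of the original post or of Wireshark's code; the function names and GOOD_BLOCK are constructed for illustration.

```python
import re

# Excerpt copied from the debug file posted above (frame #461).
POSTED_LOG = """\
pcry_private_decrypt: stripping 0 bytes, decr_len 128
decypted_unstrip_pre_master[128]:
ea 92 97 25 b9 d9 1f 46 81 bc 2a 3b 2f a6 2e 54
cd ed 90 40 07 0a 2f 3b 57 bf 3a 17 53 33 cb 44
76 13 25 8c 4e 0b 51 36 bc 34 b1 f4 1b c5 f3 79
2d 12 7f 5e 4e 03 0b 4b 5b 20 71 b4 b2 a4 45 a1
b5 2f 93 9c 56 9c bc 31 c5 d8 cb 28 74 fc d1 20
d9 d3 fc 22 c2 8c f0 35 c7 74 3a 30 6a 5e 52 72
b3 14 f8 4a 02 ce d8 d4 a0 f0 6d 8a f3 9c 7e 46
f0 f1 cd a4 b0 6b a4 60 6a 37 47 f5 89 d3 5a b8
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
"""

# Constructed sample (not from the post): a well-formed 128-byte block.
GOOD_BLOCK = b"\x00\x02" + b"\xaa" * 77 + b"\x00" + b"\x03\x00" + bytes(46)

HEX_ROW = re.compile(r"(?:[0-9a-f]{2} ?)+")

def dumped_block(log, label):
    """Return the bytes of the hex dump that follows '<label>[N]:' in the log."""
    lines = iter(log.splitlines())
    for line in lines:
        header = re.fullmatch(re.escape(label) + r"\[(\d+)\]:", line.strip())
        if header:
            data = bytearray()
            for row in lines:
                if not HEX_ROW.fullmatch(row.strip()):
                    break
                data += bytes.fromhex(row)
            if len(data) != int(header.group(1)):
                raise ValueError("dump is shorter or longer than its header says")
            return bytes(data)
    raise ValueError(f"no dump labelled {label!r}")

def check_pkcs1_type2(block, secret_len=48):
    """Check the 00 02 <PS> 00 <secret> layout; return (ok, reason)."""
    if block[:2] != b"\x00\x02":
        return False, "block does not start with 00 02"
    sep = block.find(b"\x00", 2)          # first zero byte ends the padding
    if sep < 10:                          # -1 if absent; PS needs >= 8 bytes
        return False, "padding missing its terminator or shorter than 8 bytes"
    if len(block) - sep - 1 != secret_len:
        return False, f"secret is {len(block) - sep - 1} bytes, expected {secret_len}"
    return True, "ok"
```

Calling `check_pkcs1_type2(dumped_block(POSTED_LOG, "decypted_unstrip_pre_master"))` fails at the first check, which is the output RSA decryption gives when, for example, the loaded private key is not the one the client encrypted to.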