Wireshark-users: Re: [Wireshark-users] SSL Decryption on the Fly

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 29 Feb 2008 18:51:02 +0100
On Fri, Feb 29, 2008 at 10:17:44AM -0500, Robert D. Scott wrote:
> I am having trouble getting decrypted output.
> 
> Debug Output:
> ssl_init keys string:
> 128.227.21.54,443,http,L:\2007\satst\satst.erp.ufl.edu.cer
> ssl_init found host entry
> 128.227.21.54,443,http,L:\2007\satst\satst.erp.ufl.edu.cer
> ssl_init addr 128.227.21.54 port 443 filename
> L:\2007\satst\satst.erp.ufl.edu.cer
> ssl_load_key: can't import pem data
> 
> 
> I have all the original cert info for the server, the .csr, the .crt, and
> the .key 

It's the .key file that you should use. As the certificate itself will
be part of the SSL handshake, Wireshark needs the private key that is linked to
the public key which is found in the certificate.

> Every combination I try generates the can't import pem data. I know this is
> the right cert, because I built the pkcs12 file from them to load into our
> Cisco SSL offload module.

What does your .key file look like? It should look something like:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDDheBxxgRp9Zg/D6pGzTEx0sn4C6vkLj/ftPp62XVD8Af7VbE7
[...]
yjoTQnfWPSiXBfumTIGr+F4kYIP9uMTPIQpwcOlZGa2j
-----END RSA PRIVATE KEY-----

If it looks like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CB7BE7B5A318ACE6

ScuaEtGA1xy7iVvvntc4hZ9Kl0VOKmA9sOcfP1CnrUVpAuLoHPEXTsc10smlXwsl
[...]
yy7ANfGCZTWaWP89uOIwlXK0n8hHZjTjw5axBuWXvgWHNbvein7tsg==
-----END RSA PRIVATE KEY-----

then your keyfile is protected by a passphrase (which is a good
thing btw). Unfortunately Wireshark can't use passphrase protected keys
so you will need to use openssl (or something else) to create a
keyfile that is not protected by a passphrase.

(openssl rsa -in <old-keyfile> -out <new-keyfile> will ask you for the
passphrase and write the key to <new-keyfile> unencrypted)

If your keyfile looks binary, then it is probably in DER format, meaning
you will have to convert it to PEM. Again, openssl can help you out:

openssl rsa -inform DER -in <old-keyfile> -out <new-keyfile>

I hope this helps,
Cheers,
    Sake
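
The checks described in the message above, collected into one script. This is an added example, not part of the original post and not Wireshark or openssl code. The function names and the sample files are made up for illustration, and the sample bodies are placeholders, not real keys.

```shell
#!/bin/sh
# Added example; classify_keyfile, next_step and make_samples are hypothetical names.

# Classify a file by the cases in the message above.
classify_keyfile() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "certificate"        # public key only, no private key inside
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "pem-encrypted"  # passphrase-protected PEM
        else
            echo "pem-plain"      # unencrypted PEM
        fi
    elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo "der-probable"       # binary, starts with ASN.1 SEQUENCE tag 0x30
    else
        echo "unknown"
    fi
}

# Map each class to the step given in the message.
next_step() {
    case $(classify_keyfile "$1") in
        certificate)   echo "certificate only: point Wireshark at the .key file" ;;
        pem-plain)     echo "unencrypted PEM key: usable as is" ;;
        pem-encrypted) echo "openssl rsa -in $1 -out <new-keyfile>" ;;
        der-probable)  echo "openssl rsa -inform DER -in $1 -out <new-keyfile>" ;;
        *)             echo "not a recognised key file" ;;
    esac
}

# Write constructed sample files (placeholder bodies, not real keys) into $1.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$1/server.cer"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/protected.key"
    printf '\060\202\002\135' > "$1/binary.key"
}
```

An unencrypted copy of the key lets anyone who reads it decrypt captured sessions that used RSA key exchange, so write `<new-keyfile>` under `umask 077` and remove it when the analysis is done.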