Hi, I'm trying to investigate an FTP session using explicit TLS/SSL
(connects via port 21 using AUTH TLS command vs using a dedicated
port).
I'm using the following to direct wireshark to decrypt the SSL:
<ftp server ip>,21,ftp,/path/to/private/key
This definitely seems to change the output some, but I'm not able to
see the FTP commands being passed back and forth:
association_add TCP port 21 protocol ftp handle (nil)
association_add could not find handle for protocol 'ftp', try to find 'data' dissector
This would seem to be a key error? Also later on, I see stuff like the
following:
dissect_ssl enter frame #13 (first time)
conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x13
association_find: TCP port 1213 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x13
dissect_ssl3_handshake not enough data to generate key (required 0x17)
dissect_ssl enter frame #14 (first time)
conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 1213 found (nil)
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
dissect_ssl enter frame #15 (first time)
conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 272 ssl, state 0x13
association_find: TCP port 1213 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 129 offset 5 length 10001125 bytes, remaining 277
dissect_ssl enter frame #17 (first time)
conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 21 found 0xba587cf8
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl, state 0x13
association_find: TCP port 21 found 0xba587cf8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 104 offset 11 length 7276346 bytes, remaining 59
The unable to generate key errors I'm used to seeing when I'm using a
cipher that does DH key exchange -- but in this case I am sure I'm
using RSA key exchange (AES128-SHA cipher).
Any ideas why this isn't working? Is it the starttls nature of the
explicit TLS? If I use start_tls instead of the port number it still
doesn't help (I guess this isn't exactly STARTTLS either).
Thanks,
Ray
