
Wireshark-users: [Wireshark-users] Unable to decrypt SSL data provided with Wiki sample capture

From: "Maurizio Giudici" <mrgiudici@xxxxxx>
Date: Wed, 22 Apr 2009 15:48:32 +0200
Hi,

I just downloaded and installed Wireshark 1.0.7 for Windows, and, only to
understand better how things work, I tried to load the sample capture of an
SSL connection provided in the Wireshark Wiki
(http://wiki.wireshark.org/SSL).

In the SSL preferences I specified the RSA keys list in the following way:

127.0.0.1,443,http,C:\Programmi\Wireshark\private\snakeoil2.key

and I specified an SSL debug file too.

Unfortunately, when I load the capture file "rsasnakeoil2.cap" into
Wireshark and view packets that contain "Application Data", the data are
still encrypted.

This is the first part of the debug file:

ssl_init keys string:
127.0.0.1,443,http,C:\Programmi\Wireshark\private\snakeoil2.key
ssl_init found host entry
127.0.0.1,443,http,C:\Programmi\Wireshark\private\snakeoil2.key
ssl_init addr '127.0.0.1' port '443' filename
'C:\Programmi\Wireshark\private\snakeoil2.key' password(only for p12 file)
'(null)'
association_find: TCP port 993 found 03A89320
ssl_association_remove removing TCP 993 - imap handle 028F3588
association_add TCP port 993 protocol imap handle 028F3588
association_find: TCP port 995 found 03A89360
ssl_association_remove removing TCP 995 - pop handle 037D1920
association_add TCP port 995 protocol pop handle 037D1920

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 04581A48 size 564
association_find: TCP port 38713 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 127.0.0.1:443
dissect_ssl can't find private key for this server! Try it again with
universal port 0
dissect_ssl can't find private key for this server (universal port)! Try it
again with universal address 0.0.0.0
dissect_ssl can't find any private key!
  conversation = 04581870, ssl_session = 04581A48
client random len: 16 padded to 32

dissect_ssl enter frame #6 (first time)
  conversation = 04581870, ssl_session = 04581A48
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 443 found 03A50BD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
remaining 79 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0035 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 836 ssl, state 0x17
association_find: TCP port 443 found 03A50BD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 832 bytes,
remaining 920 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 443 found 03A50BD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 925 length 0 bytes,
remaining 929 

I think that messages like "dissect_ssl can't find any private key" and "no
decoder available" show that something went wrong, but I have no clue on how
to fix this.


Thanks in advance.
Maurizio