Wireshark · Wireshark-users: Re: [Wireshark-users] Decoding SSL (first time)

["Sake Blok" <sake@xxxxxxxxxx>]

Are you sure the private key you are using in wireshark is indeed the 
private key that belongs to the certificate that the server is using?

Cheers,
    Sake


----- Original Message ----- 
From: "Stuart Marsden" <stuart@xxxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, January 13, 2010 3:24 PM
Subject: [Wireshark-users] Decoding SSL (first time)


> Hi,
>
> trying to decode SSL for the first time - This is for provisioning  a
> VoIP  Phone talking https to  Windows IIS
>
> Private key looks ok,  but "decrypt_ssl3_record: no decoder available"
> looks like the first error
>
> Based on a previous post, I made sure wireshark was running before phone
> rebooted.
>
> any help greatly appreciated
>
> Stuart
>
> ssl_init keys string:
> 82.133.39.247,443,http,C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem
> ssl_init found host entry
> 82.133.39.247,443,http,C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem
> ssl_init addr '82.133.39.247' port '443' filename
> 'C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem'
> password(only for p12 file) '(null)'
> Private key imported: KeyID
> 26:C8:D0:04:16:66:92:7C:E5:48:3F:89:DE:98:E9:1F:...
> ssl_init private key file
> C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem
> successfully loaded
> association_add TCP port 443 protocol http handle 0410AD18
>
> dissect_ssl enter frame #318 (first time)
> ssl_session_init: initializing ptr 054E7040 size 564
> association_find: TCP port 53499 found 00000000
> packet_from_server: is from server - FALSE
> dissect_ssl server 82.133.39.247:443
>  conversation = 054E6D68, ssl_session = 054E7040
>  record: offset = 0, reported_length_remaining = 90
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 85 ssl, state 0x00
> association_find: TCP port 53499 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 1 offset 5 length 81 bytes,
> remaining 90
> dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
>
> dissect_ssl enter frame #318 (already visited)
>  conversation = 054E6D68, ssl_session = 00000000
>  record: offset = 0, reported_length_remaining = 90
> dissect_ssl3_record: content_type 22
> dissect_ssl3_handshake iteration 1 type 1 offset 5 length 81 bytes,
> remaining 90
>
> dissect_ssl enter frame #319 (first time)
>  conversation = 054E6D68, ssl_session = 054E7040
>  record: offset = 0, reported_length_remaining = 894
> dissect_ssl3_record found version 0x0301 -> state 0x11
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 889 ssl, state 0x11
> association_find: TCP port 443 found 0479EEA8
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
> remaining 894
> dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
> dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
> dissect_ssl3_hnd_srv_hello trying to generate keys
> ssl_generate_keyring_material not enough data to generate key (0x17
> required 0x37 or 0x57)
> dissect_ssl3_hnd_srv_hello can't generate keyring material
> dissect_ssl3_handshake iteration 0 type 11 offset 79 length 807 bytes,
> remaining 894
> dissect_ssl3_handshake iteration 0 type 14 offset 890 length 0 bytes,
> remaining 894
>
> dissect_ssl enter frame #321 (first time)
>  conversation = 054E6D68, ssl_session = 054E7040
>  record: offset = 0, reported_length_remaining = 186
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 134 ssl, state 0x17
> association_find: TCP port 53499 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes,
> remaining 139
> pre master encrypted[128]:
> 1b d8 4a 14 29 9b cf 00 6e 00 80 74 3f 9c fc ba
> bf 13 35 dd 95 7a da d3 7e 05 31 55 af c2 c0 ac
> bb 5a 36 fc 2c 91 c9 01 7f 6f 61 41 ab 5f 02 66
> 22 52 00 6f 3f 3b e5 ba d3 5b 65 44 46 5e d4 66
> ab 95 fd 22 e7 fe df d7 cf 24 7e 75 c1 75 99 cb
> 92 77 e7 f4 6c a6 87 87 ce 84 8f 1b 96 da cf 02
> cd f3 9d b1 83 e9 3b a3 1f a3 dc 86 cc 74 9f 49
> bb 9e 51 32 2c e0 62 82 1c 9f 4a 4d 24 98 de 0d
> ssl_decrypt_pre_master_secret:RSA_private_decrypt
> pcry_private_decrypt: stripping 0 bytes, decr_len zd
> decrypted_unstrip_pre_master[128]:
> 57 7b 54 a0 43 99 68 22 78 a5 fc 7d 6e f4 da 9f
> a8 e8 7c 3f e9 93 02 de ab 17 2f 1d f5 73 f5 f1
> a5 8a 1d f7 ff 75 58 8a 65 49 7a 36 5a 01 cd a3
> 72 d9 e1 5d 2d f8 6f a3 ce 86 c9 5c d7 5a 42 77
> 06 fe 8b ac 34 7d 3a 0d 07 d1 bf 26 ef 0e 35 39
> 88 29 75 53 5b d8 91 1a 64 a3 a0 f8 71 71 77 f0
> 9f 68 fd 81 c6 ec 77 ef 24 af f8 a0 dc c3 9b 5f
> a4 52 ec db 9a 2c 30 7a 94 39 8e eb 68 e7 38 35
> ssl_decrypt_pre_master_secret wrong pre_master_secret length (128,
> expected 48)
> dissect_ssl3_handshake can't decrypt pre master secret
>  record: offset = 139, reported_length_remaining = 47
> dissect_ssl3_record: content_type 20
> dissect_ssl3_change_cipher_spec
> association_find: TCP port 53499 found 00000000
> packet_from_server: is from server - FALSE
> ssl_change_cipher CLIENT
>  record: offset = 145, reported_length_remaining = 41
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 36 ssl, state 0x17
> association_find: TCP port 53499 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 240 offset 150 length 3164633
> bytes, remaining 186
>
> dissect_ssl enter frame #322 (first time)
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe