(re-sending, it seems that my first mail did not get through)
Hi,
I tried everything I could think of, but I still can't decipher the SSL
stream from my server.
Any help would be really appreciated.
I am running WireShark Version 1.0.1 (SVN Rev 25639) on Windows XP.
I've got the private key of the certificate exported in the PEM format,
not ciphered. It begins with:
-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQC6igE7s9qXN+PXa0mFQKTIrr7lZM/j+QQwd1FBK7Awy2+dTrlY
I've set Wireshark SSL to use it:
0.0.0.0,0,http,w:\open-privatekey.pem
and a debug log file:
d:\philippe\wireshark-ssl.log
I've captured the traffic remotely with:
sudo tcpdump -i eth1 -s 65535 -w mysite-tcpdump.pcap
When I load it in wireshark, it's not decoded. Looking at the debug log
output, I have:
ssl_init keys string:
0.0.0.0,0,http,w:\open-privatekey.pem
ssl_init found host entry 0.0.0.0,0,http,w:\open-privatekey.pem
ssl_init addr '0.0.0.0' port '0' filename 'w:\open-privatekey.pem'
password(only for p12 file) '(null)'
ssl_init private key file w:\open-privatekey.pem successfully loaded
association_add TCP port 0 protocol http handle 02C154C8
association_find: TCP port 993 found 03B164C0
ssl_association_remove removing TCP 993 - imap handle 02B39B88
association_add TCP port 993 protocol imap handle 02B39B88
association_find: TCP port 995 found 03B16500
ssl_association_remove removing TCP 995 - pop handle 037FBA10
association_add TCP port 995 protocol pop handle 037FBA10
For the first packets concerning my server, I get:
dissect_ssl enter frame #166 (first time)
ssl_session_init: initializing ptr 04804DA8 size 564
association_find: TCP port 46705 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 212.117.xx.yy:443
dissect_ssl can't find private key for this server! Try it again with
universal port 0
dissect_ssl can't find private key for this server (universal port)! Try
it again with universal address 0.0.0.0
dissect_ssl can't find any private key!
conversation = 04804BD0, ssl_session = 04804DA8
client random len: 16 padded to 32
I don't get why Wireshark can not find the key in this case.
dissect_ssl enter frame #167 (first time)
conversation = 04804BD0, ssl_session = 04804DA8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 927 ssl, state 0x11
association_find: TCP port 443 found 03ADCDD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes,
remaining 932
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 838 bytes,
remaining 932
dissect_ssl3_handshake iteration 0 type 14 offset 928 length 0 bytes,
remaining 932
And I don't get why there is not enough data to generate the key.
Any help really welcome.
cheers,
Philippe
