Wireshark-users: [Wireshark-users] Problem deciphering an openssl stream
From: Philippe Fremy <[email protected]>
Date: Thu, 07 Oct 2010 13:15:13 +0200
(re-sending, it seems that my first mail did not get through)


I tried everything I could think of, but I still can't decipher the SSL
stream from my server.

Any help would be really appreciated.

I am running WireShark Version 1.0.1 (SVN Rev 25639) on Windows XP.

I've got the private key of the certificate exported in the PEM format,
not ciphered. It begins with:


I've set Wireshark SSL to use it:,0,http,w:\open-privatekey.pem

and a debug log file:

I've captured the traffic remotely with:
sudo tcpdump -i eth1 -s 65535 -w mysite-tcpdump.pcap

When I load it in wireshark, it's not decoded. Looking at the debug log
output, I have:

ssl_init keys string:,0,http,w:\open-privatekey.pem
ssl_init found host entry,0,http,w:\open-privatekey.pem
ssl_init addr '' port '0' filename 'w:\open-privatekey.pem'
password(only for p12 file) '(null)'
ssl_init private key file w:\open-privatekey.pem successfully loaded
association_add TCP port 0 protocol http handle 02C154C8
association_find: TCP port 993 found 03B164C0
ssl_association_remove removing TCP 993 - imap handle 02B39B88
association_add TCP port 993 protocol imap handle 02B39B88
association_find: TCP port 995 found 03B16500
ssl_association_remove removing TCP 995 - pop handle 037FBA10
association_add TCP port 995 protocol pop handle 037FBA10

For the first packets concerning my server, I get:

dissect_ssl enter frame #166 (first time)
ssl_session_init: initializing ptr 04804DA8 size 564
association_find: TCP port 46705 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 212.117.xx.yy:443
dissect_ssl can't find private key for this server! Try it again with
universal port 0
dissect_ssl can't find private key for this server (universal port)! Try
it again with universal address
dissect_ssl can't find any private key!
  conversation = 04804BD0, ssl_session = 04804DA8
client random len: 16 padded to 32

I don't get why Wireshark can not find the key in this case.

dissect_ssl enter frame #167 (first time)
  conversation = 04804BD0, ssl_session = 04804DA8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 927 ssl, state 0x11
association_find: TCP port 443 found 03ADCDD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes,
remaining 932
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 838 bytes,
remaining 932
dissect_ssl3_handshake iteration 0 type 14 offset 928 length 0 bytes,
remaining 932

And I don't get why there is not enough data to generate the key.

Any help really welcome.