Wireshark-users: Re: [Wireshark-users] Problem deciphering an openssl stream
From: Marco Simone Zuppone <[email protected]>
Date: Thu, 7 Oct 2010 12:28:31 +0100
Hello,
 
sorry I have one question: whay you are using ip 0.0.0.0 and port 0??
You should use the IP of the web server and the port used by the HTTP(S) stream: normally 443.
 Regards,
Marco S. Zuppone

On Thu, Oct 7, 2010 at 12:15 PM, Philippe Fremy <[email protected]> wrote:

(re-sending, it seems that my first mail did not get through)

Hi,

I tried everything I could think of, but I still can't decipher the SSL
stream from my server.

Any help would be really appreciated.

I am running WireShark Version 1.0.1 (SVN Rev 25639) on Windows XP.

I've got the private key of the certificate exported in the PEM format,
not ciphered. It begins with:

-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQC6igE7s9qXN+PXa0mFQKTIrr7lZM/j+QQwd1FBK7Awy2+dTrlY

I've set Wireshark SSL to use it:
0.0.0.0,0,http,w:\open-privatekey.pem

and a debug log file:
d:\philippe\wireshark-ssl.log

I've captured the traffic remotely with:
sudo tcpdump -i eth1 -s 65535 -w mysite-tcpdump.pcap

When I load it in wireshark, it's not decoded. Looking at the debug log
output, I have:

ssl_init keys string:
0.0.0.0,0,http,w:\open-privatekey.pem
ssl_init found host entry 0.0.0.0,0,http,w:\open-privatekey.pem
ssl_init addr '0.0.0.0' port '0' filename 'w:\open-privatekey.pem'
password(only for p12 file) '(null)'
ssl_init private key file w:\open-privatekey.pem successfully loaded
association_add TCP port 0 protocol http handle 02C154C8
association_find: TCP port 993 found 03B164C0
ssl_association_remove removing TCP 993 - imap handle 02B39B88
association_add TCP port 993 protocol imap handle 02B39B88
association_find: TCP port 995 found 03B16500
ssl_association_remove removing TCP 995 - pop handle 037FBA10
association_add TCP port 995 protocol pop handle 037FBA10

For the first packets concerning my server, I get:

dissect_ssl enter frame #166 (first time)
ssl_session_init: initializing ptr 04804DA8 size 564
association_find: TCP port 46705 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 212.117.xx.yy:443
dissect_ssl can't find private key for this server! Try it again with
universal port 0
dissect_ssl can't find private key for this server (universal port)! Try
it again with universal address 0.0.0.0
dissect_ssl can't find any private key!
 conversation = 04804BD0, ssl_session = 04804DA8
client random len: 16 padded to 32

I don't get why Wireshark can not find the key in this case.

dissect_ssl enter frame #167 (first time)
 conversation = 04804BD0, ssl_session = 04804DA8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 927 ssl, state 0x11
association_find: TCP port 443 found 03ADCDD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes,
remaining 932
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 838 bytes,
remaining 932
dissect_ssl3_handshake iteration 0 type 14 offset 928 length 0 bytes,
remaining 932

And I don't get why there is not enough data to generate the key.

Any help really welcome.

cheers,

Philippe







___________________________________________________________________________
Sent via:    Wireshark-users mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:[email protected]?subject=unsubscribe