
Wireshark-users: Re: [Wireshark-users] Problem deciphering an openssl stream

From: Philippe Fremy <phil@xxxxxxxxxxxxxxx>
Date: Thu, 07 Oct 2010 14:49:59 +0200
Hi Marco,

Marco Simone Zuppone wrote:
> Hello,
>  
> Sorry, I have one question: why are you using IP 0.0.0.0 and port 0?

I am doing that because that's what the log file recommends:

    dissect_ssl can't find private key for this server! Try it again with universal port 0
    dissect_ssl can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0

It's probably not the problem, but at least it rules out the possibility
that the problem is about matching the private key with the right server IP.

> You should use the IP of the web server and the port used by the HTTP(S)
> stream: normally 443.

I did that as well, but it does not improve my situation.

cheers,

Philippe

>  Regards,
> Marco S. Zuppone
> 
> On Thu, Oct 7, 2010 at 12:15 PM, Philippe Fremy <phil@xxxxxxxxxxxxxxx> wrote:
> 
> 
>     (re-sending, it seems that my first mail did not get through)
> 
>     Hi,
> 
>     I tried everything I could think of, but I still can't decipher the SSL
>     stream from my server.
> 
>     Any help would be really appreciated.
> 
>     I am running Wireshark Version 1.0.1 (SVN Rev 25639) on Windows XP.
> 
>     I've got the private key of the certificate exported in the PEM format,
>     not ciphered. It begins with:
> 
>     -----BEGIN RSA PRIVATE KEY-----
>     MIICXwIBAAKBgQC6igE7s9qXN+PXa0mFQKTIrr7lZM/j+QQwd1FBK7Awy2+dTrlY
> 
>     I've set Wireshark SSL to use it:
>     0.0.0.0,0,http,w:\open-privatekey.pem
> 
>     and a debug log file:
>     d:\philippe\wireshark-ssl.log
> 
>     I've captured the traffic remotely with:
>     sudo tcpdump -i eth1 -s 65535 -w mysite-tcpdump.pcap
> 
>     When I load it in Wireshark, it's not decoded. Looking at the debug log
>     output, I have:
> 
>     ssl_init keys string:
>     0.0.0.0,0,http,w:\open-privatekey.pem
>     ssl_init found host entry 0.0.0.0,0,http,w:\open-privatekey.pem
>     ssl_init addr '0.0.0.0' port '0' filename 'w:\open-privatekey.pem'
>     password(only for p12 file) '(null)'
>     ssl_init private key file w:\open-privatekey.pem successfully loaded
>     association_add TCP port 0 protocol http handle 02C154C8
>     association_find: TCP port 993 found 03B164C0
>     ssl_association_remove removing TCP 993 - imap handle 02B39B88
>     association_add TCP port 993 protocol imap handle 02B39B88
>     association_find: TCP port 995 found 03B16500
>     ssl_association_remove removing TCP 995 - pop handle 037FBA10
>     association_add TCP port 995 protocol pop handle 037FBA10
> 
>     For the first packets concerning my server, I get:
> 
>     dissect_ssl enter frame #166 (first time)
>     ssl_session_init: initializing ptr 04804DA8 size 564
>     association_find: TCP port 46705 found 00000000
>     packet_from_server: is from server - FALSE
>     dissect_ssl server 212.117.xx.yy:443
>     dissect_ssl can't find private key for this server! Try it again with
>     universal port 0
>     dissect_ssl can't find private key for this server (universal port)! Try
>     it again with universal address 0.0.0.0
>     dissect_ssl can't find any private key!
>      conversation = 04804BD0, ssl_session = 04804DA8
>     client random len: 16 padded to 32
> 
>     I don't get why Wireshark can not find the key in this case.
> 
>     dissect_ssl enter frame #167 (first time)
>      conversation = 04804BD0, ssl_session = 04804DA8
>     dissect_ssl3_record found version 0x0301 -> state 0x11
>     dissect_ssl3_record: content_type 22
>     decrypt_ssl3_record: app_data len 927 ssl, state 0x11
>     association_find: TCP port 443 found 03ADCDD8
>     packet_from_server: is from server - TRUE
>     decrypt_ssl3_record: using server decoder
>     decrypt_ssl3_record: no decoder available
>     dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes,
>     remaining 932
>     dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
>     dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
>     dissect_ssl3_hnd_srv_hello not enough data to generate key (required
>     0x37)
>     dissect_ssl3_handshake iteration 0 type 11 offset 86 length 838 bytes,
>     remaining 932
>     dissect_ssl3_handshake iteration 0 type 14 offset 928 length 0 bytes,
>     remaining 932
> 
>     And I don't get why there is not enough data to generate the key.
> 
>     Any help really welcome.
> 
>     cheers,
> 
>     Philippe
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
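
An added example, not part of the original thread: a small parser for the state masks that appear in the SSL debug log quoted above, showing which piece of key material the dissector is still waiting for. The bit names are an assumption (as recalled from Wireshark's SSL dissector source, not stated in the post); `SAMPLE_LOG` is an excerpt of the quoted log with the mail-wrapped lines re-joined.

```python
import re

# Bit names as recalled from Wireshark's SSL dissector source
# (assumption, not taken from the post).
STATE_BITS = {
    0x01: "CLIENT_RANDOM",
    0x02: "SERVER_RANDOM",
    0x04: "CIPHER",
    0x08: "HAVE_SESSION_KEY",
    0x10: "VERSION",
    0x20: "MASTER_SECRET",
}

# Key exchange of a few common suites (IANA cipher suite values).
KEY_EXCHANGE = {0x002F: "RSA", 0x0035: "RSA", 0x0033: "DHE_RSA", 0x0039: "DHE_RSA"}

# Excerpt of the debug log quoted in the post, wrapped lines re-joined.
SAMPLE_LOG = """\
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
"""

def decode_state(mask):
    """Return the names of the bits set in a dissector state mask."""
    return [name for bit, name in sorted(STATE_BITS.items()) if mask & bit]

def analyze(log):
    """Track the last state, the required mask and the cipher seen in a log."""
    result = {"state": 0, "required": None, "cipher": None}
    for line in log.splitlines():
        if m := re.search(r"-> state (0x[0-9A-Fa-f]+)", line):
            result["state"] = int(m.group(1), 16)
        if m := re.search(r"found CIPHER (0x[0-9A-Fa-f]+)", line):
            result["cipher"] = int(m.group(1), 16)
        if m := re.search(r"\(required (0x[0-9A-Fa-f]+)\)", line):
            result["required"] = int(m.group(1), 16)
    required = result["required"] or 0
    # Bits the dissector requires but has not collected yet.
    result["missing"] = decode_state(required & ~result["state"])
    result["key_exchange"] = KEY_EXCHANGE.get(result["cipher"], "unknown")
    return result

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("state   :", decode_state(report["state"]))
    print("missing :", report["missing"])
    print("kex     :", report["key_exchange"])
```

Under these assumptions, the only bit missing at ServerHello time in the quoted log is the master secret, which cannot be set before the ClientKeyExchange has been seen and decrypted with a matching private key.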