Wireshark-users: Re: [Wireshark-users] need help with decrypting ssl messages
From: Al <[email protected]>
Date: Thu, 14 Oct 2010 13:29:54 -0700 (PDT)
Doug,

1. Yes. I started up Wireshark listening only on the server IP and it records everything with "client hello".

2. Yes, but it is blank. Actually the protocol is only TCP, SSLv2, TLSv1.

I also found this message:

decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material

It seems the server decoder isn't available - how do I make it available or select some other decoder?

Also another question... When I am listening on the IP, I as the client am sending files of about 2-3 MB. I browsed through the Wireshark frames but I don't really see anything that big... I am curious as to whether the data's size isn't being shown or the file was never transmitted?

Thanks

--- On Thu, 10/14/10, Burks, Doug <[email protected]> wrote:

> From: Burks, Doug <[email protected]>
> Subject: Re: [Wireshark-users] need help with decrypting ssl messages
> To: "Community support list for Wireshark" <[email protected]>
> Date: Thursday, October 14, 2010, 3:47 PM
> Your preferences config looks correct
> (it should be "http" NOT "https").
> 
> 
> Two questions:
> 1.  Does your capture contain the ENTIRE conversation
> (including the
> Client Hello)?
> 2.  Have you tried "Follow SSL Stream" instead of
> "Follow TCP Stream"?
> 
> Regards,
> --
> Doug Burks, GSE, CISSP
> 
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> On Behalf Of Al
> Sent: Thursday, October 14, 2010 3:15 PM
> To: [email protected]
> Subject: [Wireshark-users] need help with decrypting ssl
> messages
> 
> 
> I followed a guide where I extracted my private key and inserted it into the SSL preferences in Wireshark like:
> 
> 123.456.55.678,443,http,C:\testkey.pem
> 
> I tried both http and https - I thought since I am talking to the server in https it might be https? Anyway, both failed to decrypt (I still see jargon raw data when I view the TCP stream).
> The debug log gives me:
>  
>  
> ssl_association_remove removing TCP 443 - http handle 03164D48
> ssl_init keys string: 123.456.55.678,443,http,C:\testkey.pem
> ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem
> ssl_init addr '123.456.55.678' port '443' filename 'C:\testkey.pem' password(only for p12 file) '(null)'
> Private key imported: KeyID 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
> ssl_init private key file C:\testkey.pem successfully loaded
> association_add TCP port 443 protocol http handle 03164D48
> 
> dissect_ssl enter frame #4 (first time)
> ssl_session_init: initializing ptr 04E41BAC size 584
>   conversation = 04E41868, ssl_session = 04E41BAC
>   record: offset = 0, reported_length_remaining = 100
> packet_from_server: is from server - FALSE
> ssl_find_private_key server 123.456.55.678:443
> client random len: 32 padded to 32
> dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01
> ........
>  
>  
> So it seems the key has been found and loaded BUT when I check the STOPPED TCP stream it is still all jargon... what am I doing wrong here? Thanks
> 
> I am pretty sure I am on the right server since the key is loaded and I checked netstat and found the IP of the webservice... but still from Wireshark the client basically does the handshake and cert check with the server and then afterwards the server just sends "fin" and ends it.... really not sure what's going on here...
>  
>  
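The "not enough data to generate key (0x17 required 0x37 or 0x57)" line in Al's debug log is the dissector reporting its session-state bitmask: what handshake material it has versus what it needs before it can derive record keys. The small Python script below is an added example (not code from the thread or from Wireshark) that parses such lines and names the missing pieces; the bit-to-name mapping is an assumption taken from the SSL dissector's state flags of that era, and the log's own "found CLIENT RANDOM -> state 0x01" is consistent with the lowest bit.

```python
import re

# Assumed Wireshark SSL dissector state bits (packet-ssl-utils.h, ~2010).
STATE_FLAGS = {
    0x01: "CLIENT_RANDOM",
    0x02: "SERVER_RANDOM",
    0x04: "CIPHER",
    0x08: "HAVE_SESSION_KEY",
    0x10: "VERSION",
    0x20: "MASTER_SECRET",
    0x40: "PRE_MASTER_SECRET",
}

KEYRING_RE = re.compile(
    r"ssl_generate_keyring_material not enough data to generate key "
    r"\(0x([0-9a-fA-F]+) required 0x([0-9a-fA-F]+) or 0x([0-9a-fA-F]+)\)"
)


def flag_names(mask):
    """Expand a state bitmask into the names of the bits that are set."""
    return [name for bit, name in sorted(STATE_FLAGS.items()) if mask & bit]


def explain_keyring_failure(line):
    """Return (have, [missing for alt A, missing for alt B]) or None if no match."""
    m = KEYRING_RE.search(line)
    if not m:
        return None
    have, req_a, req_b = (int(x, 16) for x in m.groups())
    missing = [flag_names(req & ~have) for req in (req_a, req_b)]
    return flag_names(have), missing


def diagnose(log_text):
    """Scan an ssl debug log and collect every keyring-material failure."""
    findings = []
    for line in log_text.splitlines():
        result = explain_keyring_failure(line)
        if result:
            findings.append({"have": result[0], "missing_either": result[1]})
    return findings


# Constructed sample: the four lines quoted in the message above.
SAMPLE_LOG = """\
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("have:", ", ".join(f["have"]))
        print("missing (either):", " | ".join(", ".join(m) for m in f["missing_either"]))
```

For the log above it reports that client random, server random, cipher and version are present but neither a master secret nor a pre-master secret was obtained, which is what you see when the RSA key cannot decrypt the ClientKeyExchange (key does not match the certificate the server presented, the ClientKeyExchange was not captured, or the suite uses DH(E) key exchange, which a server private key cannot recover).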