This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypt SSL traffic problem because of DHE Cipher

0

Decrypt SSL traffic problem because of DHE Cipher

Hi,

I read a lot about Wireshark and decrypting SSL using the private key. I read most of the post SYN-bit wrote, and saw his presentations he did @Sharkfest.

I just want to know, how can I create a SSL certificate without the DHE cipher in it? I went through lots of doc. and man pages, but still can't figure it out.

I use wireshark 1.6.6, and am unable to decrypt the traffic I capture.

regards,

asked 18 Aug '12, 15:27

sha8e's gravatar image

sha8e
6115
accept rate: 0%


3 Answers:

1

In the files that you sent me, the server has address 127.0.1.1 and not 127.0.0.1, so you need to fill in 127.0.1.1 in the SSL preferences to make it work...

answered 19 Aug '12, 05:06

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Man I've been working since yesterday, I never ever noticed that. This really makes me sad :(

I'm very sorry I took your precious time to solve a dumb case like this.

BTW, why was Wireshark unable to capture the password sent between the client and server? I can see the response from the php application in the captures, but I'm unable to see the username/password I sent to login!

Thank you very much SYN-bit.

(19 Aug '12, 05:22) sha8e

1

t is not the certificate that has a DHE cipher in it. The client presents a list of ciphers it supports and then the server choses one of those ciphers that it supports. The way to make sure that a non-DH cipher is used, you can either limit the supported ciphers on the client or limit the supported ciphers on the server.

If you use Firefox, you can type "about:config" in the location bar and then do a search on "dh" and disable all DH ciphers. On the server part it depends on your server type. In Apache you can use something like "SSLCipherSuite ALL:!DH".

answered 18 Aug '12, 16:10

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks for your quick reply. I disabled all that as you told me. Still I'm unable to do the test.

What I did is the following: openssl req -new -x509 -out server.pem -nodes -keyout privkey.pem

Copied them to /etc/ssl/private & chmod 400 them.

Configured Apache2 with the following: SSLCertificateFile /etc/ssl/private/privkey.pem SSLCertificateKeyFile /etc/ssl/private/server.pem

All other SSL Apache directives are commented, except the SSLEngine is on.

Now I ran Wireshark and connected to the website (locally server). I first got this notification from firefox that the certificate is self-signed and requires an exception from me to be added. I did that, and the website opened.

All that traffic was captured in Wireshark. I added the following to the ~/.wireshark/ssl_keys "server.local","443","http","/etc/ssl/private/server.pem"

All other configurations you talked about in other posts was done too, such as debug and restarting Wireshark.

But till now there is no decrypted traffic seen in Wireshark. What do you think is the problem?

I appreciate all the time and efforts you do in helping me and others.

Regards,

(18 Aug '12, 16:27) sha8e

(I converted your answer to a comment, please reread the FAQ :-))

All that traffic was captured in Wireshark. I added the following to the ~/.wireshark/ssl_keys "server.local","443","http","/etc/ssl/private/server.pem"

I have not tried myself, but I believe there is no name resolution in the SSL key settings, so you need to configure the IP address of your local server. Also you need to use the private key instead of the certificate. You will have an entry like this:

"<ip-of-server>","443","http","/etc/ssl/private/privkey.pem"
(19 Aug '12, 00:24) SYN-bit ♦♦

I had to add my last reply as a reply because of the chars. left in comments :(

That was a typo SYN-bit, my config is indeed like this: "server.local","443","http","/etc/ssl/private/privkey.pem"

I also have server.local configured in my /etc/hosts: 127.0.0.1 server.local

Is that what you mean? And do you think the problem is with Firefox? I'll give it a try using the openssl client.

(19 Aug '12, 02:57) sha8e

I did the following:

[email protected]:~# tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/etc/apache2/ssl/privkey.pem" -o "ssl.debug_file: /root/wireshark-log" -i lo -R "tcp.port == 443" Running as user "root" and group "root". This could be dangerous. Capturing on lo

And the output is below in next comment :(

(19 Aug '12, 04:15) sha8e
1

Looking at the source code, hostnames are indeed supported. But only is name resolving is enabled in the settings. Could you try with a hardcoded IP address (127.0.0.1) in the SSL key list instead of the hostname?

Are you able to share your tracefile & key? That would make helping you a lot easier :-)

(19 Aug '12, 04:16) SYN-bit ♦♦

0.000000 127.0.0.1 -> 127.0.0.1 TCP 74 58959 > https [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=187391094 TSecr=0 WS=16 0.000010 127.0.0.1 -> 127.0.0.1 TCP 74 https > 58959 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=187391094 TSecr=187391094 WS=16 0.000017 127.0.0.1 -> 127.0.0.1 TCP 66 58959 > https [ACK] Seq=1 Ack=1 Win=32800 Len=0 TSval=187391094 TSecr=187391094 0.000216 127.0.0.1 -> 127.0.0.1 SSL 155 Client Hello

(19 Aug '12, 04:17) sha8e

0.000017 127.0.0.1 -> 127.0.0.1 TCP 66 58959 > https [ACK] Seq=1 Ack=1 Win=32800 Len=0 TSval=187391094 TSecr=187391094 0.000216 127.0.0.1 -> 127.0.0.1 SSL 155 Client Hello 0.000231 127.0.0.1 -> 127.0.0.1 TCP 66 https > 58959 [ACK] Seq=1 Ack=90 Win=32768 Len=0 TSval=187391094 TSecr=187391094 0.000553 127.0.0.1 -> 127.0.0.1 SSLv3 1116 Server Hello, Certificate, Server Hello Done 0.000594 127.0.0.1 -> 127.0.0.1 TCP 66 58959 > https [ACK] Seq=90 Ack=1051 Win=34896 Len=0 TSval=187391094 TSecr=187391094

(19 Aug '12, 04:17) sha8e

0.001393 127.0.0.1 -> 127.0.0.1 SSLv3 294 Client Key Exchange, Change Cipher Spec, Finished 0.002275 127.0.0.1 -> 127.0.0.1 SSLv3 157 Change Cipher Spec, Finished 0.009225 127.0.0.1 -> 127.0.0.1 HTTP 156 GET / HTTP/1.1 0.009384 127.0.0.1 -> 127.0.0.1 HTTP 508 HTTP/1.1 400 Bad Request (text/html) 0.009448 127.0.0.1 -> 127.0.0.1 SSLv3 103 Alert (Level: Warning, Description: Close Notify)

(19 Aug '12, 04:17) sha8e

0.009448 127.0.0.1 -> 127.0.0.1 SSLv3 103 Alert (Level: Warning, Description: Close Notify) 0.009504 127.0.0.1 -> 127.0.0.1 TCP 66 https > 58959 [FIN, ACK] Seq=1621 Ack=408 Win=33840 Len=0 TSval=187391096 TSecr=187391096 0.009957 127.0.0.1 -> 127.0.0.1 SSLv3 103 Alert (Level: Warning, Description: Close Notify) 0.010013 127.0.0.1 -> 127.0.0.1 TCP 66 58959 > https [FIN, ACK] Seq=445 Ack=1622 Win=36992 Len=0 TSval=187391096 TSecr=187391096 0.010036 127.0.0.1 -> 127.0.0.1 TCP 66 https > 58959 [ACK] Seq=1622 Ack=446 Win=33840 Len=0 TSval=187391096 TSecr=187391096

(19 Aug '12, 04:18) sha8e

I also did the hardcoded IP but nothing new :(

Sure, I sent you all the files.

Thank you SYN-bit.

(19 Aug '12, 04:43) sha8e
1

Well, the above output shows that you did indeed decrypt the traffic:

0.001393 127.0.0.1 -> 127.0.0.1 SSLv3 294 Client Key Exchange, Change Cipher Spec, Finished

The Finished handshake message would look like "Encrypted Handshake Message" if decryption did not work.

0.002275 127.0.0.1 -> 127.0.0.1 SSLv3 157 Change Cipher Spec, Finished 0.009225 127.0.0.1 -> 127.0.0.1 HTTP 156 GET / HTTP/1.1 0.009384 127.0.0.1 -> 127.0.0.1 HTTP 508 HTTP/1.1 400 Bad Request (text/html)

And here is the HTTP data from within the SSL stream.

(19 Aug '12, 04:59) SYN-bit ♦♦
showing 5 of 11 show 6 more comments

0

And here is the openssl client test:

[email protected]:~# (echo GET / HTTP/1.1; echo ; sleep 1) | openssl s_client -ssl3 -connect 127.0.0.1:443 -cert server.pem -key privkey.pem 
CONNECTED(00000003)
depth=0 /C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
verify return:1
---
Certificate chain
 0 s:/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
   i:/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDqDCCAxGgAwIBAgIJAK1kHE4p88WqMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYD
VQQGEwJKUDESMBAGA1UECBMJSGlyb3NoaW1hMRIwEAYDVQQHEwlIaXJvc2hpbWEx
DjAMBgNVBAoTBVNIQThFMRkwFwYDVQQLExBUcmFmZmljIEFuYWx5c2lzMRMwEQYD
VQQDEwpidC5mb28ub3JnMR4wHAYJKoZIhvcNAQkBFg9yb290QGJ0LmZvby5vcmcw
HhcNMTIwODE4MTMxMzA5WhcNMTIwOTE3MTMxMzA5WjCBlTELMAkGA1UEBhMCSlAx
EjAQBgNVBAgTCUhpcm9zaGltYTESMBAGA1UEBxMJSGlyb3NoaW1hMQ4wDAYDVQQK
EwVTSEE4RTEZMBcGA1UECxMQVHJhZmZpYyBBbmFseXNpczETMBEGA1UEAxMKYnQu
Zm9vLm9yZzEeMBwGCSqGSIb3DQEJARYPcm9vdEBidC5mb28ub3JnMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQC+1JYCj9tnygdHFPOztVbnztj2zdQRpDMR+xNO
6wYHXL0PpgrKD9N1JVVr1TEqPJb2gTn/mqay9w/npEM4B+XSYFMs38E/cRIEtEDA
QNsS/K5BqB9awwJ3ws8c/V24ZH3eweXd2ucYe4VJY/lDC8OjyOnMbE03X4c38O56
BzG7/QIDAQABo4H9MIH6MB0GA1UdDgQWBBQJntO243wq6c08Rl8ReQlKbNNDdTCB
ygYDVR0jBIHCMIG/gBQJntO243wq6c08Rl8ReQlKbNNDdaGBm6SBmDCBlTELMAkG
A1UEBhMCSlAxEjAQBgNVBAgTCUhpcm9zaGltYTESMBAGA1UEBxMJSGlyb3NoaW1h
MQ4wDAYDVQQKEwVTSEE4RTEZMBcGA1UECxMQVHJhZmZpYyBBbmFseXNpczETMBEG
A1UEAxMKYnQuZm9vLm9yZzEeMBwGCSqGSIb3DQEJARYPcm9vdEBidC5mb28ub3Jn
ggkArWQcTinzxaowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAvBloE
YBE6FqJl+/CCrKDQz1Skb/qlaBh3JM/uOQ3Ua8PY+5jTYmnuEQ6kX+cDROtSynP8
B4EBgMUkwkWuwRN7ajG6tW4aG6YorwQstmNGGuBXMQzQ60atXK/9+319dcYQjUOJ
dtvEuKthSxv8S8GSblHNHB3/kNtlkhqr9ZSFVw==
-----END CERTIFICATE-----
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
issuer=/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1141 bytes and written 317 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 32CEC84CCD0AF087BE51A677BAD15639983FC4FCEE45D8110F0989E14C7821EE
    Session-ID-ctx: 
    Master-Key: 7377D1ECBEF3A21E4034B7FD457074AD3C71312C85E7283757A5D84B5580C7F69EF734476B95045EC435360C03053ADF
    Key-Arg   : None
   Compression: 1 (zlib compression)
    Start Time: 1345330539
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
HTTP/1.1 400 Bad Request
Date: Sat, 18 Aug 2012 22:55:39 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 303
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <hr> <address>Apache/2.2.14 (Ubuntu) Server at server.local Port 443</address> </body></html> closed

answered 19 Aug ‘12, 04:21

sha8e's gravatar image

sha8e
6115
accept rate: 0%

edited 19 Aug ‘12, 04:24

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

Here is the test: http://www.cloudshark.org/captures/dc99a1e082b6

I will send you keys, and other stuff @email. I hope that’s fine with you.

Thank you very much for your time in helping me out. I really appreciate that.

(19 Aug ‘12, 04:38) sha8e

I noticed its saying:

Continuation or non-HTTP traffic[Malformed Packet]

I think this is the HTTP POST. But strange, why is Wireshark seeing it like that!

(19 Aug ‘12, 05:56) sha8e
1

For some reason the first byte of the request gets sent in one SSL record and the rest of the request is sent in another SSL record. Somehow Wireshark has problems re-assembling those parts. This is probably a bug. I’ll try to find some time to have a look at it, but don’t wait up for me ;-)

(19 Aug ‘12, 06:10) SYN-bit ♦♦

Do you want me to file a bug report or something? This is very important to me, I will wait for you, because no one maybe knows about it, except you :D

Thank you SYN-bit

(19 Aug ‘12, 13:11) sha8e
1

No need to file a bug-report. I found the issue and fixed it in SVN 44593.

In a couple of hours you can download an automated built from http://www.wireshark.org/download/automated/ (please pick a file with a version number of 44953 or higher). Or you can wait for the next official release in which the fix will be included.

(19 Aug ‘12, 16:55) SYN-bit ♦♦

Thank you SYN-bit, I think I’ll wait for the official release better than screwing up my current system with compilation issues :)

I hope the builders for Linux won’t take long in doing the update.

Your help was very grateful, you not only helped me, but I learned lots from you and your comments to other posts, plus your precious presentations.

Wish you good luck always.

(20 Aug ‘12, 03:35) sha8e

You are very welcome. I extracted my comments to a new answer, as it might help others :-)

If you feel your question is answered, please accept the asnwer that did indeed answer your question best by clicking on the check-mark next to it. This will help others and remove your question from the “unanswered questions” list.

(20 Aug ‘12, 09:42) SYN-bit ♦♦

You’re the boss, anything you say. I marked it as answered even though honestly most of your replies were part of the whole answer. So how can I mark them all :$

(20 Aug ‘12, 09:56) sha8e

Hola, I just downloaded the new version of Wireshark 1.8.1, and it still doesn’t capture the first POST packet! SYN-bit did you test it?

(21 Aug ‘12, 16:47) sha8e

That’s because 1.8.1 was already released before I committed the change. You will have to wait until 1.8.2 comes out. Or use one of the automated builds from http://www.wireshark.org/download/automated/

(21 Aug ‘12, 22:23) SYN-bit ♦♦
showing 5 of 10 show 5 more comments