I'm using wireshark to inspect and hopefully decrypt a connection; the encrypted protocol details aren't known. I've set up SSL decryption as instructed at http://wiki.wireshark.org/SSL, but I'm not sure how significant the specification of the embedded protocol is. I tried something like:
x.x.x.x,4001,Data,c:cp.pem or x.x.x.x,4001,http,c:cp.pem
but in both cases wireshark doesn't show me any decrypted data.
I logged to the SSL debug file, below...
ssl_association_remove removing TCP 0 - http handle 044D9EA0
ssl_init keys string:
x.x.x.x,25472,http,c:\cp.pem
ssl_init found host entry x.x.x.x,25472,http,c:\cp.pem
ssl_init addr 'x.x.x.x' port '25472' filename 'c:\cp.pem' password(only for p12 file) '(null)'
Private key imported: KeyID ef:bc:76:41:d5:1b:8d:a4:c1:0a:fa:80:a1:05:bc:30:...
ssl_init private key file c:\cp.pem successfully loaded
association_add TCP port 25472 protocol http handle 044D9EA0
dissect_ssl enter frame #1 (first time)
ssl_session_init: initializing ptr 06161A30 size 584
conversation = 06161868, ssl_session = 06161A30
record: offset = 0, reported_length_remaining = 1
dissect_ssl enter frame #3 (first time)
conversation = 06161868, ssl_session = 06161A30
record: offset = 0, reported_length_remaining = 106
dissect_ssl3_record found version 0x0300 -> state 0x10
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010
record: offset = 37, reported_length_remaining = 69
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 64, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010
dissect_ssl enter frame #4 (first time)
conversation = 06161868, ssl_session = 06161A30
record: offset = 0, reported_length_remaining = 1
need_desegmentation: offset = 0, reported_length_remaining = 1
dissect_ssl enter frame #6 (first time)
conversation = 06161868, ssl_session = 06161A30
record: offset = 0, reported_length_remaining = 106
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010
record: offset = 37, reported_length_remaining = 69
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 64, ssl state 0x10
association_find: TCP port 55036 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 55036 found 00000000
association_find: TCP port 25472 found 05CAC010
dissect_ssl enter frame #14 (first time)
ssl_session_init: initializing ptr 0616259C size 584
conversation = 06162258, ssl_session = 0616259C
record: offset = 0, reported_length_remaining = 72
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 67, ssl state 0x00
association_find: TCP port 55148 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 63 bytes, remaining 72
packet_from_server: is from server - FALSE
ssl_find_private_key server x.x.x.x:25472
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #27 (first time)
conversation = 06162258, ssl_session = 0616259C
record: offset = 0, reported_length_remaining = 1460
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0035 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
record: offset = 79, reported_length_remaining = 1381
need_desegmentation: offset = 79, reported_length_remaining = 1381
dissect_ssl enter frame #28 (first time)
conversation = 06162258, ssl_session = 0616259C
record: offset = 0, reported_length_remaining = 1877
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1854, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1850 bytes, remaining 1859
record: offset = 1859, reported_length_remaining = 18
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 13, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1864 length 5 bytes, remaining 1877
dissect_ssl3_handshake iteration 0 type 14 offset 1873 length 0 bytes, remaining 1877
dissect_ssl enter frame #30 (first time)
conversation = 06162258, ssl_session = 0616259C
record: offset = 0, reported_length_remaining = 1460
need_desegmentation: offset = 0, reported_length_remaining = 1460
dissect_ssl enter frame #31 (first time)
conversation = 06162258, ssl_session = 0616259C
record: offset = 0, reported_length_remaining = 2498
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1886, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1882 bytes, remaining 1891
record: offset = 1891, reported_length_remaining = 607
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 260, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 1896 length 256 bytes, remaining 2156
pre master encrypted[256]:
97 09 d7 2f d8 da 1d 3f 60 55 d5 fa 95 e0 1b 94
dd f6 48 4b 0c 82 aa 2f f2 b0 5e 7d a0 60 b8 2c
30 54 4d 26 d1 a8 3a fc 00 87 fa bd a3 0e 73 b0
35 34 65 09 30 8b 60 67 77 5a 24 76 9b 12 d1 91
75 80 f9 09 af f3 1c 24 64 df d1 43 10 90 63 b6
44 3c 03 0d a5 81 6d 3f 29 7f 25 0e 19 83 f8 5e
25 9e 6c c1 f8 18 25 ab f0 7e e8 aa 50 29 22 1a
94 bf 32 f2 a3 4f a9 44 6e 96 10 13 c7 31 7e 7a
cc d2 6d e6 f2 24 ee 59 d9 bf 08 86 2f fe 2d 79
6a 94 0c 51 65 75 f6 ec 1d 18 bd 8f c7 90 ec d9
08 f5 f6 a7 9e 56 42 8f 28 7e 4c c1 00 d4 0e 34
6d 60 7c 74 33 09 2f d9 74 d2 e5 32 b0 ae ce 25
f3 eb 55 78 e9 c5 e9 61 64 89 9b f3 5d 62 aa 1c
88 6a 6d 30 71 1c 1b 17 00 42 6b 12 9b 0f 56 90
5f d7 98 5e a6 27 94 2a 25 ab 95 3c d2 ec 5f 07
1e dd ee 8c e6 ae 8d e2 c7 da 84 06 14 49 1c c2
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 211 bytes, decr_len 256
decrypted_unstrip_pre_master[256]:
03 1f 7d de 96 11 d5 0e ee 86 c6 87 b8 d8 44 69
61 06 d3 1f 36 57 87 22 58 60 3f b5 08 e9 37 6e
08 15 39 e1 9b d8 24 b2 b7 61 c3 15 51 cc 2a 6b
65 ce 89 d9 59 28 a0 f6 a9 24 70 f9 35 77 c2 07
a1 66 49 11 0c 1c 0b 1a 4e eb ac 14 91 95 4f 77
9f 07 45 09 cc 69 55 c3 19 9a d7 92 bc 02 45 bc
6d 42 59 fd 7a ed c3 07 35 20 05 a3 35 3c d1 35
03 bd a8 68 89 31 50 24 28 2f db 5f 20 26 6e 0d
82 6d 93 fe b3 c1 fb b4 4d 9d 3a 8c 9e d1 5b 81
19 8a 93 16 ab 6e 6f 56 59 cb 99 14 46 6d 1a 18
0b 72 a7 c7 cd f7 6c 62 42 b5 bb d5 6c 65 0a 19
0e 44 38 b7 03 90 07 c9 2b 81 a1 03 4f 55 fa ec
71 ec 70 c6 76 0d 80 36 6d 88 06 88 8c 45 83 6d
72 77 00 5b fc 83 fd 54 75 32 b8 99 89 6e c5 02
f4 12 67 2a 4e ba 0d 09 63 f5 f7 5b 54 f1 6d 87
21 ea 25 a0 8f 24 1b 6a 0a c7 7c 72 74 6f a8 65
ssl_decrypt_pre_master_secret wrong pre_master_secret length (45, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 2156, reported_length_remaining = 342
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 15 offset 2161 length 258 bytes, remaining 2423
record: offset = 2423, reported_length_remaining = 75
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 2429, reported_length_remaining = 69
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 64, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 6 offset 2434 length 4099005 bytes, remaining 2498
(rest of ssl debug output deleted by SYNbit to enhance readability)
asked 17 Dec ‘10, 11:59
dwhsix
1●1●1●3
accept rate: 0%
edited 18 Dec ‘10, 00:50
SYN-bit ♦♦
17.1k●9●57●245
Yeah, I suspect that's probably the case and I wondered if that's what that debug entry meant.
A little puzzled, because I'm pretty sure it's the correct private key. But obviously not... I'll dig a little more.
Thanks!
In my presentation I show how you can check if the two match... :-)