This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot successfully supply Master Secret and Session ID for SSL Decryption?


After capturing some SSL traffic (using tcpdump on an embedded linux system), I'm attempting to decrypt the traffic from the dumpfile using Wireshark (I've tried both v1.8.1 on linux and v1.8.2 on Win32).

The Session-ID was taken from the packet capture and the master secret was obtained from the memory of an application executing on the embedded system.

My key file looks like

RSA Session-ID:D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6 Master-Key:26D5441D31A01A98C8C12140DE5312E3905E0619351D25A906152FAB9834ABC2CFBA14C11841447ECB175646185F3FB8

With the obligatory newline afterwards.

I've selected "data" as the protocol (as I'm not sure what protocol lies inside the session--though most likely XML), but when applied, I get an error of "Can't load private key from /root/dump.test.ms" on the console and "ssl_load_key: can't import pem data" in the ssl.debug file.

It almost seems as if wireshark is treating the keyfile as an RSA/X.509 key and not the session & master secret?

Furthermore, if the master secret were incorrect, I would still expect wireshark to "decrypt" the data and present that in the view as decrypted.

Any pointers or thoughts would be appreciated.

asked 08 Sep '12, 14:33

puffdaddy

puffdaddy ... I need to get the Session-ID and Master-Secret for a Win32 C++ application for decrypting SSL/TLS traffic. How did you get the Session-ID and Master-Secret? Which software did you use? Could you please point me in the right direction?

(04 Aug '14, 09:30) izeid

One Answer:


To answer my own question, this was simple user error, as I didn't understand that the SSL Protocol dialog provided an input for RSA server keys, and a separate method to input Session-IDs and Master-Secrets (i.e. Edit->Preferences->Protocols->SSL->"(Pre)-Master-Secret log filename:"), and the file that you specify there should contain separate lines with the RSA Session-ID:D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6 Master-Key:26D5441D31A01A98C8C12140DE5312E3905E0619351D25A906152FAB9834ABC2CFBA14C11841447ECB175646185F3FB8 syntax.

After adding my file in that fashion, I needed to restart Wireshark, and then (after the restart--which seemed to perhaps allow Wireshark to load and possess the secrets contained in that file) I was able to then select "Follow SSL stream" and view the decrypted stream.

Cheers!

answered 11 Sep '12, 11:11

puffdaddy
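A pre-flight check for a file meant for the "(Pre)-Master-Secret log filename:" preference, using the line syntax quoted in the answer above. This is an added example, not part of the original posts and not Wireshark code; `check_keylog` is a hypothetical helper. It assumes the trailing newline the question calls obligatory, and applies the SSL/TLS limits of a 48-byte master secret and a session ID of at most 32 bytes.

```python
import re

# Line format quoted in the answer: RSA Session-ID:<hex> Master-Key:<hex>
LINE_RE = re.compile(r"RSA Session-ID:([0-9A-Fa-f]*) Master-Key:([0-9A-Fa-f]*)")
MASTER_SECRET_LEN = 48   # an SSL/TLS master secret is always 48 bytes
MAX_SESSION_ID_LEN = 32  # an SSL/TLS session ID is at most 32 bytes

def check_keylog(text):
    """Return (entries, problems): entries are (session_id, master_secret)
    byte pairs, problems are (line_number, message) pairs."""
    entries, problems = [], []
    if text and not text.endswith("\n"):
        # Assumption taken from the question, which calls the newline obligatory.
        problems.append((text.count("\n") + 1, "no newline at end of file"))
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("-----BEGIN"):
            # The mix-up from the question in reverse: PEM goes in the RSA keys list.
            problems.append((n, "PEM data: this belongs in the RSA keys list"))
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            problems.append((n, "not in 'RSA Session-ID:.. Master-Key:..' form"))
            continue
        sid_hex, ms_hex = m.groups()
        if not sid_hex or len(sid_hex) % 2 or len(sid_hex) // 2 > MAX_SESSION_ID_LEN:
            problems.append((n, "session ID must be 1-32 whole bytes of hex"))
        elif len(ms_hex) != 2 * MASTER_SECRET_LEN:
            problems.append((n, f"master key is {len(ms_hex)} hex digits, expected 96"))
        else:
            entries.append((bytes.fromhex(sid_hex), bytes.fromhex(ms_hex)))
    return entries, problems

# Line 1 is the entry from the question; lines 2 and 3 are constructed bad input.
SAMPLE = (
    "RSA Session-ID:D5407D99D48D4D094871F9938EF28F284C80ADA4F86EA96E75AB8E4E9374C7D6"
    " Master-Key:26D5441D31A01A98C8C12140DE5312E3905E0619351D25A906152FAB9834ABC2"
    "CFBA14C11841447ECB175646185F3FB8\n"
    "RSA Session-ID:00FF Master-Key:ABCD\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    ok, bad = check_keylog(SAMPLE)
    print(f"{len(ok)} usable entries")
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

A file that passes contains live session secrets, so it warrants the same handling as the capture it decrypts.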