This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Decrypt SSL traffic

0

Trying to decrypt SSL traffic inside Wireshark

Wireshark setup is using: 192.168.2.60(server),443(port),http(protocol - have also tried data) and associated private key

SSL decrypt log/output:

========================================================

ssl_association_remove removing TCP 443 - data handle 0375D520
Private key imported: KeyID 9a:64:14:cf:59:cf:a1:7a:55:4b:fb:c1:c4:66:b3:35:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.2.60' (192.168.2.60) port '443' filename 'C:\theta\theta2.rsa.pem' password(only for p12 file) ''
ssl_init private key file C:\theta\theta2.rsa.pem successfully loaded.
association_add TCP port 443 protocol data handle 0375D520

dissect_ssl enter frame #114 (first time)
ssl_session_init: initializing ptr 05AE73E8 size 588
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 240, ssl state 0x00
association_find: TCP port 44256 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 236 bytes, remaining 245
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.2.60:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01


dissect_ssl enter frame #153 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 2045
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 2040, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 2045
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0016 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 1530 bytes, remaining 2045
dissect_ssl3_handshake iteration 0 type 12 offset 1613 length 424 bytes, remaining 2045
dissect_ssl3_handshake iteration 0 type 14 offset 2041 length 0 bytes, remaining 2045


dissect_ssl enter frame #156 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 158
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 102, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, remaining 107
ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 107, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 113, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 8 offset 118 length 11577009 bytes, remaining 158


dissect_ssl enter frame #187 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER


dissect_ssl enter frame #188 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 67 offset 5 length 5141154 bytes, remaining 45


dissect_ssl enter frame #190 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 170
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 44256 found 00000000
association_find: TCP port 443 found 07550E50
record: offset = 29, reported_length_remaining = 141
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 136, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 44256 found 00000000
association_find: TCP port 443 found 07550E50


dissect_ssl enter frame #191 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 461
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 456, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 07550E50


dissect_ssl enter frame #192 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 1357
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1352, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 07550E50


dissect_ssl enter frame #194 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 29
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #197 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 29
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

asked 11 Dec ‘12, 19:08

jeremycook123's gravatar image

jeremycook123
1111
accept rate: 0%

One Answer:

1

The SSL session is using the DH key exchange algorithm which can't be decrypted, the debug log shows this with the line:

ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt

If you can set the server or the client to use a different cipher suite that doesn't use DH then SSL decryption should work. You will have to search elsewhere to determine how to set the cipher suite for your server and client.

See the SSL Wiki page for more info.

answered 12 Dec '12, 02:53

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%