This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to decrypt SSL traffic inside Wireshark

Wireshark setup is using: 192.168.2.60(server),443(port),http(protocol - have also tried data) and associated private key

SSL decrypt log/output:

========================================================

ssl_association_remove removing TCP 443 - data handle 0375D520
Private key imported: KeyID 9a:64:14:cf:59:cf:a1:7a:55:4b:fb:c1:c4:66:b3:35:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.2.60' (192.168.2.60) port '443' filename 'C:\theta\theta2.rsa.pem' password(only for p12 file) ''
ssl_init private key file C:\theta\theta2.rsa.pem successfully loaded.
association_add TCP port 443 protocol data handle 0375D520

dissect_ssl enter frame #114 (first time)
ssl_session_init: initializing ptr 05AE73E8 size 588
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 240, ssl state 0x00
association_find: TCP port 44256 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 236 bytes, remaining 245 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.2.60:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #153 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 2045
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 2040, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 2045 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0016 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 1530 bytes, remaining 2045 
dissect_ssl3_handshake iteration 0 type 12 offset 1613 length 424 bytes, remaining 2045 
dissect_ssl3_handshake iteration 0 type 14 offset 2041 length 0 bytes, remaining 2045

dissect_ssl enter frame #156 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 158
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 102, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, remaining 107 
ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 107, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 113, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 8 offset 118 length 11577009 bytes, remaining 158

dissect_ssl enter frame #187 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #188 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 67 offset 5 length 5141154 bytes, remaining 45

dissect_ssl enter frame #190 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 170
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 44256 found 00000000
association_find: TCP port 443 found 07550E50
  record: offset = 29, reported_length_remaining = 141
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 136, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 44256 found 00000000
association_find: TCP port 443 found 07550E50

dissect_ssl enter frame #191 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 461
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 456, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 07550E50

dissect_ssl enter frame #192 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 1357
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1352, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 07550E50

dissect_ssl enter frame #194 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 29
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #197 (first time)
  conversation = 05AE6F64, ssl_session = 05AE73E8
  record: offset = 0, reported_length_remaining = 29
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

asked 11 Dec '12, 19:08

jeremycook123's gravatar image

jeremycook123
1111
accept rate: 0%


The SSL session is using the DH key exchange algorithm which can't be decrypted, the debug log shows this with the line:

ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt

If you can set the server or the client to use a different cipher suite that doesn't use DH then SSL decryption should work. You will have to search elsewhere to determine how to set the cipher suite for your server and client.

See the SSL Wiki page for more info.

permanent link

answered 12 Dec '12, 02:53

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620

question asked: 11 Dec '12, 19:08

question was seen: 9,500 times

last updated: 12 Dec '12, 02:53

p​o​w​e​r​e​d by O​S​Q​A