This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Decrypt SSL traffic

0

Trying to decrypt SSL traffic inside Wireshark

Wireshark setup is using: 192.168.2.60 (server), 443 (port), http (protocol - have also tried data) and the associated private key

SSL decrypt log/output:

========================================================

ssl_association_remove removing TCP 443 - data handle 0375D520
Private key imported: KeyID 9a:64:14:cf:59:cf:a1:7a:55:4b:fb:c1:c4:66:b3:35:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.2.60' (192.168.2.60) port '443' filename 'C:\theta\theta2.rsa.pem' password(only for p12 file) ''
ssl_init private key file C:\theta\theta2.rsa.pem successfully loaded.
association_add TCP port 443 protocol data handle 0375D520

dissect_ssl enter frame #114 (first time)
ssl_session_init: initializing ptr 05AE73E8 size 588
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 240, ssl state 0x00
association_find: TCP port 44256 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 236 bytes, remaining 245
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.2.60:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #153 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 2045
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 2040, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 2045
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0016 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 1530 bytes, remaining 2045
dissect_ssl3_handshake iteration 0 type 12 offset 1613 length 424 bytes, remaining 2045
dissect_ssl3_handshake iteration 0 type 14 offset 2041 length 0 bytes, remaining 2045

dissect_ssl enter frame #156 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 158
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 102, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, remaining 107
ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 107, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 113, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 8 offset 118 length 11577009 bytes, remaining 158

dissect_ssl enter frame #187 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #188 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 67 offset 5 length 5141154 bytes, remaining 45

dissect_ssl enter frame #190 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 170
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 44256 found 00000000
association_find: TCP port 443 found 07550E50
record: offset = 29, reported_length_remaining = 141
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 136, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 44256 found 00000000
association_find: TCP port 443 found 07550E50

dissect_ssl enter frame #191 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 461
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 456, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 07550E50

dissect_ssl enter frame #192 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 1357
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1352, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 07550E50

dissect_ssl enter frame #194 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 29
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #197 (first time)
conversation = 05AE6F64, ssl_session = 05AE73E8
record: offset = 0, reported_length_remaining = 29
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 24, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

asked 11 Dec ‘12, 19:08


jeremycook123
accept rate: 0%


One Answer:

1

The SSL session is using the DH key exchange algorithm, which can't be decrypted; the debug log shows this with the line:

ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt

If you can set the server or the client to use a different cipher suite that doesn't use DH then SSL decryption should work. You will have to search elsewhere to determine how to set the cipher suite for your server and client.

See the SSL Wiki page for more info.

answered 12 Dec '12, 02:53


grahamb ♦
accept rate: 22%
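
The diagnosis in the answer can be read off the debug log mechanically: the negotiated cipher suite, whether a ServerKeyExchange (handshake type 12) was sent, and the dissector's own refusal line. The Python script below is an added example, not part of the original thread or of Wireshark; the function name `triage`, the suite table and the second sample log are constructed for illustration.

```python
import re

# Key exchange by cipher suite ID (IANA TLS registry values; a subset chosen for this example).
KEX_BY_SUITE = {
    0x0004: "RSA", 0x0005: "RSA", 0x000A: "RSA", 0x002F: "RSA", 0x0035: "RSA",
    0x0016: "DHE", 0x0033: "DHE", 0x0039: "DHE",
    0xC013: "ECDHE", 0xC014: "ECDHE", 0xC02F: "ECDHE",
}
CIPHER_RE = re.compile(r"found CIPHER 0x([0-9A-Fa-f]{4})")
HANDSHAKE_RE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+) ")
REFUSED_RE = re.compile(r"ssl_decrypt_pre_master_secret session uses DH")
CCS_RE = re.compile(r"ssl_change_cipher (?:CLIENT|SERVER)")

# Lines copied from the debug log in the question above.
SAMPLE_DH = """\
dissect_ssl3_hnd_srv_hello found CIPHER 0x0016 -> state 0x17
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 1530 bytes, remaining 2045
dissect_ssl3_handshake iteration 0 type 12 offset 1613 length 424 bytes, remaining 2045
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, remaining 107
ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt
ssl_change_cipher CLIENT
dissect_ssl3_handshake iteration 1 type 8 offset 118 length 11577009 bytes, remaining 158
"""
# Constructed for contrast: same log format, RSA key exchange, no ServerKeyExchange.
SAMPLE_RSA = """\
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 1530 bytes, remaining 1700
dissect_ssl3_handshake iteration 0 type 14 offset 1613 length 0 bytes, remaining 1700
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
"""

def triage(log_text):
    """Report whether the key exchange in an SSL debug log permits RSA-key decryption."""
    out = {"suite": None, "kex": "unknown", "server_key_exchange": False,
           "dissector_refused": bool(REFUSED_RE.search(log_text)), "rsa_key_can_decrypt": None}
    m = CIPHER_RE.search(log_text)
    if m:
        out["suite"] = int(m.group(1), 16)
        out["kex"] = KEX_BY_SUITE.get(out["suite"], "unknown")
    # Handshake types logged after the first ChangeCipherSpec are encrypted Finished
    # messages parsed as garbage (type 8, type 67 above), so only trust what precedes it.
    ccs = CCS_RE.search(log_text)
    types = [int(t) for t in HANDSHAKE_RE.findall(log_text[:ccs.start()] if ccs else log_text)]
    out["server_key_exchange"] = 12 in types        # type 12 = ServerKeyExchange
    if out["dissector_refused"] or out["kex"] in ("DHE", "ECDHE"):
        out["rsa_key_can_decrypt"] = False          # ephemeral secret never crosses the wire
    elif out["kex"] == "RSA" and 16 in types:       # type 16 = ClientKeyExchange was captured
        out["rsa_key_can_decrypt"] = True
    return out
```

A result of `None` for `rsa_key_can_decrypt` means the suite is not in the table or the ClientKeyExchange was not captured, so the log alone does not settle the question.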