This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark fails to decipher application data out of SSL


I've looked around for similar logs, but found no actual solution. The dump was taken using

tcpdump -s 0 -i eth0 -v -w dump.pcap

Log: pastebin Dump: cloudshark

I'm out of ideas about what may be wrong; some time earlier it worked as usual, but now it does not.

asked 31 Dec '12, 04:56


Alexey Pelykh

edited 31 Dec '12, 05:26


One Answer:


The only SSL/TLS connections in that capture file are to servers of whatsapp.net. Do you have access to their private key?

If no, then you cannot decrypt those SSL connections. See the SSL wiki:

http://wiki.wireshark.org/SSL

If yes (because you are the WhatsApp CEO or the web server admin), then you have entered the key in the wrong format, hence the following message in the debug file:

ssl_find_private_key can't find private key for this server!

What are you trying to do?

Regards
Kurt

answered 31 Dec '12, 05:35

Kurt Knochner ♦

edited 31 Dec '12, 05:40

Yes, I don't have the private key, but the odd thing is:

dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
record: offset = 86, reported_length_remaining = 1374
need_desegmentation: offset = 86, reported_length_remaining = 1374

(31 Dec '12, 05:41) Alexey Pelykh

Yes, I don't have the private key,

Then you cannot decrypt SSL, unless you have found a secret bug in the SSL encryption scheme ;-)

An alternative would be to use the '(Pre)-Master-Secret' output by the SSL client (see SSL wiki).

(31 Dec '12, 05:44) Kurt Knochner ♦

Kurt is right, @Alexey. SSL is purposely designed to be unencryptable by a man-in-the-middle, which is what Wireshark is. In absence of the remote site's private key, you would need to have state information generated on the fly within the local program setting up the SSL session. Read more about SSL and you will see why this is the case.

(02 Jan '13, 06:20) Warren Young
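To illustrate the point made in the two comments above (decryption needs per-session state that only an endpoint has), here is an added example that is not part of the original thread: it parses the client_random out of a ClientHello record and looks it up in a key log in the NSS "CLIENT_RANDOM" format, which is the '(Pre)-Master-Secret' log Wireshark can read. The ClientHello bytes and the key log lines are constructed samples; a capture with no matching log line is exactly the situation in the question, and the lookup returns None.

```python
# Added example (not from the original thread). A key log written by the TLS client
# maps each session's client_random to its master secret; a passive capture alone
# (as in the question) has the client_random but never the secret.
import struct

# Constructed sample: one TLS 1.2 ClientHello record with a minimal body.
_RANDOM = bytes(range(0x10, 0x30))               # 32-byte client random (constructed)
_BODY = (b"\x03\x03" + _RANDOM                    # client_version, random
         + b"\x00"                                # session_id length 0
         + b"\x00\x02\xc0\x2f"                    # one cipher suite
         + b"\x01\x00"                            # compression: null
         + b"\x00\x00")                           # extensions length 0
_HANDSHAKE = b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY   # type 1 = ClientHello
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_HANDSHAKE)) + _HANDSHAKE

# Constructed key log: one line for another session, one for the session above.
KEYLOG = (
    "# SSL/TLS secrets log file (constructed sample)\n"
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
    "CLIENT_RANDOM " + _RANDOM.hex() + " " + "cd" * 48 + "\n"
)

def client_random(record: bytes) -> bytes:
    """Extract client_random from a TLS ClientHello record, checking the framing."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 38 or hs[0] != 0x01:
        raise ValueError("record is truncated or not a ClientHello")
    return hs[6:38]                                   # skip hs header (4) + version (2)

def parse_keylog(text: str) -> dict:
    """Map client_random -> master secret from CLIENT_RANDOM lines; skip comments."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return secrets

def lookup_master_secret(record: bytes, keylog_text: str):
    """Return this session's master secret, or None when the log has no entry."""
    return parse_keylog(keylog_text).get(client_random(record))
```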

Totally agree :) Just over-debugged myself, shame on me :)

(02 Jan '13, 06:39) Alexey Pelykh