This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL decryption log file

0

I'm totally new to Wireshark, and I don't know much about network protocols in general. Here's my situation: I'm trying to decrypt an SSL packet capture session. The traffic I'm trying to decrypt comes from the internet, and goes to an application running on my PC. I've found a number of different private keys and certificate files in the application directory, and I'm not really sure which one would be the right one to use, but that's kind of beside the point right now.

I've searched a lot here, and I've found a bunch of questions that begin with the asker posting their SSL debug log file. I've noticed that all of these logs begin with something like the following:

ssl_association_remove removing TCP 443 - data handle xx
Private key imported: KeyID xxxx...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.xxx.xxx.xxx' (xxx.xxx.xxx.xxx) port '443' filename 'C:\x.pem' password(only for p12 file) ''
ssl_init private key file C:\x.pem successfully loaded.
association_add TCP port 443 protocol data handle xx

My log file, however, doesn't have that. It just begins with 1 blank line, and then:

dissect_ssl enter frame #8 (first time)

So my question is, what is the significance of the absence of the information in the larger of the 2 log snippets above? I'm guessing this may have something to do with why I can't get the SSL decryption to work, so I figured I'd ask about it, and that it might be a good first step in figuring all this out. Thanks a lot.

Edit: just to give you bit more of an idea of my level of knowledge, I've been reading the SSL entry on Wikipedia, and I read Sake Blok's presentation on SSL decryption (http://sharkfest.wireshark.org/sharkfest.12/presentations/MB-1_SSL_Troubleshooting_with%20_Wireshark_Software.pdf). I thought his presentation was informative, but there was a lot of stuff that went over my head, because I know so little about all this.

asked 16 Mar '13, 13:34

sandwiches9's gravatar image

sandwiches9
21226
accept rate: 0%

edited 16 Mar '13, 14:34

One Answer:

1

I thought his presentation was informative, ...

Thank you :-)

... but there was a lot of stuff that went over my head, because I know so little about all this.

Then lets start at the beginning. It looks like you did not configure wireshark to use the private key.

If you go to "Edit -> Preferences" then click on the triangle in front of Protocols and then scroll down to SSL and click on it. You will now see the SSL protocol preferences. In the preferences you will see a button "Edit" next to "RSA keys list". When you click on it, you can then add a new key by clicking on "new".

In the pop-up window, please enter:

  • IP address ==> IP address of your server which has SSL enabled
  • Port ==> Most likely 443 or else the port on which you have your server running
  • Protocol ==> http (unless you have some other protocol encrypted with SSL, you can always use "data" to tell wireshark to not dissect the data that is decrypted)
  • Key File: The location of the private key that corresponds to the certificate on the server (you need to get this key from the server)
  • Password: (leave empty, unless you point to a password protected pkcs12 certificate/key file in "Key File")

If you have those properly filled and pressed OK (twice), then you should see the SSL debug lines that you quoted too...

answered 16 Mar '13, 15:08

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks for the info! I had done all that already, BUT it turned out the problem was that in the pop-up window, for the IP address, I had put '192.168.10.0/24' (hoping that it would apply to the entire '192.168.10.x' range). I just tried to put in the actual IP (instead of the '0/24' at the end), and I now get the debug lines that were missing before. Of course, it figures that decryption still doesn't work, but I'll work on it some more, and maybe I'll ask another question about it tomorrow. Thanks again!

(16 Mar '13, 15:25) sandwiches9