Recently I try to decrypt my dropbox connection which is in TLS format. I use the squid as a middle man in Ubuntu13.10, I configure the /etc/squid3.conf as follow, the squid proxy is running at port 3128 and I set the chrome to use the squid proxy running at 127.0.0.1:3128: # Squid normally listens to port 3128 always_direct allow all http_port 3128 ssl-bump cert=/home/lzq-ubuntu/Desktop/cert/sslcerts/127.0.0.1-cert.pem key=/home/lzq-ubuntu/Desktop/cert/sslcerts/private/127.0.0.1-key.pem #ssl_bump client-first ssl_bump server-first I generate the key using a .sh file:
I use the command: sh cert.sh 127.0.0.1 to generate the key. But after loading the key in wireshark, I can not decrypt the flow, I got this log file: ssl_association_remove removing TCP 3128 - http handle 0x7f6238467400 Private key imported: KeyID 22:0e:f2:57:3b:ef:cc:1a:ca:35:ea:c3:4b:62:49:60:... ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '3128' filename '/home/lzq-ubuntu/Desktop/cert/sslcerts/private/127.0.0.1-key.pem' password(only for p12 file) '' ssl_init private key file /home/lzq-ubuntu/Desktop/cert/sslcerts/private/127.0.0.1-key.pem successfully loaded. association_add TCP port 3128 protocol http handle 0x7f6238467400 dissect_ssl enter frame #6 (first time) ssl_session_init: initializing ptr 0x7f621ff49038 size 680 conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 211 dissect_ssl enter frame #8 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 39 dissect_ssl enter frame #12 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 246 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 241, ssl state 0x00 association_find: TCP port 53519 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 237 bytes, remaining 246 packet_from_server: is from server - FALSE ssl_find_private_key server 127.0.0.1:3128 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #6 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 211 dissect_ssl enter frame #8 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 39 dissect_ssl enter frame #12 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 246 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 237 bytes, remaining 246 dissect_ssl enter frame #19 (first time) ssl_session_init: initializing ptr 0x7f621ff4a568 size 680 conversation = 0x7f621ff49eb0, ssl_session = 0x7f621ff4a568 record: offset = 0, reported_length_remaining = 89 dissect_ssl enter frame #21 (first time) conversation = 0x7f621ff49eb0, ssl_session = 0x7f621ff4a568 record: offset = 0, reported_length_remaining = 39 dissect_ssl enter frame #25 (first time) conversation = 0x7f621ff49eb0, ssl_session = 0x7f621ff4a568 record: offset = 0, reported_length_remaining = 74 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 69, ssl state 0x00 association_find: TCP port 53521 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 65 bytes, remaining 74 packet_from_server: is from server - FALSE ssl_find_private_key server 127.0.0.1:3128 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #19 (already visited) conversation = 0x7f621ff49eb0, ssl_session = (nil) record: offset = 0, reported_length_remaining = 89 dissect_ssl enter frame #21 (already visited) conversation = 0x7f621ff49eb0, ssl_session = (nil) record: offset = 0, reported_length_remaining = 39 dissect_ssl enter frame #25 (already visited) conversation = 0x7f621ff49eb0, ssl_session = (nil) record: offset = 0, reported_length_remaining = 74 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 65 bytes, remaining 74 dissect_ssl enter frame #30 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 1163 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 53, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 dissect_ssl3_hnd_srv_hello can't find cipher suite 0x9C record: offset = 58, reported_length_remaining = 1105 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 1091, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 63 length 1087 bytes, remaining 1154 record: offset = 1154, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 1159 length 0 bytes, remaining 1163 dissect_ssl enter frame #32 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 190 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 134, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16) dissect_ssl3_handshake can't decrypt pre master secret record: offset = 139, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 145, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 40, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 0 offset 150 length 0 bytes, remaining 190 dissect_ssl3_handshake iteration 0 type 0 offset 154 length 0 bytes, remaining 190 dissect_ssl3_handshake iteration 0 type 148 offset 158 length 9736230 bytes, remaining 190 dissect_ssl enter frame #34 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 242 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 186, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 record: offset = 191, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 197, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 40, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 214 offset 202 length 6700648 bytes, remaining 242 dissect_ssl enter frame #35 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 1147 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1142, ssl state 0x13 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 53519 found (nil) association_find: TCP port 3128 found 0x7f62392b2a30 dissect_ssl enter frame #30 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 1163 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 record: offset = 58, reported_length_remaining = 1105 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 11 offset 63 length 1087 bytes, remaining 1154 record: offset = 1154, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 14 offset 1159 length 0 bytes, remaining 1163 dissect_ssl enter frame #32 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 190 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 record: offset = 139, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 145, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 0 offset 150 length 0 bytes, remaining 190 dissect_ssl3_handshake iteration 0 type 0 offset 154 length 0 bytes, remaining 190 dissect_ssl3_handshake iteration 0 type 148 offset 158 length 9736230 bytes, remaining 190 dissect_ssl enter frame #34 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 242 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 record: offset = 191, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 197, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 214 offset 202 length 6700648 bytes, remaining 242 dissect_ssl enter frame #35 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 1147 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 53519 found (nil) association_find: TCP port 3128 found 0x7f62392b2a30 dissect_ssl enter frame #39 (first time) conversation = 0x7f621ff49eb0, ssl_session = 0x7f621ff4a568 record: offset = 0, reported_length_remaining = 1163 dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 53, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session can't find stored session dissect_ssl3_hnd_srv_hello found CIPHER 0x0035 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material record: offset = 58, reported_length_remaining = 1105 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 1091, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 63 length 1087 bytes, remaining 1154 record: offset = 1154, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 1159 length 0 bytes, remaining 1163 dissect_ssl enter frame #41 (first time) conversation = 0x7f621ff49eb0, ssl_session = 0x7f621ff4a568 record: offset = 0, reported_length_remaining = 7 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 2, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #45 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 564 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 559, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 3128 found 0x7f62392b2a30 dissect_ssl enter frame #46 (first time) conversation = 0x7f621ff48980, ssl_session = 0x7f621ff49038 record: offset = 0, reported_length_remaining = 176 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 171, ssl state 0x13 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 3128 found 0x7f62392b2a30 dissect_ssl enter frame #39 (already visited) conversation = 0x7f621ff49eb0, ssl_session = (nil) record: offset = 0, reported_length_remaining = 1163 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 record: offset = 58, reported_length_remaining = 1105 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 11 offset 63 length 1087 bytes, remaining 1154 record: offset = 1154, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 14 offset 1159 length 0 bytes, remaining 1163 dissect_ssl enter frame #41 (already visited) conversation = 0x7f621ff49eb0, ssl_session = (nil) record: offset = 0, reported_length_remaining = 7 dissect_ssl3_record: content_type 21 Alert dissect_ssl enter frame #45 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 564 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 3128 found 0x7f62392b2a30 dissect_ssl enter frame #46 (already visited) conversation = 0x7f621ff48980, ssl_session = (nil) record: offset = 0, reported_length_remaining = 176 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 3128 found 0x7f62392b2a30 It seems that the key is loaded successfully, but the app data in each packet are still encryped. Help!!!!
This question is marked "community wiki".
|
Looks like your Wireshark version (which one is it) does not support cipher 0x9C (TLS_RSA_WITH_AES_128_GCM_SHA256). You could try to force either your browser or squid to another cipher and then check again. Regards Thank you very much!! My wireshark version is 1.8.3 and after I change my cipher suit in squid.conf I can decrypt the SSL data. Thank you very much!!! BTW, sometimes I can not visit some website through HTTPS because I used the self-generated certificate and key, and the browser say that: "Invalid Server Certificate" So is there any idea how can I generate the certificate and key authorized by Dropbox? Thanks very much for your help again!!!
(04 Dec '13, 03:57)
lzq8272587
good. I believe the latest development build of Wireshark (1.11.x) does support (0x9c - I think I have seen that somewhere). Maybe you want to try it later as well.
"authorized by Dropbox"? There is no way to do that, unless you are the owner of Dropbox or a very, very skilled hacker ;-) I believe this could be a problem with the Squid configuration. I've never used squid for SSL interception, so I don't know what to look for. Maybe it's better to ask that specific question in a Squid forum !?! Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).
(04 Dec '13, 04:50)
Kurt Knochner ♦
|