Having trouble decrypting SSL; I am trying to analyze a capture file created by WinDump. Someone else had a similar question, and the response was to check three things: a) private key, b) SSL handshake, c) encryption type.

I have exported the server cert, converted it to PEM and separated out the private key. In the file, it says 'rsa', and there is no reference to 'ephemeral'.

I think I'm getting the full session... the SSL handshake looks like:

..."ClientHello"
..."Server Hello, Certificate, Server Hello Done"
..."Client Key Exchange"
..."Change Cipher Spec"
..."Encrypted Handshake Message"
..."Change Cipher Spec, Encrypted Handshake Message"
..."Client Key Exchange"
..."Change Cipher Spec"
..."Encrypted Handshake Message"
..."Change Cipher Spec, Encrypted Handshake Message"
..."Application Data"

The application data packet at the end is still encrypted. The only thing left is to try to figure out if Wireshark likes the key I provided it...

Some questions:
- I see some references to an 'ssl debug file'. How do you configure this? In Preferences/Protocols/SSL you can browse for a file, but I notice that you can only specify files that already exist. I created a file and specified it, but the file is always zero length.

Any insight would be appreciated...
The file selection dialog behaves kind of strangely sometimes. It's probably better to just paste the full path of the file into the field.

The only thing you need to do is to specify the debug log. Then close Wireshark, empty or delete the file and restart Wireshark. The file will then be filled with debug messages, if the user that runs Wireshark has enough rights to create the file and to write to it, as Wireshark runs in the user context. If that does not happen on your system, please add the following information:
No. That's most certainly due to checksum offloading, as you were capturing on the server itself.
Of course the IP in the trace file. That's the only one Wireshark can see.
Yes. see above.
The key file should look like this:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC8/gQ2y24WaJuuoF4cAibeqLOU7JnkeX21ozjVe7tpeT1ZqSMc
gRLUGAGquCmIT7XipvWLfll7itGGiCMTXdAqNPgiWvxdNVhMh8W/vlv7xTdnbquY
... some lines ...
BMb1winyNNcTHu1vLScCQQCrYa+AfS879mK+L3kFXrliXnJ5+4uBsY55dUQc8j97
CKuarIR9Pb4OAE1mAg6SIWoXOaIp0XmFtXtohBmav3ex
-----END RSA PRIVATE KEY-----

If you see the following (or similar) lines in the key file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,530703DFD90796F4

kEa20CNx8Pn5zw2sq/UtI5BFk0IlXImzDzdh9Mlv8LdIHwz67rtwQTDstJf9Wucj

then your exported key is encrypted and you must give Wireshark the passphrase for the key.
If the key is not encrypted and it still does not work, the following 'problem' occurs sometimes: Your SSL/TLS connection is using a cipher that cannot be decrypted with only the RSA key of the server. That's all ciphers with DH in the name (Diffie Hellman). The ssl debug log will show the cipher used, as well as Wireshark itself, by looking at the SSL handshake. Add a custom column in the GUI with the following field, to view the negotiated cipher suite.
If the connection is using a DH cipher, you need the SSL session keys, exported by your client. See here:

Read the questions and answers about using the RSA key log file generated by a browser (by using the environment variable SSLKEYLOGFILE). Finally, try to decrypt an SSL session that is known to work.
Regards

Thanks so much for the help!!! The SSL debug log revealed that I wasn't using the right key. Now I've another problem, but that's the subject of another post.
(18 Dec '13, 23:27)
dmc_lat47
Good. Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.
(18 Dec '13, 23:47)
Kurt Knochner ♦
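The two checks in the answer above (is the exported key encrypted, and did the server negotiate a static-RSA suite or a DH/ECDH suite that the server key alone cannot decrypt) can be done on the raw bytes before fighting with Wireshark's key preferences. The following script is an added example for this thread, not code from the original post or from the Wireshark project: it reads a run of TLS records as they appear in the server's first TCP segment, finds the ServerHello, looks up the cipher suite (a small subset of the IANA registry is embedded), and reports whether the server RSA private key is enough. The ServerHello bytes and the PEM headers it runs on are constructed in the script, not taken from the poster's capture. In Wireshark itself the same value is the `ssl.handshake.ciphersuite` field (`tls.handshake.ciphersuite` in current releases), which is the field to use for the custom column the answer mentions.

```python
"""Pre-flight checks for RSA-based SSL/TLS decryption in Wireshark.

Added example for the thread above; all inputs below are constructed.
Assumes handshake messages do not span TLS record boundaries, which holds
for the short ServerHello records this check cares about.
"""
import struct

# Subset of the IANA TLS cipher suite registry: id -> (name, key exchange).
# Only "RSA" key exchange can be decrypted with the server's private key;
# DHE/ECDHE suites need the session secrets from an SSLKEYLOGFILE instead.
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def iter_handshake_messages(payload):
    """Yield (msg_type, body) for every handshake message in a run of TLS records."""
    off = 0
    while off + 5 <= len(payload):
        ctype, vmaj, vmin, rlen = struct.unpack(">BBBH", payload[off:off + 5])
        record = payload[off + 5:off + 5 + rlen]
        if len(record) < rlen:
            break  # truncated record: the capture did not contain the whole segment
        off += 5 + rlen
        if ctype != HANDSHAKE_RECORD:
            continue  # ChangeCipherSpec, alert or application data: nothing to parse
        pos = 0
        while pos + 4 <= len(record):
            mtype = record[pos]
            mlen = int.from_bytes(record[pos + 1:pos + 4], "big")
            yield mtype, record[pos + 4:pos + 4 + mlen]
            pos += 4 + mlen


def parse_server_hello(payload):
    """Return version, cipher suite id, name and key-exchange type, or None if absent."""
    for mtype, body in iter_handshake_messages(payload):
        if mtype != SERVER_HELLO or len(body) < 38:
            continue
        sid_len = body[34]  # after 2-byte version and 32-byte random
        cs = struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
        name, kx = CIPHER_SUITES.get(cs, ("unknown 0x%04x" % cs, "unknown"))
        return {"version": (body[0], body[1]), "cipher_suite": cs, "name": name, "kx": kx}
    return None


def rsa_key_can_decrypt(kx):
    """Only static RSA key exchange lets Wireshark decrypt with the server key alone."""
    return kx == "RSA"


def pem_key_is_encrypted(pem_text):
    """Detect the two PEM encodings of an encrypted key that need a passphrase."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def build_server_hello(cipher_suite, version=(3, 1), session_id=b"\x01" * 32):
    """Construct a minimal ServerHello record (test input, not from a capture)."""
    body = bytes(version) + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack(">H", cipher_suite) + b"\x00"  # null compression
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + bytes(version) + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    for suite in (0x002F, 0xC013):
        hello = parse_server_hello(build_server_hello(suite))
        print("%-40s key exchange %-6s server RSA key sufficient: %s"
              % (hello["name"], hello["kx"], rsa_key_can_decrypt(hello["kx"])))
    # Constructed PEM header fragments, mirroring the two shapes shown in the answer.
    encrypted = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0\n"
    plain = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC8\n-----END RSA PRIVATE KEY-----\n"
    print("encrypted key needs passphrase:", pem_key_is_encrypted(encrypted))
    print("plain key needs passphrase:", pem_key_is_encrypted(plain))
```

To run it against a real capture, feed `parse_server_hello` the reassembled TCP payload of the server's first data segment (for example exported from Wireshark with "Follow TCP Stream", raw, server direction). If it reports `DHE` or `ECDHE`, no amount of fiddling with the key preference will help; the session can only be decrypted with secrets logged by the client via SSLKEYLOGFILE, as the answer says.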
"I have exported the server cert, converted to pem and separated out the private key." Hm, if that was possible, all it would take to decrypt an SSL/TLS session would be to trace the negotiation.

Thanks for your response. Hmm... well, though it's not something I do well, I am what passes for the server admin on this machine. I used MMC to export the certificate, and made sure to include the private key. Then I converted it to PEM, and placed the RSA private key portion into a separate file. How is the SSL debug log configured? Will the log be written to when Wireshark is analyzing a trace file, or does Wireshark need to be run live on the server? (In order to minimize the amount of software installed there, I installed only WinDump, and copy over the capture files to analyze on a separate machine running Wireshark.)
(18 Dec '13, 00:10)
dmc_lat47
So... if anyone could tell me how to get the SSL debug log going, that would at least give me one more thing to look at...
Thanks in advance...