This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am not able to decrypt SSL sessions in Wireshark. Does anyone know what is wrong? Thanks for any assistance.

Here is the debug output:

ssl_init private key file B:\downloads\certs\server1-rsa.key successfully loaded.
association_add TCP port 443 protocol http handle 059E54D0

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 06571BC4 size 588
  conversation = 06571838, ssl_session = 06571BC4
  record: offset = 0, reported_length_remaining = 177
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 172, ssl state 0x00
association_find: TCP port 34237 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 168 bytes, remaining 177 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.168.136:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #5 (first time)
  conversation = 06571838, ssl_session = 06571BC4
  record: offset = 0, reported_length_remaining = 1024
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 57, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 53 bytes, remaining 62 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC014
  record: offset = 62, reported_length_remaining = 962
  need_desegmentation: offset = 62, reported_length_remaining = 962

dissect_ssl enter frame #7 (first time)
  conversation = 06571838, ssl_session = 06571BC4
  record: offset = 0, reported_length_remaining = 2422
  need_desegmentation: offset = 0, reported_length_remaining = 2422

dissect_ssl enter frame #9 (first time)
  conversation = 06571838, ssl_session = 06571BC4
  record: offset = 0, reported_length_remaining = 3559
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 3554, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3550 bytes, remaining 3559 

dissect_ssl enter frame #11 (first time)
  conversation = 06571838, ssl_session = 06571BC4
  record: offset = 0, reported_length_remaining = 679
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 655, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 651 bytes, remaining 660 
  record: offset = 660, reported_length_remaining = 19
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 14, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 665 length 6 bytes, remaining 679 
dissect_ssl3_handshake iteration 0 type 14 offset 675 length 0 bytes, remaining 679 

dissect_ssl enter frame #13 (first time)
  conversation = 06571838, ssl_session = 06571BC4
  record: offset = 0, reported_length_remaining = 214
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 7, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 202
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 138, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 134 bytes, remaining 155 
dissect_ssl3_handshake wrong encrypted length (34052 max 134)
  record: offset = 155, reported_length_remaining = 59
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 161, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_

asked 09 May '14, 10:56

lchen's gravatar image

lchen
11112
accept rate: 0%

edited 09 May '14, 11:29

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237


dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC014

Your version of Wireshark does not know how to decrypt TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (cipher suite 0xc014).

Only the latest development version (1.11.x) is able to handle that cipher. Please download that and try it again.

Regards
Kurt

permanent link

answered 09 May '14, 11:02

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620

question asked: 09 May '14, 10:56

question was seen: 2,862 times

last updated: 09 May '14, 11:29

p​o​w​e​r​e​d by O​S​Q​A