This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to decrypt SSL sessions in Wireshark

0

I am not able to decrypt SSL sessions in Wireshark. Does anyone know what is wrong? Thanks for any assistance.

Here is the debug output:

ssl_init private key file B:\downloads\certs\server1-rsa.key successfully loaded.
association_add TCP port 443 protocol http handle 059E54D0

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 06571BC4 size 588
conversation = 06571838, ssl_session = 06571BC4
record: offset = 0, reported_length_remaining = 177
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 172, ssl state 0x00
association_find: TCP port 34237 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 168 bytes, remaining 177
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.168.136:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #5 (first time)
conversation = 06571838, ssl_session = 06571BC4
record: offset = 0, reported_length_remaining = 1024
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 57, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 53 bytes, remaining 62
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC014
record: offset = 62, reported_length_remaining = 962
need_desegmentation: offset = 62, reported_length_remaining = 962

dissect_ssl enter frame #7 (first time)
conversation = 06571838, ssl_session = 06571BC4
record: offset = 0, reported_length_remaining = 2422
need_desegmentation: offset = 0, reported_length_remaining = 2422

dissect_ssl enter frame #9 (first time)
conversation = 06571838, ssl_session = 06571BC4
record: offset = 0, reported_length_remaining = 3559
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 3554, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3550 bytes, remaining 3559

dissect_ssl enter frame #11 (first time)
conversation = 06571838, ssl_session = 06571BC4
record: offset = 0, reported_length_remaining = 679
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 655, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 651 bytes, remaining 660
record: offset = 660, reported_length_remaining = 19
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 14, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 665 length 6 bytes, remaining 679
dissect_ssl3_handshake iteration 0 type 14 offset 675 length 0 bytes, remaining 679

dissect_ssl enter frame #13 (first time)
conversation = 06571838, ssl_session = 06571BC4
record: offset = 0, reported_length_remaining = 214
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 7, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12
record: offset = 12, reported_length_remaining = 202
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 138, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 134 bytes, remaining 155
dissect_ssl3_handshake wrong encrypted length (34052 max 134)
record: offset = 155, reported_length_remaining = 59
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 161, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_

asked 09 May '14, 10:56

lchen
accept rate: 0%

edited 09 May '14, 11:29

Kurt Knochner ♦

One Answer:

0

dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC014

Your version of Wireshark does not know how to decrypt TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (cipher suite 0xc014).

Only the latest development version (1.11.x) is able to handle that cipher. Please download that and try it again.

Regards
Kurt

answered 09 May '14, 11:02

Kurt Knochner ♦
accept rate: 15%
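
A triage sketch for SSL debug logs like the one in the question, added here as an example (not code from the original posts or from Wireshark): it extracts the messages that decide whether decryption can start, including the `can't find cipher suite` line the answer points to. The names `triage`, `SUITES` and `HANDSHAKE`, the suite subset and the abridged sample log are assumptions of this example.

```python
import re

# Constructed sample: messages abridged from the debug output in the question,
# left run together on long lines the way the archived page shows them.
SAMPLE_LOG = r"""ssl_init private key file B:\downloads\certs\server1-rsa.key successfully loaded.
dissect_ssl enter frame #5 (first time) decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 53 bytes, remaining 62 dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC014
dissect_ssl enter frame #11 (first time) decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 12 offset 5 length 651 bytes, remaining 660
"""

# Subset of the IANA TLS cipher suite registry; 0xC014 is the one named in the answer.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
# TLS handshake message types, as they appear in the log's "type N" fields.
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 16: "ClientKeyExchange"}

KEY_OK = re.compile(r"ssl_init private key file .+? successfully loaded")
# One scanner over the whole text, so it works whether or not line breaks survived.
TOKEN = re.compile(r"enter frame #(?P<frame>\d+)"
                   r"|can't find cipher suite 0x(?P<suite>[0-9A-Fa-f]{1,4})"
                   r"|dissect_ssl3_handshake iteration \d+ type (?P<hs>\d+)"
                   r"|(?P<nodec>no decoder available)")

def triage(log):
    """Summarise key loading, handshake messages per frame and unsupported suites."""
    report = {"key_loaded": bool(KEY_OK.search(log)), "frames": {},
              "unsupported": [], "no_decoder": 0}
    frame = None
    for m in TOKEN.finditer(log):
        if m.lastgroup == "frame":
            frame = int(m.group("frame"))
        elif m.lastgroup == "suite":
            sid = int(m.group("suite"), 16)
            name = SUITES.get(sid)
            kx = name[4:].split("_WITH_")[0] if name else ""
            # Added fact, not from the page: with (EC)DHE the session secret is
            # ephemeral and cannot be recovered from the server's RSA key alone.
            report["unsupported"].append({"frame": frame, "id": f"0x{sid:04X}",
                "name": name, "ephemeral_kx": kx.startswith(("ECDHE", "DHE"))})
        elif m.lastgroup == "hs":
            t = int(m.group("hs"))
            report["frames"].setdefault(frame, []).append(HANDSHAKE.get(t, f"type {t}"))
        else:
            report["no_decoder"] += 1
    return report
```
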