This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm trying to decrypt an https stream between Safari (where I'm also running wireshark) and an openlitespeed server on a linux box. I have the private key for the server and it is in the proper format. I have disabled Diffie Hellman and have SSLv3 and TLSv1.2 enabled. I've used different combinations of SSLv3 and TLS versions and all have the same result. Wireshark is picking up the private key correctly, but I'm getting an error that no decoders are available. Here's the top of the debug log with SSLv3 and TLSv1.2, no DH, no SPDY. Wireshark build info below.

Wireshark SSL debug log

ssl_association_remove removing TCP 8095 - http handle 0x10a22a660
Private key imported: KeyID 85:8c:ff:ee:74:26:7b:8f:00:f2:39:d0:3e:35:f7:40:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '10.0.0.25' (10.0.0.25) port '8095' filename '/Users/tommcd/lsws/server.key' password(only for p12 file) ''
ssl_init private key file /Users/tommcd/lsws/server.key successfully loaded.
association_add TCP port 8095 protocol http handle 0x10a22a660

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0x10cba16e0 size 712
association_find: TCP port 49623 found 0x0
packet_from_server: is from server - FALSE
  conversation = 0x10ad01058, ssl_session = 0x10cba16e0
  record: offset = 0, reported_length_remaining = 177
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 172, ssl state 0x00
association_find: TCP port 49623 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 168 bytes, remaining 177 
packet_from_server: is from server - FALSE
ssl_find_private_key server 10.0.0.25:8095
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x10ad01058, ssl_session = 0x10cba16e0
  record: offset = 0, reported_length_remaining = 877
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 93, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 89 bytes, remaining 98 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0xC027 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
  record: offset = 98, reported_length_remaining = 779
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 555, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

Wireshark build info

2014-09-11 16:52:00.660 defaults[75025:507] 
The domain/default pair of (kCFPreferencesAnyApplication, AppleHighlightColor) does not exist
wireshark 1.12.1rc0-74-g3131847 (v1.12.0rc0-74-g3131847 from master-1.12)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.36.0, with libpcap, with libz 1.2.3, without POSIX capabilities, with SMI
0.4.8, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS
2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Jul 16 2013 19:05:52), with AirPcap.

Running on Mac OS X 10.9.4, build 13E28 (Darwin 13.3.0), with locale .UTF-8,
with libpcap version 1.3.0 - Apple version 41, with libz 1.2.5, GnuTLS 2.12.19,
Gcrypt 1.5.0, without AirPcap.
       Intel(R) Core(TM) i5-2500S CPU @ 2.70GHz

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

asked 11 Sep '14, 13:51

DiabolicalTMcD's gravatar image

DiabolicalTMcD
11113
accept rate: 0%

edited 11 Sep '14, 13:52

Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×62

question asked: 11 Sep '14, 13:51

question was seen: 2,085 times

last updated: 11 Sep '14, 13:52

p​o​w​e​r​e​d by O​S​Q​A