This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decrypt difficulty


I'm trying to decrypt an HTTPS stream between Safari (where I'm also running Wireshark) and an OpenLiteSpeed server on a Linux box. I have the private key for the server and it is in the proper format. I have disabled Diffie-Hellman and have SSLv3 and TLSv1.2 enabled. I've used different combinations of SSLv3 and TLS versions and all have the same result. Wireshark is picking up the private key correctly, but I'm getting an error that no decoders are available. Here's the top of the debug log with SSLv3 and TLSv1.2, no DH, no SPDY. Wireshark build info below.

Wireshark SSL debug log

ssl_association_remove removing TCP 8095 - http handle 0x10a22a660
Private key imported: KeyID 85:8c:ff:ee:74:26:7b:8f:00:f2:39:d0:3e:35:f7:40:…
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '10.0.0.25' (10.0.0.25) port '8095' filename '/Users/tommcd/lsws/server.key' password(only for p12 file) ''
ssl_init private key file /Users/tommcd/lsws/server.key successfully loaded.
association_add TCP port 8095 protocol http handle 0x10a22a660

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0x10cba16e0 size 712
association_find: TCP port 49623 found 0x0
packet_from_server: is from server - FALSE
conversation = 0x10ad01058, ssl_session = 0x10cba16e0
record: offset = 0, reported_length_remaining = 177
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 172, ssl state 0x00
association_find: TCP port 49623 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 168 bytes, remaining 177
packet_from_server: is from server - FALSE
ssl_find_private_key server 10.0.0.25:8095
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
conversation = 0x10ad01058, ssl_session = 0x10cba16e0
record: offset = 0, reported_length_remaining = 877
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 93, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 89 bytes, remaining 98
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0xC027 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
record: offset = 98, reported_length_remaining = 779
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 555, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

Wireshark build info

2014-09-11 16:52:00.660 defaults[75025:507]
The domain/default pair of (kCFPreferencesAnyApplication, AppleHighlightColor) does not exist
wireshark 1.12.1rc0-74-g3131847 (v1.12.0rc0-74-g3131847 from master-1.12)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.10.2, with Pango 1.30.1, with GLib 2.36.0, with libpcap, with libz 1.2.3, without POSIX capabilities, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 16 2013 19:05:52), with AirPcap.

Running on Mac OS X 10.9.4, build 13E28 (Darwin 13.3.0), with locale .UTF-8, with libpcap version 1.3.0 - Apple version 41, with libz 1.2.5, GnuTLS 2.12.19, Gcrypt 1.5.0, without AirPcap. Intel(R) Core(TM) i5-2500S CPU @ 2.70GHz

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.9.00).

asked 11 Sep '14, 13:51


DiabolicalTMcD

edited 11 Sep '14, 13:52
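
Added example (not part of the original post and not Wireshark code): a Python script that scans an SSL debug log like the one above for the ServerHello `found CIPHER` line and reports whether the negotiated suite's key exchange can be decrypted from the server's RSA private key alone. The suite names are taken from the IANA TLS cipher suite registry; the function name `diagnose`, the result field names and the short suite table are assumptions of this example.

```python
import re

# Subset of the IANA TLS cipher suite registry: id -> (name, key exchange).
# Only static-RSA key exchange is recoverable from the server's RSA private
# key; DHE/ECDHE suites need the session secrets instead.
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC027: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}
FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
CIPHER = re.compile(r"found CIPHER (0x[0-9A-Fa-f]{4})")

# Lines excerpted from the debug log in the question (frame #6).
SAMPLE_LOG = """\
dissect_ssl enter frame #6 (first time)
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0xC027 -> state 0x17
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
decrypt_ssl3_record: no decoder available
"""

def diagnose(log_text):
    """Return one finding per 'found CIPHER' entry in a Wireshark SSL debug log."""
    findings = []
    for m in CIPHER.finditer(log_text):
        frames = FRAME.findall(log_text[:m.start()])  # frame the entry belongs to
        suite_id = int(m.group(1), 16)
        name, kex = SUITES.get(suite_id, ("unknown", "unknown"))
        findings.append({
            "frame": int(frames[-1]) if frames else None,
            "suite_id": f"0x{suite_id:04X}",
            "name": name,
            "key_exchange": kex,
            # None means the suite is not in the table above.
            "rsa_key_decryptable": None if kex == "unknown" else kex == "RSA",
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```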