This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL session not decrypted

0

I am running Wireshark on CentOS. I need to decode SSL traffic. I have the server's key. I set the IP address, port, protocol, key in Edit > Preferences > Protocols > SSL > key info. For the key, I use the PEM key exported from the application. Then I start my web browser & application. I go through a transaction, stop the Wireshark capture and look at the frames.

I see the frames captured. When I click on "Follow SSL Stream", nothing is displayed in the dialog window. When I click on "Follow TCP Stream" (on the same frame), I see, at the beginning of the conversation, my certificate, from which I extracted the key (with openssl), being exchanged.

Getting no display on "Follow SSL Stream" indicates to me some key issue. When I look at the "Wireshark SSL Debug Log", I see the below, which I do not completely understand. The first "paragraph" indicates a successful PEM key load, but then it encounters problems with the key.

Is there any hint of what is going wrong in the log that I am missing? I am as sure as humanly possible that I have the right key... What is meant by "try it again with universal address 0.0.0.0"? What could the reason be for "ssl_find_private_key cannot find private key for this server"?

Thanks.

**Wireshark SSL debug log**

ssl_association_remove removing TCP 9031 - http handle 0x2dc1770
Private key imported: KeyID 06:74:d4:cb:70:e5:f9:3a:78:b4:2b:6d:87:f7:71:7f:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '9031' filename '/home/cemil/keytests/14966CD11F8.pem' password(only for p12 file) ''
ssl_init private key file /home/cemil/keytests/14966CD11F8.pem successfully loaded.
association_add TCP port 9031 protocol http handle 0x2dc1770

dissect_ssl enter frame #10 (first time)
ssl_session_init: initializing ptr 0x7fc8c36468a8 size 688
conversation = 0x7fc8c3645718, ssl_session = 0x7fc8c36468a8
record: offset = 0, reported_length_remaining = 233
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 228, ssl state 0x00
association_find: TCP port 42803 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 224 bytes, remaining 233
packet_from_server: is from server - FALSE
ssl_find_private_key server ::1:9031
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #12 (first time)
ssl_session_init: initializing ptr 0x7fc8c3646e18 size 688
conversation = 0x7fc8c3645cd8, ssl_session = 0x7fc8c3646e18
record: offset = 0, reported_length_remaining = 233
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 228, ssl state 0x00
association_find: TCP port 42804 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 224 bytes, remaining 233
packet_from_server: is from server - FALSE
ssl_find_private_key server ::1:9031
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #14 (first time)
ssl_session_init: initializing ptr 0x7fc8c3647388 size 688
conversation = 0x7fc8c3646298, ssl_session = 0x7fc8c3647388
record: offset = 0, reported_length_remaining = 233
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 228, ssl state 0x00
association_find: TCP port 42805 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 224 bytes, remaining 233
packet_from_server: is from server - FALSE
ssl_find_private_key server ::1:9031
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

asked 31 Oct '14, 12:26

CemilB

edited 02 Nov '14, 09:49

Kurt Knochner ♦


One Answer:

0

What could the reason be for "ssl_find_private_key cannot find private key for this server"?

I don't know, maybe there is something wrong with your

  • capture file
  • private key
  • ssl preferences (key settings)

Please try the whole SSL decryption process with the following sample file:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=snakeoil2_070531.tgz

The key is included in the file (use 7-ZIP to open it).

If that does not work (it should work - I just tested it), there is something wrong with one of the things mentioned above.

Which one? Impossible to tell, without access to the capture file and the key, or at least a full ssl debug file (only the first 20 frames).

Regards
Kurt

answered 02 Nov '14, 10:01

Kurt Knochner ♦

Thanks, Kurt. I just untarred and tried the files you sent, and I could decode fine. At least this tells me that my install is OK. Does this lead you to any other conclusion that would help? Do you have any further suggestion? Best, Cemil

(03 Nov '14, 09:54) CemilB

As I said. Without additional information I can only offer wild guesses, which I'm not going to do ;-)

(03 Nov '14, 12:04) Kurt Knochner ♦
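
The debug log in the question records both the key entry that was loaded (`ssl_init IPv4 addr '127.0.0.1' ... port '9031'`) and the server address that was later looked up (`ssl_find_private_key server ::1:9031`). The following is an added example, not part of the original thread and not Wireshark code, that parses those two line types and reports every lookup that no loaded key entry covers. The function names and the wildcard handling of 0.0.0.0 and port 0 are assumptions modelled on the fallback messages in the log.

```python
import ipaddress
import re

# Constructed sample: lines copied from the debug log quoted in the question.
SAMPLE_LOG = """\
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '9031' filename '/home/cemil/keytests/14966CD11F8.pem' password(only for p12 file) ''
ssl_init private key file /home/cemil/keytests/14966CD11F8.pem successfully loaded.
dissect_ssl enter frame #10 (first time)
ssl_find_private_key server ::1:9031
ssl_find_private_key can't find any private key!
"""

INIT_RE = re.compile(r"^ssl_init IPv[46] addr '([^']+)' \(.*?\) port '(\d+)'")
FIND_RE = re.compile(r"^ssl_find_private_key server (\S+):(\d+)$")
FRAME_RE = re.compile(r"^dissect_ssl enter frame #(\d+)")
ANY_ADDR = ipaddress.ip_address("0.0.0.0")


def entry_covers(entry, lookup):
    """Assumed, simplified model of the fallbacks named in the log messages:
    a key entry with address 0.0.0.0 or port 0 acts as a wildcard."""
    (e_addr, e_port), (l_addr, l_port) = entry, lookup
    return e_addr in (l_addr, ANY_ADDR) and e_port in (l_port, 0)


def audit_key_lookups(log_text):
    """Return (frame, looked_up, configured, reason) for each uncovered lookup."""
    configured, findings, frame = [], [], None
    for line in map(str.strip, log_text.splitlines()):
        if m := FRAME_RE.match(line):
            frame = int(m.group(1))
        elif m := INIT_RE.match(line):
            configured.append((ipaddress.ip_address(m.group(1)), int(m.group(2))))
        elif m := FIND_RE.match(line):
            lookup = (ipaddress.ip_address(m.group(1)), int(m.group(2)))
            if any(entry_covers(e, lookup) for e in configured):
                continue
            same_port = [e for e in configured if e[1] in (lookup[1], 0)]
            if not same_port:
                reason = "no key entry for this port"
            elif all(e[0].version != lookup[0].version for e in same_port):
                reason = "address family differs: IPv%d lookup, IPv%d key entry" % (
                    lookup[0].version, same_port[0][0].version)
            else:
                reason = "address differs"
            findings.append((frame, "%s:%d" % lookup,
                             ["%s:%d" % e for e in configured], reason))
    return findings
```

Calling `audit_key_lookups()` on the text of a saved SSL debug file lists, per frame, the address the dissector searched for next to the addresses the key entries were registered under.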