This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

OK, I've read all of the posts I can find for the past two weeks, tried this and that, and I'm finally down to it.

I downloaded the latest versions of Wireshark for Mac and PC (I run both). I ran the sample capture to be sure my Mac and PC implementations are working: (http://wiki.wireshark.org/SampleCaptures#SSL_with_decryption_keys). I received a PFX copy of the private key from my security guys (no, I didn't include it here). I ran thru the steps to derive an RSA PEM file: (http://blogs.technet.com/b/nettracer/archive/2010/10/01/how-to-decrypt-an-ssl-or-tls-session-by-using-wireshark.aspx) I loaded the file in Preferences > SSL I shut off everything I could think of. I started the trace first. I opened Firefox. I went to iwdmobile.iowa.gov And I got---TLSv1.2---unadulterated, ENCRYPTED TLSv1.2 payloads. Needless to say, not what I'm looking for. I'd like to include a copy of the ssl debug and a jpg of the packet list so you can see the actual order of the packets as I'm seeing them if someone can tell me a place I can load them for viewing. Please, anybody, I'd like to buy a vowel and figure out what stupid thing I'm doing to myself. BTW, if anyone has a definitions page on what the lines in ssl debug are trying to tell me I'd appreciate the reference material. -d

asked 07 Nov '14, 07:48

dribniff's gravatar image

dribniff
6445
accept rate: 0%

Post the SSL debug out put as text straight in your question. Use the "code" button to format it for easier viewing.

It's possible that the TLS session is using a DH key exchange which makes it more difficult to decrypt, see this question from StackExchange. In Firefox, click on the padlock | More Information ... and then in the "Technical Details" section what is the reported connection info.

Have you also read through the Wireshark Wiki page on SSL, it's here?

(07 Nov '14, 09:14) grahamb ♦

alt text

As requested:

   ssl_association_remove removing TCP 443 - http handle 0x10c187820
    Private key imported: KeyID dd:29:74:15:7b:e6:76:47:f5:f0:68:3e:8a:55:61:62:...
    ssl_load_key: swapping p and q parameters and recomputing u
    ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '443' filename '/Users/haguerc/Downloads/snakeoil2_070531/rsasnakeoil2.key' password(only for p12 file) ''
    ssl_init private key file /Users/haguerc/Downloads/snakeoil2_070531/rsasnakeoil2.key successfully loaded.
    association_add TCP port 443 protocol http handle 0x10c187820
    Private key imported: KeyID 8f:7d:52:a1:b2:f3:d0:83:0b:bf:d8:7f:f0:36:54:2f:...
    ssl_load_key: swapping p and q parameters and recomputing u
    ssl_init IPv4 addr '165.206.254.134' (165.206.254.134) port '443' filename '/Volumes/SOLERA/wildcard.rsa.pem' password(only for p12 file) ''
    ssl_init private key file /Volumes/SOLERA/wildcard.rsa.pem successfully loaded.
    association_add TCP port 443 protocol http handle 0x10c187820

    dissect_ssl enter frame #174 (first time)
    ssl_session_init: initializing ptr 0x113210790 size 712
    association_find: TCP port 59674 found 0x0
    packet_from_server: is from server - FALSE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 171
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 166, ssl state 0x00
    association_find: TCP port 59674 found 0x0
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 1 offset 5 length 162 bytes, remaining 171 
    packet_from_server: is from server - FALSE
    ssl_find_private_key server 165.206.254.134:443
    ssl_find_private_key: testing 2 keys
    dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

    dissect_ssl enter frame #176 (first time)
    packet_from_server: is from server - TRUE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 1368
    dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 65, ssl state 0x11
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 2 offset 5 length 61 bytes, remaining 70 
    dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
    ssl_restore_session Cannot restore using an empty SessionID
    trying to use SSL keylog in 
    failed to open SSL keylog
      cannot find master secret in keylog file either
    dissect_ssl3_hnd_srv_hello found CIPHER 0xC014 -> state 0x17
    dissect_ssl3_hnd_srv_hello trying to generate keys
    ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
    dissect_ssl3_hnd_srv_hello can't generate keyring material
      record: offset = 70, reported_length_remaining = 1298
      need_desegmentation: offset = 70, reported_length_remaining = 1298

    dissect_ssl enter frame #179 (first time)
    packet_from_server: is from server - TRUE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 4675
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 4670, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 11 offset 5 length 4666 bytes, remaining 4675

    dissect_ssl enter frame #179 (first time)
    packet_from_server: is from server - TRUE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 347
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 333, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 12 offset 5 length 329 bytes, remaining 338 
      record: offset = 338, reported_length_remaining = 9
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 4, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 14 offset 343 length 0 bytes, remaining 347

    dissect_ssl enter frame #184 (first time)
    packet_from_server: is from server - FALSE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 150
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 70, ssl state 0x17
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 
    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt
    ssl_generate_pre_master_secret: can't decrypt pre master secret
    trying to use SSL keylog in 
    failed to open SSL keylog
    dissect_ssl3_handshake can't generate pre master secret
      record: offset = 75, reported_length_remaining = 75
    dissect_ssl3_record: content_type 20 Change Cipher Spec
    dissect_ssl3_change_cipher_spec
    packet_from_server: is from server - FALSE
    ssl_change_cipher CLIENT
      record: offset = 81, reported_length_remaining = 69
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 64, ssl state 0x17
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 6 offset 86 length 4641658 bytes, remaining 150

    dissect_ssl enter frame #187 (first time)
    packet_from_server: is from server - TRUE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 298
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 218, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 4 offset 5 length 214 bytes, remaining 223 
    ssl_save_session_ticket stored session_ticket[208]:
    | 5e a8 e9 32 60 3d 43 7d f9 73 d7 d7 7d 4d 0f c2 |^..2`=C}.s..}M..|
    | 32 f4 2c 27 b6 04 fa 5c e1 ae f8 61 e1 d0 2f 0a |2.,'...\...a../.|
    | 73 cf ac 37 30 16 e2 db 73 c5 22 9f 4c b2 fd cb |s..70...s.".L...|
    | 61 04 4e ac 61 4a 1b 1f 4d 68 ac cf e3 60 0d 03 |a.N.aJ..Mh...`..|
    | f2 17 f0 c8 49 60 39 3d df c4 b7 e0 a3 c3 fb a8 |....I`9=........|
    | cc e0 f3 54 50 4d e1 c4 5a 72 f8 d6 03 80 d2 03 |...TPM..Zr......|
    | d1 c0 d3 82 97 46 69 0d 7c db 5f 5e 9d 55 00 7e |.....Fi.|._^.U.~|
    | c7 a0 ab d0 b4 c3 64 a2 86 8e e2 19 81 aa 26 af |......d.......&.|
    | 0e b4 2b 69 39 59 bf 52 0e f0 69 25 7f c6 f8 64 |..+i9Y.R..i%...d|
    | 1b 58 6d 23 2c 63 d2 8b 4f 6b a2 33 50 dc 6b cb |.Xm#,c..Ok.3P.k.|
    | 2f 6c 62 46 4a 43 5a ad 6d 88 e0 fe 85 71 32 5d |/lbFJCZ.m....q2]|
    | 60 a8 61 d9 2e b8 a3 a7 9b 72 66 b4 80 85 ec c4 |`.a......rf.....|
    | 8f 2f 91 43 8c 16 2c 15 86 df 10 d2 0c 5f 61 cb |./.C..,......_a.|
    ssl_save_session_ticket stored master secret[48]:
    | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
      record: offset = 223, reported_length_remaining = 75
    dissect_ssl3_record: content_type 20 Change Cipher Spec
    dissect_ssl3_change_cipher_spec
    packet_from_server: is from server - TRUE
    ssl_change_cipher SERVER
      record: offset = 229, reported_length_remaining = 69
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 64, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 227 offset 234 length 973435 bytes, remaining 298

    dissect_ssl enter frame #200 (first time)
    packet_from_server: is from server - FALSE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 357
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 352, ssl state 0x17
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    association_find: TCP port 59674 found 0x0
    association_find: TCP port 443 found 0x110d43980

    dissect_ssl enter frame #201 (first time)
    packet_from_server: is from server - TRUE
      conversation = 0x10ce04ab0, ssl_session = 0x113210790
      record: offset = 0, reported_length_remaining = 596
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 368, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    association_find: TCP port 443 found 0x110d43980
      record: offset = 373, reported_length_remaining = 223
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 48, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    association_find: TCP port 443 found 0x110d43980
      record: offset = 426, reported_length_remaining = 170
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 112, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    association_find: TCP port 443 found 0x110d43980
      record: offset = 543, reported_length_remaining = 53
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 48, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    association_find: TCP port 443 found 0x110d43980
permanent link

answered 07 Nov '14, 10:38

dribniff's gravatar image

dribniff
6445
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×56

question asked: 07 Nov '14, 07:48

question was seen: 3,387 times

last updated: 07 Nov '14, 10:38

p​o​w​e​r​e​d by O​S​Q​A