This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem with decrypting the SSL using the private key

0

Hello everyone,

We are trying to decrypt SSL traffic. I created a test environment with OpenSSL.

So I created my private key and I created my certificate. The parameter in Wireshark seems well configured: 192.168.11.200,443,http,C:\OpenSSL-Win32\bin\testkey.pem

But I still do not decrypt this SSL while I have all the information... To simulate the server I am using: openssl s_server -key testkey.pem -cert testcert.pem -WWW -cipher RC4-SHA -accept 443

In the debug file I have decrypt_ssl3_record: no decoder available

I add that I am capturing the SSL handshake since the start of the session.

Here you can find the key. The key seems not to be protected with a passphrase.

-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQDubfA0PyHS2vmvW1A+I3vM1+cFRuXbaG/OsDbZeytOoB7OXjIb
OeS87ErT7l6fFrIEyCcQozmPQGZdiMuXKvUtiscvRm5oYZzXnUwP3UL19gtmBHjN
u1odENV+S2V6jRa3d0XeDiFUMPeYvDsC8s+A/H2OzGA0v7zD1ssDCFd3uwIDAQAB
AoGBANdMaOoU1Asd9vc04omp6wG3OAJY2fi9HrEqB+1svld6WTcKcf6J0ZYTXSJw
jfrkOI3+2t+4NKK5iXYOr6DqhocB5NMDXPtdHpVyUkOQF6ugE9/fA6DfAVLTdtIE
s5aQqt+8PcxZzwdw0fg07vVHNx7dEXr0q34cTDeIDrXUB6cRAkEA/73swjLosyOJ
gjK61YgHhFKl5r/q3B4Et/cDru7mx4e+gA9vJODujvVkrwJZKly4KWGKSrudXyUr
W3jHIhWOWQJBAO6ril5EyZ1GQwg1jNuyPw7FEzZGDFLwCeDI5Si+bJzpK1TGOf+6
IUJMFaVGSevVCZCLxHUEpMVlcCM4QNzBfDMCQQDth7ONM8eaCtm/CesqROvmZPUd
+wbiZycuzsinA9FpZZT0UGGEuT4ZnaZkPiQfCnsqRCQ0AUnLgzRgAy/BYpARAkEA
1enT66f1mEvoOoxcgnChCejizks8Mn3ILLuCgOEj0gM+fg3o3+aAdr5gzDBSgtf/
aZmL7GHMGMxRFJAPuoyEdwJBAPWF7C3sgtW4Rqxy4MJ2zp5h72C5rkvs7Rxqma/R
GGvsMKINd3Gm1IKUXv5HIPxyHIgrTrgFMsMO81ASiLrPJWw=
-----END RSA PRIVATE KEY-----

Here is the part of the debug file: [screenshot]

Thanks in advance, I am going crazy since I have all the files but could not decrypt the DATA.

asked 08 Dec '14, 07:47


knacky
11113
accept rate: 0%

edited 08 Dec '14, 08:02

1

Imho the provided log is not enough. Can you provide more data?

Some general things:

  • Wireshark is only able to decrypt SSL when the full first SSL handshake is available ("Client Hello" with Session-ID = 0)
  • The Key-Exchange should be RSA (not DHE or ECDHE)
  • SSL: "Reassemble SSL records spanning multiple TCP segments" should be enabled
  • TCP: "Allow subdissectors to reassemble TCP streams" should also be enabled
(08 Dec '14, 10:25) Uli

please post the full log file as text and not as screenshot!

As you've already posted the private key, can you please share the public key and the capture file on google drive, dropbox, etc. - and post the link here.

(08 Dec '14, 11:14) Kurt Knochner ♦

Thx guys for your answers.

You can see here the certificate, which is the public key if I understand well:

-----BEGIN CERTIFICATE-----
MIICnDCCAgWgAwIBAgIJAPGXk7yteXUQMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV
BAYTAlNXMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UE
CgwLU2t5c29mdC1BVE0xCzAJBgNVBAsMAklUMRMwEQYDVQQDDApEVUZPVVJKRVJP
MB4XDTE0MTIwODE1MDkwMloXDTE1MDEwNzE1MDkwMlowZzELMAkGA1UEBhMCU1cx
DzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2VuZXZhMRQwEgYDVQQKDAtTa3lz
b2Z0LUFUTTELMAkGA1UECwwCSVQxEzARBgNVBAMMCkRVRk9VUkpFUk8wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAO5t8DQ/IdLa+a9bUD4je8zX5wVG5dtob86w
Ntl7K06gHs5eMhs55LzsStPuXp8WsgTIJxCjOY9AZl2Iy5cq9S2Kxy9GbmhhnNed
TA/dQvX2C2YEeM27Wh0Q1X5LZXqNFrd3Rd4OIVQw95i8OwLyz4D8fY7MYDS/vMPW
ywMIV3e7AgMBAAGjUDBOMB0GA1UdDgQWBBTfpYLI0I7y25YqasZD8wALlmi0lTAf
BgNVHSMEGDAWgBTfpYLI0I7y25YqasZD8wALlmi0lTAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4GBAOoCP3JJETB/vjHgYdY7Bg1Ltsxj/kkAWrlg8CJjJ3PV
TCl3RwUmxbAEnxIrITK1i8EJlhiD1xpnNBubvzz101g5Djp0W8gCYU4VEqv7nVQT
CxGsdrKkhGnq9PJOago8Ly1HK026QTiIXPFv7mN47ZU2SpLhNLTypO9AOjTPtiFr
-----END CERTIFICATE-----

And here you can find the Debug.txt:

https://drive.google.com/file/d/0BwRtcvviHMo_QVYwU3dBTlRsVUE/view?usp=sharing

My process is simple:

  • I create the certificate
  • I create the private key
  • I convert this key with RSA
  • I simulate the SSL server with OpenSSL (Windows 7)
  • And before connecting with a client (Firefox on Ubuntu) I delete all the history to have the full handshake.

Regarding the last two propositions, I will check:

  • SSL: "Reassemble SSL records spanning multiple TCP segments" should be enabled
  • TCP: "Allow subdissectors to reassemble TCP streams" should also be enabled

Thanks a lot for your contribution.

(09 Dec '14, 07:53) knacky
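Since both the private key and the certificate are now in the thread, the first thing a reader can verify offline is that they actually belong together: Wireshark can only decrypt an RSA key exchange when the configured key's modulus equals the modulus in the server certificate's public key, and a passphrase-protected PEM is a second common reason for "no decoder available". The following is an added example, not code from the thread or from Wireshark; it uses only the Python standard library with a minimal DER walker (which assumes a PKCS#1 "RSA PRIVATE KEY" block and an RSA certificate, not PKCS#8 or EC keys) and takes the key and certificate posted above as its sample input.

```python
"""Check that a PEM RSA private key matches the public key in an X.509 certificate.

Standard library only: a small DER reader is enough to pull the modulus out of an
RSAPrivateKey (PKCS#1) and out of a certificate's SubjectPublicKeyInfo.
"""
import base64
import re

# Sample input: the test key and certificate posted in this thread (copied verbatim).
KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQDubfA0PyHS2vmvW1A+I3vM1+cFRuXbaG/OsDbZeytOoB7OXjIb
OeS87ErT7l6fFrIEyCcQozmPQGZdiMuXKvUtiscvRm5oYZzXnUwP3UL19gtmBHjN
u1odENV+S2V6jRa3d0XeDiFUMPeYvDsC8s+A/H2OzGA0v7zD1ssDCFd3uwIDAQAB
AoGBANdMaOoU1Asd9vc04omp6wG3OAJY2fi9HrEqB+1svld6WTcKcf6J0ZYTXSJw
jfrkOI3+2t+4NKK5iXYOr6DqhocB5NMDXPtdHpVyUkOQF6ugE9/fA6DfAVLTdtIE
s5aQqt+8PcxZzwdw0fg07vVHNx7dEXr0q34cTDeIDrXUB6cRAkEA/73swjLosyOJ
gjK61YgHhFKl5r/q3B4Et/cDru7mx4e+gA9vJODujvVkrwJZKly4KWGKSrudXyUr
W3jHIhWOWQJBAO6ril5EyZ1GQwg1jNuyPw7FEzZGDFLwCeDI5Si+bJzpK1TGOf+6
IUJMFaVGSevVCZCLxHUEpMVlcCM4QNzBfDMCQQDth7ONM8eaCtm/CesqROvmZPUd
+wbiZycuzsinA9FpZZT0UGGEuT4ZnaZkPiQfCnsqRCQ0AUnLgzRgAy/BYpARAkEA
1enT66f1mEvoOoxcgnChCejizks8Mn3ILLuCgOEj0gM+fg3o3+aAdr5gzDBSgtf/
aZmL7GHMGMxRFJAPuoyEdwJBAPWF7C3sgtW4Rqxy4MJ2zp5h72C5rkvs7Rxqma/R
GGvsMKINd3Gm1IKUXv5HIPxyHIgrTrgFMsMO81ASiLrPJWw=
-----END RSA PRIVATE KEY-----"""

CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICnDCCAgWgAwIBAgIJAPGXk7yteXUQMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV
BAYTAlNXMQ8wDQYDVQQIDAZHZW5ldmExDzANBgNVBAcMBkdlbmV2YTEUMBIGA1UE
CgwLU2t5c29mdC1BVE0xCzAJBgNVBAsMAklUMRMwEQYDVQQDDApEVUZPVVJKRVJP
MB4XDTE0MTIwODE1MDkwMloXDTE1MDEwNzE1MDkwMlowZzELMAkGA1UEBhMCU1cx
DzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2VuZXZhMRQwEgYDVQQKDAtTa3lz
b2Z0LUFUTTELMAkGA1UECwwCSVQxEzARBgNVBAMMCkRVRk9VUkpFUk8wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAO5t8DQ/IdLa+a9bUD4je8zX5wVG5dtob86w
Ntl7K06gHs5eMhs55LzsStPuXp8WsgTIJxCjOY9AZl2Iy5cq9S2Kxy9GbmhhnNed
TA/dQvX2C2YEeM27Wh0Q1X5LZXqNFrd3Rd4OIVQw95i8OwLyz4D8fY7MYDS/vMPW
ywMIV3e7AgMBAAGjUDBOMB0GA1UdDgQWBBTfpYLI0I7y25YqasZD8wALlmi0lTAf
BgNVHSMEGDAWgBTfpYLI0I7y25YqasZD8wALlmi0lTAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4GBAOoCP3JJETB/vjHgYdY7Bg1Ltsxj/kkAWrlg8CJjJ3PV
TCl3RwUmxbAEnxIrITK1i8EJlhiD1xpnNBubvzz101g5Djp0W8gCYU4VEqv7nVQT
CxGsdrKkhGnq9PJOago8Ly1HK026QTiIXPFv7mN47ZU2SpLhNLTypO9AOjTPtiFr
-----END CERTIFICATE-----"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem):
    """Return (label, DER bytes) for the first PEM block found in the text."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def is_encrypted_pem(pem):
    """True if the key is passphrase-protected (OpenSSL legacy header or PKCS#8 form)."""
    return "Proc-Type: 4,ENCRYPTED" in pem or "BEGIN ENCRYPTED PRIVATE KEY" in pem


def der_read(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data (truncated PEM?)")
    return tag, pos, pos + length


def der_children(buf, start, end):
    """List the (tag, value_start, value_end) of each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out


def private_key_modulus(der):
    """RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, ... } (PKCS#1)."""
    tag, vs, ve = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE; expected a PKCS#1 RSA private key")
    _, ns, ne = der_children(der, vs, ve)[1]
    return int.from_bytes(der[ns:ne], "big")


def certificate_modulus(der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey.modulus."""
    _, vs, ve = der_read(der, 0)
    _, ts, te = der_children(der, vs, ve)[0]      # tbsCertificate
    tbs = der_children(der, ts, te)
    if tbs[0][0] == 0xA0:                          # EXPLICIT [0] version is optional
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, ss, se = tbs[5]
    _, bs, be = der_children(der, ss, se)[1]      # subjectPublicKey BIT STRING
    pub = der[bs + 1:be]                           # skip the unused-bits count byte
    _, ps, pe = der_read(pub, 0)                   # RSAPublicKey SEQUENCE
    _, ns, ne = der_children(pub, ps, pe)[0]      # modulus INTEGER
    return int.from_bytes(pub[ns:ne], "big")


def key_matches_certificate(key_pem, cert_pem):
    """True when the private key's modulus equals the certificate's public modulus."""
    label, key_der = pem_to_der(key_pem)
    if label != "RSA PRIVATE KEY":
        raise ValueError("expected a PKCS#1 'RSA PRIVATE KEY' block, got %r" % label)
    _, cert_der = pem_to_der(cert_pem)
    return private_key_modulus(key_der) == certificate_modulus(cert_der)


if __name__ == "__main__":
    print("key is passphrase-protected:", is_encrypted_pem(KEY_PEM))
    print("key matches certificate:", key_matches_certificate(KEY_PEM, CERT_PEM))
```

For the key and certificate in this thread the two moduli are identical and the key carries no encryption header, so the key file itself is not the reason decryption fails; a mismatch here would be the first thing to fix before looking at the handshake or the dissector version.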

One Answer:

1

Let's do an analysis on the debug log, frame 38:

dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session

No pre-master secret read from a keylog file. Should not be a problem since you have an RSA private key.

dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17

Cipher suite ID 0x0005 is RC4-SHA, which is not an ECDH suite, so you are able to use the RSA private key.

dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material

This is more problematic, no Master Secret (0x40) nor Pre-Master secret (0x20) could be found. A few frames later (frame 40), the required key material can be generated.

Scanning further through your debug log, it appears that the decryption goes wrong. There was an issue in Wireshark 1.10 which could result in bad decryption for the TLS protocol (memmove vs memcpy). Your debug log says that TLS 1.2 is in use, so you need at least Wireshark 1.12 to get all SSL/TLS dissector improvements.

answered 15 Dec '14, 06:12


Lekensteyn
2.2k3724
accept rate: 30%