This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Follow SSL stream using Master-key and Session-ID

5
3

Hello I'm debugging my SSL application and would be great if I could capture SSL stream using Wireshark and then follow it decrypted. It is not possible to obtain server's private key in my case

But as a client application I can read the whole stream fine and can dump all needed information for decryption, like Session-ID and Master-key, ex:

> openssl s_client -connect mail.google.com:443 -ssl3

Loading 'screen' into random state - done CONNECTED(00000180) depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA verify error:num=20:unable to get local issuer certificate verify return:0

Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Server certificate —–BEGIN CERTIFICATE—– MIIDIjCCAougAwIBAgIQHxn23jXdY6FCkYrVLMCrEjANBgkqhkiG9w0BAQUFADBM MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x MTEyMTgyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBANknyBHye+RFyUa2Y3WDsXd+F0GJgDjxRSegPNnoqABL2QfQut7t9CymrNwn E+wMwaaZF0LmjSfSgRSwS4L6ssXQuyBZYiijlrVh9nbBbUbS/brGDz3RyXeaWDP2 BnYyrVFfKV9u+BKLrebFCDmzQ0OpW5Ed1+PPUd91WY6NgKtTAgMBAAGjgecwgeQw DAYDVR0TAQH/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0 ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0 cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3 dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF BQADgYEAicju7fexy+yRP2drx57Tcqo+BElR1CiHNZ1nhPmS9QSZaudDA8jy25IP VWvjEgaq13Hro0Hg32ZNVK53qcXwjWtnCAReojvNwj6/x1Ciq5B6D7E6eiYDSfXJ 8/a2vR5IbgY89nq+wuHaA6vspH6vNR848xO3z1PQ7BrIjnYQ1A0= —–END CERTIFICATE—– subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

No client certificate CA names sent

SSL handshake has read 1797 bytes and written 296 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : RC4-SHA Session-ID: B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26 Session-ID-ctx: Master-Key: 454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4 Key-Arg : None Start Time: 1306318364 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) —

Is it possible somehow to follow decrypted stream in Wireshark without server’s private key but having client’s Master-Key and Session-ID?

asked 25 May ‘11, 03:22

tosiara's gravatar image

tosiara
81235
accept rate: 0%


2 Answers:

6

OK, forget my last answer... as of today, it is possible to use the "openssl s_client" output to do decryption. I added this to the keylog option that was already there. You can now use the format:

RSA Session-ID:xxxx Master-Key:xxxx

In the key log file to decrypt the session. In your case that would be:

RSA Session-ID:B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26 Master-Key:454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4

You will need to build your own version from "trunk" or use an automated build which will be available in a couple of hours. Please use a version with a number higher or equal to 37401.

I hope this works for you :-)

answered 25 May '11, 14:58

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Great, that works!!! Thank you very much!

Only one small note: if keylog file does not contain trailing CRLF I receive this error:

trying to use SSL keylog in c:\rsa.log checking keylog line: RSA Session-ID:451C00005EC950112D2156C2FDC29BB71A3CA320CEE28FC2DA786AD6F5E5102E Master-Key:DD81A0D7D526740CDEB1AB6DE421102F52C781547A06F6A6480D6055846BB7FFB8CCBCB09FC1A38CC4610135F0F17C4 line contains non-hex chars in master secret

But after adding CRLF at the end - all works perfect!

(26 May '11, 03:22) tosiara

I'm glad it works for you too :-)

Indeed the code requires all lines to be terminated with a newline character.

(26 May '11, 04:59) SYN-bit ♦♦

Although the s_client shows a Session-ID, this will be useless if it is not sent to the server (Session-ID 0 in the capture). You can still try to match a known master key with a request using CLIENT_RANDOM by looking at the traffic. See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9144#c5 for parsing s_client output to generate a CLIENT_RANDOM line.

(14 Sep '13, 10:57) Lekensteyn

2

At the moment "No, not directly". There has been code added that reads in a file with a list of decrypted PreMasterSecrets, indexed by the first 8 bytes (IIRC) of the Encrypted PreMasterSecret. It has been added by a developer that also added a debug option to the SSL library of Firefox/Chrome to export this data (see Bug 4349)

So at the moment, you might be able to fabricate the file yourself based on the tracefile and the "openssl s_client" output. In the future there might be more options added to import/export session keys to make decryption possible without obtaining (or exposing) the private key.

answered 25 May '11, 07:15

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I'm glad you knew this SYN..my knee-jerk reaction to this question was "No - never". It makes sense that this would be possible, but considering the work necessary on the user end I figured it would never be an option.

(25 May '11, 08:16) GeonJay

I'm sorry, the route of creating a keylog file yourself based on the openssl s_client output won't work. I just tried it myself, but the input from the key-log file is a PreMasterSecret, while the output of openssl s_cient is the MasterSecret.

I need to dig into SSL some more again to see whether the MasterSecret contains enough information to decrypt the session. If it does, then it is possible to extend the decryption engine to also take the MasterSecret from the s_client output. But someone needs to find the time to code it...

(25 May '11, 09:28) SYN-bit ♦♦