This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TLSv1 Decryption Problem

0

Hello,

I'm having problems decrypting HTTPS TLSv1 traffic. I've set up a Windows Server 2012 VM with IIS and I've only allowed RSA cipher suites.

I start the capture, open the browser and the page and then stop the capture.

Then I configure the private key on Wireshark but the traffic does not get decrypted.

I found an error regarding the Pre Master Secret but I'm sure that this is the correct private key and certificate.

At the end of the post you'll find the contents of the SSL log file.

Regards,

Chris

Wireshark SSL debug log 

ssl_association_remove removing TCP 443 - http handle 0000000004453240
Private key imported: KeyID 75:a5:a6:2c:01:a5:7c:34:a5:4a:a0:e9:c3:74:4f:18:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.0.9' (192.168.0.9) port '443' filename 'C:\Users\chris_000\Desktop\key.pem' password(only for p12 file) ''
ssl_init private key file C:\Users\chris_000\Desktop\key.pem successfully loaded.
association_add TCP port 443 protocol http handle 0000000004453240

dissect_ssl enter frame #8 (first time)
ssl_session_init: initializing ptr 000000000A5D1790 size 712
association_find: TCP port 60866 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 0000000005771098, ssl_session = 000000000A5D1790
  record: offset = 0, reported_length_remaining = 223
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 218, ssl state 0x00
association_find: TCP port 60866 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 214 bytes, remaining 223 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.0.9:443
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #13 (first time)
ssl_session_init: initializing ptr 000000000A5D2280 size 712
association_find: TCP port 60867 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 175
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 170, ssl state 0x00
association_find: TCP port 60867 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 166 bytes, remaining 175 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.0.9:443
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 965
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 960, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 965 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 871 bytes, remaining 965 
dissect_ssl3_handshake iteration 0 type 14 offset 961 length 0 bytes, remaining 965

dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 314
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
pre master encrypted[256]:
| 07 6a 72 cb 03 09 9c 0e 23 c6 23 7f 2c 3d 85 6b |.jr.....#.#.,=.k|
| 67 cf 4b eb 2a 4d 9d 06 2a 7c 75 b5 d5 bf fc 47 |g.K.*M..*|u....G|
| 5e d0 5b cd 86 0e 77 03 58 1d 49 a7 a5 fb 22 a7 |^.[...w.X.I...".|
| e0 b0 1d 3b 90 7d cb 61 35 24 9a f2 3d 3d 14 49 |...;.}.a5$..==.I|
| 25 8a 05 2e da 0c ee f7 01 8d 9c 1f 63 75 49 ba |%...........cuI.|
| b7 ea 43 1e b7 75 53 a7 40 6b d7 45 d9 65 4a ef |..C..uS.@k.E.eJ.|
| 2c b8 7a a5 88 b6 21 ce f9 3e a2 c1 70 b4 2a a1 |,.z...!..>..p.*.|
| e5 38 59 52 88 48 ee 0f e6 8a 60 65 37 d9 76 3b |.8YR.H....`e7.v;|
| fb e6 f0 5d c0 5b 93 e7 8d 27 dd d0 7c 6c 4b 99 |...].[...'..|lK.|
| 0e 3f e2 fd da ba d4 1d c7 87 19 28 30 40 24 c2 |.?.........([email protected]$.|
| 00 e3 96 13 68 20 8c 85 9d ab 9e 61 7b b8 f1 15 |....h .....a{...|
| 5b e5 cd a5 d0 19 bf 4b f9 56 3f 80 a6 a2 f6 37 |[......K.V?....7|
| 69 14 b6 e2 28 97 2c 6b fc 16 19 0e 67 75 eb b2 |i...(.,k....gu..|
| f3 85 3e 06 bd 76 10 73 95 e7 bf bf 73 f3 c7 57 |..>..v.s....s..W|
| 35 09 d9 e0 34 59 97 b6 40 af fd 64 5e dd e2 7a |[email protected]^..z|
| cd 81 7f 7b e0 8a 51 3c cc a9 93 9e ef 0b 64 5a |...{..Q<......dZ|
ssl_decrypt_pre_master_secret:RSA_private_decrypt
decrypted_unstrip_pre_master[256]:
| 07 f9 03 9c 86 87 14 37 b8 47 54 e2 b4 d8 45 04 |.......7.GT...E.|
| 73 28 ca b0 c0 14 7e 48 6b fb c1 01 9f 2e 4d ac |s(....~Hk.....M.|
| 16 b8 a0 b5 22 8b 47 9a f9 4f 81 b6 fb c6 c8 c6 |....".G..O......|
| ab af 11 8d c8 4c 6b 74 96 2c 9c f0 ef bb cf 3e |.....Lkt.,.....>|
| fd 3d 65 67 87 c9 ed 63 9d 1e 69 df 0f 48 86 47 |.=eg...c..i..H.G|
| f5 d7 9f ad 2e c4 46 39 68 b3 cf a8 83 8b 1f 6e |......F9h......n|
| f9 23 9b 7a f9 10 ff f2 0f 84 63 6c a9 25 0a 1f |.#.z......cl.%..|
| 48 7b 63 55 7b ab 3e 66 85 fd b7 71 9e eb 4f 8f |H{cU{.>f...q..O.|
| b9 af 94 13 98 75 52 1e 85 67 fc bd ba e5 f0 05 |.....uR..g......|
| 28 7d da e3 06 38 21 4b f1 7d 50 c3 9d 86 bd 83 |(}...8!K.}P.....|
| 3c 03 10 38 5a cf 3e 9d d8 73 b7 aa b5 f2 48 4b |<..8Z.>..s....HK|
| 74 af 39 4a fb e5 ce 33 27 e6 a6 08 a9 99 71 d1 |t.9J...3'.....q.|
| 80 a7 44 89 7e f4 9c 43 ac 57 2a ad fd ca 02 18 |..D.~..C.W*.....|
| 2a a4 a7 3c 5d d8 32 dc fa e6 1e 30 14 53 7a a8 |*..<].2....0.Sz.|
| bb 5c f0 75 18 52 74 6e 3c 86 40 7d b4 af 2b 08 |.\.u.Rtn<[email protected]}..+.|
| d9 5f 75 cf 87 59 b8 88 6e dd a3 4f 27 ff ff ff |._u..Y..n..O'...|
pcry_private_decrypt: stripping 0 bytes, decr_len 256
ssl_decrypt_pre_master_secret wrong pre_master_secret length (256, expected 48)
ssl_generate_pre_master_secret: can't decrypt pre master secret
trying to use SSL keylog in c:\sslkeylogfile.log
failed to open SSL keylog
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 267, reported_length_remaining = 47
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 273, reported_length_remaining = 41
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 36, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 32 offset 278 length 3561692 bytes, remaining 314

dissect_ssl enter frame #17 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 47
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 6, reported_length_remaining = 41
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 36, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 84 offset 11 length 1500765 bytes, remaining 47

dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 318
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 313, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 60867 found 0000000000000000
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #20 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 948
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 943, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 393
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 388, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 60867 found 0000000000000000
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #23 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 1460
  need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #35 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 16409
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 16404, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #35 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 1111
  need_desegmentation: offset = 0, reported_length_remaining = 1111

dissect_ssl enter frame #47 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 16409
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 16404, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #47 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 762
  need_desegmentation: offset = 0, reported_length_remaining = 762

dissect_ssl enter frame #59 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 16409
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 16404, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #59 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 413
  need_desegmentation: offset = 0, reported_length_remaining = 413

dissect_ssl enter frame #71 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 16409
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 16404, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #71 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 64
  need_desegmentation: offset = 0, reported_length_remaining = 64

dissect_ssl enter frame #72 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 250
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 245, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #74 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 1460
  need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #85 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 16409
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 16404, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #85 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 1111
  need_desegmentation: offset = 0, reported_length_remaining = 1111

dissect_ssl enter frame #97 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 16409
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 16404, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #97 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 762
  need_desegmentation: offset = 0, reported_length_remaining = 762

dissect_ssl enter frame #98 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 000000000A5D2280
  record: offset = 0, reported_length_remaining = 1431
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1426, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771098, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 223
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 214 bytes, remaining 223

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 175
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 166 bytes, remaining 175

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 965
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 965 
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 871 bytes, remaining 965 
dissect_ssl3_handshake iteration 0 type 14 offset 961 length 0 bytes, remaining 965

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 314
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 47
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 41
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 32 offset 278 length 3561692 bytes, remaining 314

dissect_ssl enter frame #17 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 47
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 6, reported_length_remaining = 41
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 84 offset 11 length 1500765 bytes, remaining 47

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 318
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 60867 found 0000000000000000
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #20 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 948
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #22 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 393
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 60867 found 0000000000000000
association_find: TCP port 443 found 0000000004D24240

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 175
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 166 bytes, remaining 175

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 965
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 965 
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 871 bytes, remaining 965 
dissect_ssl3_handshake iteration 0 type 14 offset 961 length 0 bytes, remaining 965

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000005771240, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 314
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 47
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 41
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 32 offset 278 length 3561692 bytes, remaining 314

asked 17 Oct '15, 10:06

CPolydorou's gravatar image

CPolydorou
6113
accept rate: 0%

edited 18 Oct '15, 14:22

grahamb's gravatar image

grahamb ♦
19.8k330206
One Answer:
active answersoldest answersnewest answerspopular answers
0

Please try first to use the snakeoil2 sample capture. https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=snakeoil2_070531.tgz

Are you able to decrypt it ?

If you can, please upload the key.

permanent link

answered 18 Oct '15, 02:26

adasko's gravatar image

adasko
86343842
accept rate: 0%

edited 19 Oct '15, 05:51

Hi,

I tried to open the file in the tar archive but there are not packets. The private key is missing also.

I'm using Wireshark 1.12.8 on Windows.

(18 Oct '15, 03:27) CPolydorou

there is a .cap file and the private key inside:

alt text

(18 Oct '15, 03:36) adasko

Never mind, the extension of the file in the archive is missing, that confused me a little bit.

I can decrypt the sample traffic.

I run the browser on another VM, where Wireshark is installed.

Thanks

(18 Oct '15, 03:37) CPolydorou

The Private Key uploaded to Wireshark is the one from the VM running IIS, right ?

(18 Oct '15, 03:38) adasko

Yes. I've uploaded the files here

(18 Oct '15, 03:42) CPolydorou

the .pfx is password protected, can you send it as a pm it to me ?

(18 Oct '15, 03:50) adasko

The password is PasswordForCertificate.

Sorry, I forgot that.

I've also updated the file with the certificate in PEM format converted using openssl.

(18 Oct '15, 03:56) CPolydorou

did you select any other other options beside the default ones ? alt text

(18 Oct '15, 04:32) adasko

Yes the first and the last ones.

(18 Oct '15, 04:56) CPolydorou

try to export it the same options selected as on my screenshot. next convert the private key file in PKCS12 format to PEM format:

openssl pkcs12 -nodes -in your.pfx -out key.pem -nocerts -nodes

c:\OpenSSL-Win32\bin> openssl rsa -in key.pem -out keyout.pem

let me know if that works

(18 Oct '15, 05:02) adasko

I didn't work...

(18 Oct '15, 05:14) CPolydorou

can you please upload the new files...

(18 Oct '15, 05:16) adasko

I'm trying to post the link but I get invalid captcha...

I can't post it here because of SPAM filtering.

(18 Oct '15, 05:35) CPolydorou

when you open the "keyout.pem" do you see it in the following format:

-----BEGIN RSA PRIVATE KEY-----

blablalablablalbalalbalbalbb blablalblalblablalbblblalba..

-----END RSA PRIVATE KEY-----

(18 Oct '15, 05:36) adasko

Yes. I've updated the contents of the first file I've shared with the new files.

Have you tested these files?

(18 Oct '15, 05:39) CPolydorou

well, I'm still not able to decrypt it. Just to double check, you did the export on the server NOT the client, right ? and you are sure that it's the correct one ?

(18 Oct '15, 07:36) adasko

Yes. I do not have any other certificates on the server. I also tried with other cipher suites without any luck.

(18 Oct '15, 08:47) CPolydorou

From https://wiki.wireshark.org/SSL

"The RSA key file can either be a PEM format private key or a PKCS#12 keystore. If the file is a PKCS#12 keystore (typically a file with a .pfx or .p12 extension), the password for the keystore must be specified in the Password field."

Tried with the .pfx you provided, still no luck. I'm puzzled.

Will try to reproduce it tomorrow.

(18 Oct '15, 09:13) adasko

I've tried that also.

Just tried with Wireshark 2.0.0.rc1 with the same results.

(18 Oct '15, 09:15) CPolydorou

one note, the certificate and Private Key match (it was mentioned in other posts that a mismatch can cause issues) but this is not the case ... alt text

(18 Oct '15, 10:04) adasko

guys, please post comments as comments not "answers". I've just spent several minutes of my spare time cleaning up your "answers".

Please read the FAQ for more information.

(18 Oct '15, 14:28) grahamb ♦
showing 5 of 21 show 16 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×165
×23

question asked: 17 Oct '15, 10:06

question was seen: 2,006 times

last updated: 19 Oct '15, 05:51

Related questions

Decrypting your own Tlsv1 packets?

decrypting SSL packets on Chromium or Opera does not work?

SSL decrypting problem

SSL Decryption Error

Can't save the decrypted data in wireshark

LDAP SSL decrypt issue

Filtering TShark output to only capture decrypted hexadecimal

Trying to decrypt messages to and from my chat client

tshark: command syntax for decrypting TLS traffic from 2 or more servers

Wireshark isn't decrypting my 802.11 traffic

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A