Unable to decrypt diameter SSL messages.

Question

Hi everyone,

I am unable to decrypt the SSL diameter based messages on wireshark even after adding the server.key in RSK key field. This is my ssl debug log.

Wireshark SSL debug log

Wireshark version: 2.0.2 (v2.0.2-0-ga16e22e from master-2.0) GnuTLS version: 3.2.15 Libgcrypt version: 1.6.2

ssl_association_remove removing TCP 3869 - diameter handle 00000000059A7E80 KeyID[20]: | d2 4a 15 8f b6 90 86 a1 2b 8b 64 6d c6 2c 42 8d |.J......+.dm.,B.| | 55 bf 89 04 |U... | ssl_load_key: swapping p and q parameters and recomputing u ssl_init private key file C:/Users/rprasad/Documents/server.key successfully loaded. ssl_init port '3869' filename 'C:/Users/rprasad/Documents/server.key' password(only for p12 file) '' association_add TCP port 3869 protocol ssl handle 00000000059F6010 dissect_ssl enter frame #1575 (first time) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 00000000082F3970 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 128, ssl state 0x10 association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 3869 found 0000000006F5B280 dissect_ssl enter frame #1577 (first time) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 00000000082F3970 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 144, ssl state 0x10 association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #2884 (first time) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 00000000082F3970 record: offset = 0, reported_length_remaining = 309 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 304, ssl state 0x10 association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #2888 (first time) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 00000000082F3970 record: offset = 0, reported_length_remaining = 805 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 800, ssl state 0x10 association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1577 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2884 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 309 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2888 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 805 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1577 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2884 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 309 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2888 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 805 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1577 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2884 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 309 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2888 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 805 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1577 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2884 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 309 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2888 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 805 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1575 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 133 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #1577 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2884 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 309 dissect_ssl3_record: content_type 23 Application Data dissect_ssl enter frame #2888 (already visited) association_find: TCP port 3869 found 0000000006F5B280 packet_from_server: is from server - TRUE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 805 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #1577 (already visited) association_find: TCP port 6551 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 00000000082F34A0, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 149 dissect_ssl3_record: content_type 23 Application Data

Accepted Answer

0

Hello Jeff, I re created the RSA key and added the same in Wireshark and it looks to be working fine now. Thank you..

answered 03 Jun '16, 10:48

M Roshan Prasad
31●1●1●3
accept rate: 100%

Great. I'll Accept your answer so that your question will show up as having been answered--see the FAQ for details.

(03 Jun '16, 13:00) JeffMorriss ♦

Hello Jeff. Looks like my wire shark is able to do a follow SSL stream only when there is a start of the TLS session, with "server hello" message and certificate exchange messages.

(08 Jun '16, 03:09) M Roshan Prasad

and the next consecutive messages i am not able to do the Follow SSL stream.

(08 Jun '16, 03:10) M Roshan Prasad

i have uploaded the same in cloudshark.org, the one with Server Hello you can find in https://www.cloudshark.org/captures/4baddb1bc4fa and the next consecutive where i am not able to do a Follow SSL Stream is in https://www.cloudshark.org/captures/1c0406a67f7c. Please help me with this

(08 Jun '16, 03:15) M Roshan Prasad

Like any of the tutorials or answers, will tell you

Important: The capture must include the initial SSL/TLS session establishment. In other words, the CLIENTHELLO and SERVERHELLO exchange. Beware captures taken where a session has been resumed. Ideally, ensure any capture either a) is of packets related to an entirely new device connecting or b) where a device that has already previously established a session is used, it is used after a considerable time after the last session was established.

(08 Jun '16, 03:43) Jaap ♦