This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why can I no longer decode SSL traffic with Wireshark?


I used to export decrypted SSL keys in txt format and store them on my C drive under the root directory in \ssl keys. I then went into Wireshark and added the path to the key under "RSA Keys List" - Example: 10.10.10.10,443,https,c:\sslkeys\www-key.txt

For some reason that no longer works, and the only difference I see is a slightly different way of entering that info with Wireshark 1.6.1...and the ability to include passwords (for encrypted keys maybe???). Have there been changes in how this is accomplished that I need to be aware of?

Any ideas what I might be doing wrong? Thanks in advance for any assistance...

asked 29 Aug '11, 13:48

Rathskeller

Now I've tried the same trace file using the same SSL key with 2 different versions of Wireshark, 1.6.1 and 1.4.3. The earlier version works....the current version does not.

I can't believe this is a bug or someone else would've said something by now. I have to think it's something I'm doing wrong with the new format for entering SSL keys. It looks pretty simple and straightforward. The biggest difference I see is a table to fill out instead of a string....and....in the table I can't put https for protocol, I had to use ssl.

Is ANYONE loading SSL keys into Wireshark and decoding SSL? If so.......is it any different than the older versions?

I hate to downgrade my version of Wireshark to make SSL decode work but I might have to if I can't find anyone making the newest version work.

(30 Aug '11, 12:17) Rathskeller

2 Answers:


There were two related bugs reported, which have not been verified yet:

  • 6032 SSL/TLS decryption needs wireshark to be rebooted
  • 6033 SSL/TLS decryption needs a "SSL debug file" in order to work

Can you confirm that configuring the SSL debug file and then restarting Wireshark does indeed result in your Wireshark 1.6.1 decrypting the SSL traffic?

answered 30 Aug '11, 12:50

SYN-bit ♦♦

Thanks much for the response, sorry so slow to get back...DMZ meltdown.

I do have an SSL debug file...nodding...and I restarted Wireshark...no help. I also renamed the debug file to .bak and tried restarting so I'd have a clean file. When I look at the file it tells me that the SSL keys were successfully loaded. However, when I open my test trace I see messages about not finding its key??

Example from debug file:

ssl_init IPv4 addr '172.24.65.100' (172.24.65.100) port '443' filename 'c:\sslkeys\olb-prod.txt' password(only for p12 file) ''
ssl_init private key file c:\sslkeys\olb-prod.txt successfully loaded.

Then in the "dissect_ssl" portion I see..........

ssl_find_private_key server 172.24.65.200:443
ssl_find_private_key can't find private key for this server!

I know the key is good because I verified it and re-copied it to make sure it was okay. I'm using the same key with an earlier version of Wireshark and it works??

I still think there's a slight chance I'm doing something wrong but I don't know what.

Dane

(31 Aug '11, 11:38) Rathskeller

Please use "Add Comment" to respond to earlier answers, that's the way this site works best (see the FAQ for details).

I hate to be the one to say it, but have another look at the IP addresses in your response.... I think you will be fine now :-)

(31 Aug '11, 12:42) SYN-bit ♦♦

Arggg...(and thanks)......slinks off....

(01 Sep '11, 05:50) Rathskeller

FYI bug 6033 still applies to Wireshark 1.6.4. A debug file fixed my problem.

(18 Dec '11, 14:18) kcd


I don't have an IP conflict and cannot get the SSL traffic to decode.

Here is the debug log:

ssl_association_remove removing TCP 8443 - http handle 000000000470FB20
Private key imported: KeyID bc:43:14:85:bd:de:53:9a:67:10:1d:f3:26:9f:b1:42:...
ssl_init IPv4 addr '**75.147.121.41**' (75.147.121.41) port '**8443**' filename 'C:\users\brian\projects\JoxPlz\demo\BaseManagerWan_SecureRawHttpSend\res\tomcat75.pem' password(only for p12 file) ''
ssl_init private key file **C:\users\brian\projects\JoxPlz\demo\BaseManagerWan_SecureRawHttpSend\res\tomcat75.pem successfully loaded.**
association_add TCP port 8443 protocol http handle 000000000470FB20

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0000000005FE1D30 size 680
conversation = 0000000005FE1880, ssl_session = 0000000005FE1D30
record: offset = 0, reported_length_remaining = 103
packet_from_server: is from server - FALSE
ssl_find_private_key server 75.147.41.121:8443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
client random len: 32 padded to 32
dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01

The key is good as it is used in the transfer and is in correct PEM format; no password needed.

No idea what is wrong. Reboots, restarts, re-entries of parameters all lead to the same thing.

answered 20 Feb '12, 14:19

gyannea

edited 20 Feb '12, 14:34

grahamb ♦


This is not an answer to the question asked. Please note that this is not a forum, but a Q&A site (read the FAQ for more details).

I was going to ask you to ask this question as a separate question, but the answer is just too obvious: 75.147.121.41 != 75.147.41.121.

(20 Feb '12, 14:37) SYN-bit ♦♦

You should post a new question for your problem as a) it's not an answer to the original problem, and b) it's not really related to the original problem, unless you too have misconfigured the addresses.

(20 Feb '12, 14:37) grahamb ♦
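Both "it doesn't decrypt" reports on this page turn out to share one mistake: the key list was loaded for one address (the ssl_init line in the debug file) while the trace carries traffic to a different one (the ssl_find_private_key server line). The check below is an added example, not Wireshark code and not from either poster. It parses the SSL debug file lines quoted in both posts, mirrors the lookup fallback the second log itself shows (exact address and port, then "universal port" 0, then "universal address" 0.0.0.0) and reports key-list entries that sit on the right port but the wrong address, flagging the transposed-octet case from the second post. The sample log is constructed from the quoted lines; SAMPLE_DEBUG_LOG, diagnose and the other names are this example's own, and the assumption that the wildcard address is matched with port 0 is marked in the code.

```python
import re

# Constructed sample: the debug-file lines quoted in the two posts above,
# run together into one log. A real run would read the file named in the
# ssl.debug_file preference instead.
SAMPLE_DEBUG_LOG = r"""
ssl_init IPv4 addr '172.24.65.100' (172.24.65.100) port '443' filename 'c:\sslkeys\olb-prod.txt' password(only for p12 file) ''
ssl_init private key file c:\sslkeys\olb-prod.txt successfully loaded.
dissect_ssl enter frame #4 (first time)
ssl_find_private_key server 172.24.65.200:443
ssl_find_private_key can't find private key for this server!
ssl_init IPv4 addr '75.147.121.41' (75.147.121.41) port '8443' filename 'C:\users\brian\projects\JoxPlz\demo\BaseManagerWan_SecureRawHttpSend\res\tomcat75.pem' password(only for p12 file) ''
ssl_init private key file C:\users\brian\projects\JoxPlz\demo\BaseManagerWan_SecureRawHttpSend\res\tomcat75.pem successfully loaded.
association_add TCP port 8443 protocol http handle 000000000470FB20
ssl_find_private_key server 75.147.41.121:8443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
"""

INIT_RE = re.compile(r"ssl_init IPv4 addr '([^']+)' \([^)]*\) port '(\d+)' filename '([^']+)'")
LOADED_RE = re.compile(r"ssl_init private key file (.+) successfully loaded\.")
LOOKUP_RE = re.compile(r"ssl_find_private_key server (\d+(?:\.\d+){3}):(\d+)")


def parse_key_list(log):
    """Map (ip, port) -> key file for every RSA-keys-list entry that Wireshark
    reported as successfully loaded; entries whose file failed to load are dropped."""
    loaded = set(LOADED_RE.findall(log))
    return {(ip, int(port)): path
            for ip, port, path in INIT_RE.findall(log) if path in loaded}


def parse_lookups(log):
    """Every (ip, port) the dissector tried to find a private key for, in order."""
    return [(ip, int(port)) for ip, port in LOOKUP_RE.findall(log)]


def find_key(keys, ip, port):
    """Mirror the fallback order the log shows: exact ip:port, then the same
    address with 'universal port' 0, then 'universal address' 0.0.0.0.
    Assumption: the wildcard-address entry is matched with port 0 as well; the
    log quoted on this page does not show which port it is tried with."""
    for candidate in ((ip, port), (ip, 0), ("0.0.0.0", 0)):
        if candidate in keys:
            return keys[candidate]
    return None


def looks_transposed(a, b):
    """True when two dotted quads hold the same octets in a different order,
    the typo in the second post (75.147.121.41 vs 75.147.41.121)."""
    return a != b and sorted(a.split(".")) == sorted(b.split("."))


def diagnose(log):
    """For each server the dissector could not find a key for, list the
    configured entries on the same port but a different address, flagging
    those that look like a transposed-octet typo.
    Returns [(server_ip, port, [(configured_ip, transposed), ...]), ...]."""
    keys = parse_key_list(log)
    findings, seen = [], set()
    for ip, port in parse_lookups(log):
        if (ip, port) in seen or find_key(keys, ip, port) is not None:
            continue  # already reported, or a key is (or would be) found
        seen.add((ip, port))
        near = [(cfg_ip, looks_transposed(ip, cfg_ip))
                for (cfg_ip, cfg_port) in keys if cfg_port == port and cfg_ip != ip]
        findings.append((ip, port, near))
    return findings


if __name__ == "__main__":
    for ip, port, near in diagnose(SAMPLE_DEBUG_LOG):
        print(f"no key for {ip}:{port}")
        for cfg_ip, transposed in near:
            hint = " (octets transposed?)" if transposed else ""
            print(f"  key list has {cfg_ip}:{port} instead{hint}")
```

To use it on a real capture, enable the SSL debug file preference, open the trace once, and feed that file's contents to diagnose in place of SAMPLE_DEBUG_LOG. The association_add TCP port 8443 protocol http line in the second log also shows what the protocol column of the key list names: the dissector that is handed the decrypted payload.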