This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decryption Problems

0

I am trying to decrypt an SSL Session in Wireshark. I have loaded the p12 file(including password) into wireshark. Here is the debug output:

2686 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
Private key imported: KeyID <keyID#1>...
Bag 1/0: Encrypted
Bag 1/0 decrypted: Certificate
Certificate imported: <password> <<remoteDomain>>, KeyID <keyID#2>
ssl_init IPv4 addr '<LocalIP>' (<LocalIP>) port '59199' filename 'C:\Users\dbeutler\Desktop\test.p12' <password>(only for p12 file) '<password>'
ssl_init private key file C:\Users\dbeutler\Desktop\test.p12 successfully loaded.
association_add TCP port 59199 protocol http handle 0000000003FF9A90

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0000000005AF1D00 size 680
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 83, ssl state 0x00
association_find: TCP port 59199 found 0000000004A74800
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88
packet_from_server: is from server - FALSE
ssl_find_private_key server <RemoteIP>:443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01


dissect_ssl enter frame #6 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 150
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
record: offset = 79, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 85, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 194 offset 90 length 16556088 bytes, remaining 150


dissect_ssl enter frame #7 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 388
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 6, reported_length_remaining = 382
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 252 offset 11 length 10477783 bytes, remaining 71
record: offset = 71, reported_length_remaining = 317
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 312, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59199 found 0000000004A74800


dissect_ssl enter frame #8 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 50
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 45, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004990C80


dissect_ssl enter frame #9 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 735
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 730, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59199 found 0000000004A74800


dissect_ssl enter frame #4 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88


dissect_ssl enter frame #6 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 150
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
record: offset = 79, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 85, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 194 offset 90 length 16556088 bytes, remaining 150


dissect_ssl enter frame #7 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 388
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 6, reported_length_remaining = 382
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 252 offset 11 length 10477783 bytes, remaining 71
record: offset = 71, reported_length_remaining = 317
dissect_ssl3_record: content_type 23
association_find: TCP port 59199 found 0000000004A74800


dissect_ssl enter frame #8 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 50
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 0000000004990C80


dissect_ssl enter frame #9 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 735
dissect_ssl3_record: content_type 23
association_find: TCP port 59199 found 0000000004A74800

Any help would be appreciated… Thanks, Danny

asked 16 Sep ‘11, 10:17

dbeutler's gravatar image

dbeutler
1223
accept rate: 0%

edited 16 Sep ‘11, 11:55

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

One Answer:

0

It would help if you also posted the way you configured the key list in the ssl protocol preferences, as it looks like you entered it incorrect.

This is how it should be:

<ip-adress-of-server>,<port-on-server>,http,<path-to-server-private-key>,<password-if-pkcs12-key>

So when connecting to a https-webserver on 1.1.1.1:443 from a client 10.0.0.1:12345, you would enter:

1.1.1.1,443,http,/tmp/keyfile.pem  or
1.1.1.1,443,http,/tmp/keyfile.pkcs12,mysecretpassword

Hope this helps!

answered 16 Sep '11, 12:01

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%