This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Decryption Problems

0

I am trying to decrypt an SSL session in Wireshark. I have loaded the p12 file (including password) into Wireshark. Here is the debug output:

2686 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
Private key imported: KeyID <keyID#1>...
Bag 1/0: Encrypted
Bag 1/0 decrypted: Certificate
Certificate imported: <password> <<remoteDomain>>, KeyID <keyID#2>
ssl_init IPv4 addr '<LocalIP>' (<LocalIP>) port '59199' filename 'C:\Users\dbeutler\Desktop\test.p12' <password>(only for p12 file) '<password>'
ssl_init private key file C:\Users\dbeutler\Desktop\test.p12 successfully loaded.
association_add TCP port 59199 protocol http handle 0000000003FF9A90

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0000000005AF1D00 size 680
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 83, ssl state 0x00
association_find: TCP port 59199 found 0000000004A74800
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88
packet_from_server: is from server - FALSE
ssl_find_private_key server <RemoteIP>:443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 150
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
record: offset = 79, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 85, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 194 offset 90 length 16556088 bytes, remaining 150

dissect_ssl enter frame #7 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 388
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 6, reported_length_remaining = 382
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 60, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 252 offset 11 length 10477783 bytes, remaining 71
record: offset = 71, reported_length_remaining = 317
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 312, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59199 found 0000000004A74800

dissect_ssl enter frame #8 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 50
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 45, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0000000004990C80

dissect_ssl enter frame #9 (first time)
conversation = 0000000005AF1880, ssl_session = 0000000005AF1D00
record: offset = 0, reported_length_remaining = 735
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 730, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59199 found 0000000004A74800

dissect_ssl enter frame #4 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88

dissect_ssl enter frame #6 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 150
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
record: offset = 79, reported_length_remaining = 71
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 85, reported_length_remaining = 65
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 194 offset 90 length 16556088 bytes, remaining 150

dissect_ssl enter frame #7 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 388
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 6, reported_length_remaining = 382
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 252 offset 11 length 10477783 bytes, remaining 71
record: offset = 71, reported_length_remaining = 317
dissect_ssl3_record: content_type 23
association_find: TCP port 59199 found 0000000004A74800

dissect_ssl enter frame #8 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 50
dissect_ssl3_record: content_type 23
association_find: TCP port 443 found 0000000004990C80

dissect_ssl enter frame #9 (already visited)
conversation = 0000000005AF1880, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 735
dissect_ssl3_record: content_type 23
association_find: TCP port 59199 found 0000000004A74800

Any help would be appreciated… Thanks, Danny

asked 16 Sep ‘11, 10:17

dbeutler
1223
accept rate: 0%

edited 16 Sep ‘11, 11:55

SYN-bit ♦♦
17.1k957245


One Answer:

0

It would help if you also posted the way you configured the key list in the SSL protocol preferences, as it looks like you entered it incorrectly.

This is how it should be:

<ip-address-of-server>,<port-on-server>,http,<path-to-server-private-key>,<password-if-pkcs12-key>

So when connecting to a https-webserver on 1.1.1.1:443 from a client 10.0.0.1:12345, you would enter:

1.1.1.1,443,http,/tmp/keyfile.pem  or
1.1.1.1,443,http,/tmp/keyfile.pkcs12,mysecretpassword

Hope this helps!

answered 16 Sep '11, 12:01

SYN-bit ♦♦
17.1k957245
accept rate: 20%
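
The mismatch the answer describes is visible in the debug output itself: `ssl_init` registers the key for `<LocalIP>` port 59199, while `ssl_find_private_key` looks up `<RemoteIP>:443` and finds nothing. The following check is an added example, not part of the original answer or of Wireshark; it compares those two kinds of log lines, and the function name `diagnose` and the addresses in the sample log are constructed for illustration.

```python
import re

# Log line shapes taken from the debug output quoted in the question.
INIT_RE = re.compile(r"ssl_init IPv4 addr '([^']+)' \([^)]*\) port '(\d+)'")
LOOKUP_RE = re.compile(r"ssl_find_private_key server (\S+):(\d+)")
NO_KEY = "ssl_find_private_key can't find any private key!"

def diagnose(log_text):
    """Return (configured, failed_lookups, hints) for an SSL debug log."""
    configured = set()   # (addr, port) pairs registered from the key list
    failed = set()       # server endpoints for which no key was found
    pending = None       # last endpoint looked up, awaiting its outcome
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            configured.add((m.group(1), int(m.group(2))))
            continue
        m = LOOKUP_RE.search(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
        elif NO_KEY in line and pending:
            failed.add(pending)
            pending = None
    hints = []
    for srv in sorted(failed):
        if srv in configured:
            continue  # endpoint is right; the problem lies elsewhere
        for addr, port in sorted(configured):
            hints.append(f"key registered for {addr}:{port} but the handshake "
                         f"looked up {srv[0]}:{srv[1]}; use "
                         f"{srv[0]},{srv[1]},http,<path-to-server-private-key>")
    return configured, failed, hints

# Constructed sample: addresses are documentation-range placeholders.
SAMPLE_LOG = """\
ssl_init IPv4 addr '192.0.2.10' (192.0.2.10) port '59199' filename 'test.p12' password(only for p12 file) '***'
association_add TCP port 59199 protocol http handle 0000000003FF9A90
ssl_find_private_key server 198.51.100.5:443
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
"""

if __name__ == "__main__":
    for hint in diagnose(SAMPLE_LOG)[2]:
        print(hint)
```

The `ssl_init` line also carries the PKCS#12 password field, as the redacted value in the question shows, so scrub the debug file before sharing it.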