This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL decode from Websphere

0

Hi, I'm trying to decode traffic from a (windows) browser to a (Linux) Websphere box. So far I have;

  1. User OPENSSL to extract the default private key from Websphere key.p12. This is the websphere keystore used for SSL.
  2. Used OPENSSL to generate an RSA private key, with no password protect. (.pem)
  3. Setup Wireshark as "10.x.x.x,9043,mykey.pem" on the windows client.
  4. Generated some SSL traffic to the websphere box.

Now, the debug file seems to read the private key fine, but I can't get any decoding to work. The first bunch of lines from the debug file now follow.

Any help would be very much appreciated.

Cheers, Con.

ssl_init keys string:
10.0.40.70,9043,http,c:\forget\ferm.pem
ssl_init found host entry 10.0.40.70,9043,http,c:\forget\ferm.pem
ssl_init addr '10.0.40.70' port '9043' filename 'c:\forget\ferm.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 20:F2:56:D7:7F:FC:4B:72:B9:B6:58:9F:56:48:A1:57:...
ssl_init private key file c:\forget\ferm.pem successfully loaded
association_add TCP port 9043 protocol http handle 02D2A998

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 04D31B48 size 564
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 10.0.40.70:9043
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 167
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 162 ssl, state 0x00
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 158 bytes, remaining 167
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01


dissect_ssl enter frame #6 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 1460
need_desegmentation: offset = 0, reported_length_remaining = 1460


dissect_ssl enter frame #7 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 1996
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1991 ssl, state 0x11
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 1996
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 1486 bytes, remaining 1996
dissect_ssl3_handshake iteration 0 type 12 offset 1576 length 412 bytes, remaining 1996
dissect_ssl3_handshake iteration 0 type 14 offset 1992 length 0 bytes, remaining 1996


dissect_ssl enter frame #9 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
ssl_decrypt_pre_master_secret key 17 different from KEX_RSA(16)
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 139, reported_length_remaining = 59
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 145, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 20 offset 150 length 12947981 bytes, remaining 198


dissect_ssl enter frame #11 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER


dissect_ssl enter frame #12 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 93 offset 5 length 5691555 bytes, remaining 53


dissect_ssl enter frame #14 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 533
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 528 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1997 found 00000000
association_find: TCP port 9043 found 062C9F18


dissect_ssl enter frame #16 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 421
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 416 ssl, state 0x17
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 9043 found 062C9F18


dissect_ssl enter frame #17 (first time)
conversation = 04D31870, ssl_session = 04D31B48
record: offset = 0, reported_length_remaining = 581
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 576 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1997 found 00000000
association_find: TCP port 9043 found 062C9F18


dissect_ssl enter frame #19 (first time)

asked 11 Oct ‘11, 12:56

GreyCon's gravatar image

GreyCon
6112
accept rate: 0%

edited 11 Oct ‘11, 13:11

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

One Answer:

1

The problem is that you are using a DH cipher:

...
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
...

(cipher 0x33 = TLS_DHE_RSA_WITH_AES_128_CBC_SHA)

It is not possible to decrypt SSL sessions that use a DH cipher based on network traffic and private key. You could restrict the cipher-list on the client to make sure a (non-DH) cipher is chosen that makes it possible to decrypt.

Cheers,

Sake

answered 11 Oct '11, 13:14

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Dear Sake, Thank you so much for your prompt and helpful reply. I will have to learn a little more about ciphers :-)

Cheers, Con

(11 Oct '11, 14:17) GreyCon

(converted your answer to a comment, see the FAQ for details)

(11 Oct '11, 14:19) SYN-bit ♦♦