This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I'm trying to decode traffic from a (windows) browser to a (Linux) Websphere box. So far I have;

  1. User OPENSSL to extract the default private key from Websphere key.p12. This is the websphere keystore used for SSL.
  2. Used OPENSSL to generate an RSA private key, with no password protect. (.pem)
  3. Setup Wireshark as "10.x.x.x,9043,mykey.pem" on the windows client.
  4. Generated some SSL traffic to the websphere box.

Now, the debug file seems to read the private key fine, but I can't get any decoding to work. The first bunch of lines from the debug file now follow.

Any help would be very much appreciated.

Cheers, Con.

ssl_init keys string:
10.0.40.70,9043,http,c:\forget\ferm.pem
ssl_init found host entry 10.0.40.70,9043,http,c:\forget\ferm.pem
ssl_init addr '10.0.40.70' port '9043' filename 'c:\forget\ferm.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 20:F2:56:D7:7F:FC:4B:72:B9:B6:58:9F:56:48:A1:57:...
ssl_init private key file c:\forget\ferm.pem successfully loaded
association_add TCP port 9043 protocol http handle 02D2A998

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 04D31B48 size 564
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 10.0.40.70:9043
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 167
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 162 ssl, state 0x00
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 158 bytes, remaining 167 
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 1460
  need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #7 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 1996
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 1991 ssl, state 0x11
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 1996 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 1486 bytes, remaining 1996 
dissect_ssl3_handshake iteration 0 type 12 offset 1576 length 412 bytes, remaining 1996 
dissect_ssl3_handshake iteration 0 type 14 offset 1992 length 0 bytes, remaining 1996

dissect_ssl enter frame #9 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 
ssl_decrypt_pre_master_secret key 17 different from KEX_RSA(16)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 139, reported_length_remaining = 59
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 145, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 20 offset 150 length 12947981 bytes, remaining 198

dissect_ssl enter frame #11 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #12 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl, state 0x17
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 93 offset 5 length 5691555 bytes, remaining 53

dissect_ssl enter frame #14 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 533
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 528 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1997 found 00000000
association_find: TCP port 9043 found 062C9F18

dissect_ssl enter frame #16 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 421
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 416 ssl, state 0x17
association_find: TCP port 9043 found 062C9F18
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 9043 found 062C9F18

dissect_ssl enter frame #17 (first time)
  conversation = 04D31870, ssl_session = 04D31B48
  record: offset = 0, reported_length_remaining = 581
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 576 ssl, state 0x17
association_find: TCP port 1997 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1997 found 00000000
association_find: TCP port 9043 found 062C9F18

dissect_ssl enter frame #19 (first time)

asked 11 Oct '11, 12:56

GreyCon's gravatar image

GreyCon
6112
accept rate: 0%

edited 11 Oct '11, 13:11

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245


The problem is that you are using a DH cipher:

...
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
...

(cipher 0x33 = TLS_DHE_RSA_WITH_AES_128_CBC_SHA)

It is not possible to decrypt SSL sessions that use a DH cipher based on network traffic and private key. You could restrict the cipher-list on the client to make sure a (non-DH) cipher is chosen that makes it possible to decrypt.

Cheers,

Sake

permanent link

answered 11 Oct '11, 13:14

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Dear Sake, Thank you so much for your prompt and helpful reply. I will have to learn a little more about ciphers :-)

Cheers, Con

(11 Oct '11, 14:17) GreyCon

(converted your answer to a comment, see the FAQ for details)

(11 Oct '11, 14:19) SYN-bit ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×2

question asked: 11 Oct '11, 12:56

question was seen: 3,719 times

last updated: 11 Oct '11, 14:19

p​o​w​e​r​e​d by O​S​Q​A