This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL decode from Websphere

0

Hi, I'm trying to decode traffic from a (windows) browser to a (Linux) Websphere box. So far I have;

  1. User OPENSSL to extract the default private key from Websphere key.p12. This is the websphere keystore used for SSL.
  2. Used OPENSSL to generate an RSA private key, with no password protect. (.pem)
  3. Setup Wireshark as "10.x.x.x,9043,mykey.pem" on the windows client.
  4. Generated some SSL traffic to the websphere box.

Now, the debug file seems to read the private key fine, but I can't get any decoding to work. The first bunch of lines from the debug file now follow.

Any help would be very much appreciated.

Cheers, Con.

ssl_init keys string:
10.0.40.70,9043,http,c:\forget\ferm.pem
ssl_init found host entry 10.0.40.70,9043,http,c:\forget\ferm.pem
ssl_init addr '10.0.40.70' port '9043' filename 'c:\forget\ferm.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 20:F2:56:D7:7F:FC:4B:72:B9:B6:58:9F:56:48:A1:57:...
ssl_init private key file c:\forget\ferm.pem successfully loaded
association_add TCP port 9043 protocol http handle 02D2A998

dissect_ssl enter frame #4 (first time) ssl_session_init: initializing ptr 04D31B48 size 564 association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE dissect_ssl server 10.0.40.70:9043 conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 167 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 162 ssl, state 0x00 association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 158 bytes, remaining 167 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 1460 need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #7 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 1996 dissect_ssl3_record found version 0x0301 -> state 0x11 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 1991 ssl, state 0x11 association_find: TCP port 9043 found 062C9F18 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 1996 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material dissect_ssl3_handshake iteration 0 type 11 offset 86 length 1486 bytes, remaining 1996 dissect_ssl3_handshake iteration 0 type 12 offset 1576 length 412 bytes, remaining 1996 dissect_ssl3_handshake iteration 0 type 14 offset 1992 length 0 bytes, remaining 1996

dissect_ssl enter frame #9 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 198 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 134 ssl, state 0x17 association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 ssl_decrypt_pre_master_secret key 17 different from KEX_RSA(16) dissect_ssl3_handshake can't decrypt pre master secret record: offset = 139, reported_length_remaining = 59 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 145, reported_length_remaining = 53 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 48 ssl, state 0x17 association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 20 offset 150 length 12947981 bytes, remaining 198

dissect_ssl enter frame #11 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec association_find: TCP port 9043 found 062C9F18 packet_from_server: is from server - TRUE ssl_change_cipher SERVER

dissect_ssl enter frame #12 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 53 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 48 ssl, state 0x17 association_find: TCP port 9043 found 062C9F18 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 93 offset 5 length 5691555 bytes, remaining 53

dissect_ssl enter frame #14 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 533 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 528 ssl, state 0x17 association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1997 found 00000000 association_find: TCP port 9043 found 062C9F18

dissect_ssl enter frame #16 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 421 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 416 ssl, state 0x17 association_find: TCP port 9043 found 062C9F18 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 9043 found 062C9F18

dissect_ssl enter frame #17 (first time) conversation = 04D31870, ssl_session = 04D31B48 record: offset = 0, reported_length_remaining = 581 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 576 ssl, state 0x17 association_find: TCP port 1997 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 1997 found 00000000 association_find: TCP port 9043 found 062C9F18

dissect_ssl enter frame #19 (first time)

asked 11 Oct ‘11, 12:56

GreyCon's gravatar image

GreyCon
6112
accept rate: 0%

edited 11 Oct ‘11, 13:11

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245


One Answer:

1

The problem is that you are using a DH cipher:

...
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
...

(cipher 0x33 = TLS_DHE_RSA_WITH_AES_128_CBC_SHA)

It is not possible to decrypt SSL sessions that use a DH cipher based on network traffic and private key. You could restrict the cipher-list on the client to make sure a (non-DH) cipher is chosen that makes it possible to decrypt.

Cheers,

Sake

answered 11 Oct '11, 13:14

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Dear Sake, Thank you so much for your prompt and helpful reply. I will have to learn a little more about ciphers :-)

Cheers, Con

(11 Oct '11, 14:17) GreyCon

(converted your answer to a comment, see the FAQ for details)

(11 Oct '11, 14:19) SYN-bit ♦♦