I am using the current newest version of Wireshark, 1.6.2. I wanted to decrypt an SSL connection. I entered the IP address, port, protocol and .key file in Preferences -> SSL correctly, but the packets are still not decrypted. I am using an Apache webserver, so the keys are all in .pem format. I also tried converting the key and certificate to .pfx format and using it to decrypt, but to no avail.

Here is the download link for the pcap capture file, server key, certificate and CSR (it's self-signed and it's only for private academic use, so I'm fine sharing it): http://www.mediafire.com/?980y2vwedkf9r6r

I also started capturing packets in Wireshark even before I opened my web browser, so all the handshakes are captured (you can look at my pcap file).
Here is the debug file:
ssl_association_remove removing TCP 443 - http handle 03454E58
ssl_parse: Can't load UAT string "192.168.0.1","443","http","C:\server.key","": ssl_keys:1: File 'C:server.key' does not exist or access is denied.
Private key imported: KeyID ef:d4:b1:da:f3:75:8d:a1:0f:37:87:7b:49:71:f8:2d:...
ssl_init IPv4 addr '192.168.0.1' (192.168.0.1) port '443' filename 'C:\server.key' password(only for p12 file) ''
ssl_init private key file C:\server.key successfully loaded.
association_add TCP port 443 protocol http handle 03454E58
1717 bytes read
PKCS#12 imported
Bag 0/0: Encrypted
Bag 0/0 decrypted: Certificate
Certificate imported: Aldred Benedict <[email protected]>, KeyID efd4b1daf3758da10f37877b4971f82d1a99bd1f
Bag 1/0: PKCS#8 Encrypted key
Private key imported: KeyID ef:d4:b1:da:f3:75:8d:a1:0f:37:87:7b:49:71:f8:2d:...
ssl_init IPv4 addr '192.168.0.1' (192.168.0.1) port '443' filename 'C:\serverCert.pfx' password(only for p12 file) 'caveman'
ssl_init private key file C:\serverCert.pfx successfully loaded.
association_add TCP port 443 protocol http handle 03454E58
dissect_ssl enter frame #21 (first time)
ssl_session_init: initializing ptr 05072A5C size 588
conversation = 050726F4, ssl_session = 05072A5C
record: offset = 0, reported_length_remaining = 163
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 158, ssl state 0x00
association_find: TCP port 1076 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 154 bytes, remaining 163
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.0.1:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #22 (first time)
conversation = 050726F4, ssl_session = 05072A5C
record: offset = 0, reported_length_remaining = 1181
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 53, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88
record: offset = 58, reported_length_remaining = 1123
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 707, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 63 length 703 bytes, remaining 770
record: offset = 770, reported_length_remaining = 411
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 397, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172
record: offset = 1172, reported_length_remaining = 9
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1177 length 0 bytes, remaining 1181
dissect_ssl enter frame #32 (first time)
ssl_session_init: initializing ptr 05073484 size 588
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 163
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 158, ssl state 0x00
association_find: TCP port 1077 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 154 bytes, remaining 163
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.0.1:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #33 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 1181
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 53, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88
record: offset = 58, reported_length_remaining = 1123
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 707, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 63 length 703 bytes, remaining 770
record: offset = 770, reported_length_remaining = 411
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 397, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172
record: offset = 1172, reported_length_remaining = 9
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1177 length 0 bytes, remaining 1181
dissect_ssl enter frame #34 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 704
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 139, reported_length_remaining = 565
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 145, reported_length_remaining = 559
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 148 offset 150 length 8824632 bytes, remaining 198
record: offset = 198, reported_length_remaining = 506
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
record: offset = 235, reported_length_remaining = 469
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 464, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
dissect_ssl enter frame #35 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 266
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 202, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 198 bytes, remaining 207
record: offset = 207, reported_length_remaining = 59
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 213, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 251 offset 218 length 9643165 bytes, remaining 266
dissect_ssl enter frame #36 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 922
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 304, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548
record: offset = 309, reported_length_remaining = 613
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 608, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548
dissect_ssl enter frame #40 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 634
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
record: offset = 37, reported_length_remaining = 597
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 592, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
dissect_ssl enter frame #41 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 122
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
record: offset = 37, reported_length_remaining = 85
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 80, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
dissect_ssl enter frame #43 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 362
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 304, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548
record: offset = 309, reported_length_remaining = 53
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548
dissect_ssl enter frame #47 (first time)
conversation = 0507311C, ssl_session = 05073484
record: offset = 0, reported_length_remaining = 37
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
asked 23 Oct ‘11, 21:35

Caveman
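The following is an added example, not part of the original post: a small triage script that pulls out of an SSL debug log like the one above the lines that explain why a loaded RSA key does not decrypt the session. The function name `triage`, the `SUITES` table (a hand-picked subset of the IANA registry, in which 0x0088 is TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA) and the report field names are assumptions made for the illustration.

```python
import re

# Subset of the IANA TLS cipher suite registry: id -> (name, key exchange).
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x0088: ("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "DHE"),
}

# Lines copied from the debug log in the post (excerpt, not the full log).
SAMPLE_LOG = r"""ssl_parse: Can't load UAT string "192.168.0.1","443","http","C:\server.key","": ssl_keys:1: File 'C:server.key' does not exist or access is denied.
ssl_init private key file C:\server.key successfully loaded.
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88
dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
"""

def triage(log_text):
    """Collect the log evidence that explains a failed RSA-key decryption."""
    # Suites the ServerHello selected but this dissector build did not know.
    ids = sorted({int(h, 16) for h in
                  re.findall(r"can't find cipher suite 0x([0-9A-Fa-f]+)", log_text)})
    kex = {SUITES[i][1] for i in ids if i in SUITES}
    mismatch = "different from KEX_RSA" in log_text
    return {
        # Key-file rows in the SSL preferences that failed to load.
        "key_errors": re.findall(r"ssl_keys:\d+: (.+)$", log_text, re.M),
        "keys_loaded": re.findall(
            r"^ssl_init private key file (.+) successfully loaded\.$", log_text, re.M),
        "suite_names": [SUITES.get(i, (f"unknown 0x{i:04X}", "?"))[0] for i in ids],
        # Handshake type 12 is ServerKeyExchange, which carries the DH parameters.
        "server_key_exchange_seen": bool(re.search(
            r"^dissect_ssl3_handshake iteration \d+ type 12 ", log_text, re.M)),
        # With ephemeral DH the pre-master secret never crosses the wire, so the
        # server's RSA key (used only for signing) cannot recover it.
        "ephemeral_kex": mismatch or "DHE" in kex,
    }

if __name__ == "__main__":
    for field, value in triage(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

When `ephemeral_kex` is true, a correctly loaded server key still leaves every record at "no decoder available"; restricting the server to an RSA key exchange suite for the test capture is the usual way to make key-file decryption applicable.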