This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem in decrypting SSL - Wireshark 1.6.2

0

I am using the current newest version of Wireshark, 1.6.2. I wanted to decrypt an SSL connection. I entered the IP address, port, protocol and .key file in Preferences -> SSL correctly, but the packets are still not decrypted. I am using an Apache webserver, so the keys are all in .pem format. I also tried converting the key and certificate to .pfx format and using it to decrypt, but to no avail. Here is the download link for the pcap capture file, server key, certificate and CSR (It's self-signed and it's only for private academic use so I'm fine sharing it): http://www.mediafire.com/?980y2vwedkf9r6r And I also started capturing packets in Wireshark even before I opened my web browser, so all the handshakes are captured (you can look at my pcap file)

Here is the debug file:

ssl_association_remove removing TCP 443 - http handle 03454E58
ssl_parse: Can't load UAT string "192.168.0.1","443","http","C:\server.key","": ssl_keys:1: File 'C:server.key' does not exist or access is denied.
Private key imported: KeyID ef:d4:b1:da:f3:75:8d:a1:0f:37:87:7b:49:71:f8:2d:...
ssl_init IPv4 addr '192.168.0.1' (192.168.0.1) port '443' filename 'C:\server.key' password(only for p12 file) ''
ssl_init private key file C:\server.key successfully loaded.
association_add TCP port 443 protocol http handle 03454E58
1717 bytes read
PKCS#12 imported
Bag 0/0: Encrypted
Bag 0/0 decrypted: Certificate
Certificate imported: Aldred Benedict <[email protected]>, KeyID efd4b1daf3758da10f37877b4971f82d1a99bd1f
Bag 1/0: PKCS#8 Encrypted key
Private key imported: KeyID ef:d4:b1:da:f3:75:8d:a1:0f:37:87:7b:49:71:f8:2d:...
ssl_init IPv4 addr '192.168.0.1' (192.168.0.1) port '443' filename 'C:\serverCert.pfx' password(only for p12 file) 'caveman'
ssl_init private key file C:\serverCert.pfx successfully loaded.
association_add TCP port 443 protocol http handle 03454E58

dissect_ssl enter frame #21 (first time)
ssl_session_init: initializing ptr 05072A5C size 588
  conversation = 050726F4, ssl_session = 05072A5C
  record: offset = 0, reported_length_remaining = 163
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 158, ssl state 0x00
association_find: TCP port 1076 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 154 bytes, remaining 163 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.0.1:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #22 (first time)
  conversation = 050726F4, ssl_session = 05072A5C
  record: offset = 0, reported_length_remaining = 1181
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 53, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88
  record: offset = 58, reported_length_remaining = 1123
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 707, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 63 length 703 bytes, remaining 770 
  record: offset = 770, reported_length_remaining = 411
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 397, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172 
  record: offset = 1172, reported_length_remaining = 9
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1177 length 0 bytes, remaining 1181

dissect_ssl enter frame #32 (first time)
ssl_session_init: initializing ptr 05073484 size 588
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 163
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 158, ssl state 0x00
association_find: TCP port 1077 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 154 bytes, remaining 163 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.0.1:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #33 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 1181
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 53, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x88
  record: offset = 58, reported_length_remaining = 1123
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 707, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 63 length 703 bytes, remaining 770 
  record: offset = 770, reported_length_remaining = 411
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 397, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 775 length 393 bytes, remaining 1172 
  record: offset = 1172, reported_length_remaining = 9
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1177 length 0 bytes, remaining 1181

dissect_ssl enter frame #34 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 704
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 139, reported_length_remaining = 565
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 145, reported_length_remaining = 559
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 148 offset 150 length 8824632 bytes, remaining 198 
  record: offset = 198, reported_length_remaining = 506
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
  record: offset = 235, reported_length_remaining = 469
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 464, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #35 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 266
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 202, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 198 bytes, remaining 207 
  record: offset = 207, reported_length_remaining = 59
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 213, reported_length_remaining = 53
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 251 offset 218 length 9643165 bytes, remaining 266

dissect_ssl enter frame #36 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 922
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 304, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548
  record: offset = 309, reported_length_remaining = 613
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 608, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #40 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 634
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
  record: offset = 37, reported_length_remaining = 597
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 592, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #41 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 122
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548
  record: offset = 37, reported_length_remaining = 85
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 80, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1077 found 00000000
association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #43 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 362
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 304, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548
  record: offset = 309, reported_length_remaining = 53
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 48, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0604A548

dissect_ssl enter frame #47 (first time)
  conversation = 0507311C, ssl_session = 05073484
  record: offset = 0, reported_length_remaining = 37
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 32, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

asked 23 Oct '11, 21:35

Caveman's gravatar image

Caveman
26223
accept rate: 50%

edited 23 Oct '11, 21:41

One Answer:
active answersoldest answersnewest answerspopular answers
0

I figured what's wrong. I used a Diffie-Hellman cipher. That's why the traffic cannot be decrypted.

permanent link

answered 30 Oct '11, 05:18

Caveman's gravatar image

Caveman
26223
accept rate: 50%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×319
×165
×62

question asked: 23 Oct '11, 21:35

question was seen: 4,888 times

last updated: 30 Oct '11, 05:18

Related questions

Encrypted POST data not decrypted

Decrypt website traffic SSL/TSL

Decrypt SSL Traffic destined for Squid Proxy Server

DTLS decryption not working on Wireshark 1.6.5, even for sample capture

Can't decrypt ssl in capture from windump

unable to decrypt ssl traffic in wireshark

issues decrypting SSL Traffic

Decrypt WEP packets

Decrypting ESP packet with AES GCM

Strange SSL capture: "Ignored Unknown Record" instead of ServerHello

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A