This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ssl decryption

0
1

Just upgraded to 1.7.0 from 1.6.4 In neither release was ssl decryption working (at least I couldn't get it to work) Have read the zillions of available googles on the topic. My question is simple - Has anyone actually got this to work with this version ?

Either way I'll likely give up - but I just wanted to know if someone had actually, with their very own fingers, gotten this to work with 1.7.0 1.6.4.

Thanks

asked 01 Dec '11, 08:29

colayack's gravatar image

colayack
1121
accept rate: 0%

2 Answers:

4

Yes, even today...

There are three things you need to make sure of:

  • Provide the proper private key (check the ssl-debug log to see if it actually loaded OK)
  • Make sure the whole SSL handshake for this SSL session is in the tracefile (make sure you see the "Certificate" message from the server)
  • Check whether you're not using a DiffieHellman cipher (the cipher in the ServerHello message should not contain DHE or DH)

If that does not get you started, have a look at my Sharkfest presentation on troubleshooting SSL

answered 01 Dec '11, 09:34

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hi, Thanks for the response. I believe all of the items above check out ok. I'll add some 'exciting' snippets from the log file. If you'd like more info - that would be fine. If you'd care not to look any further - I understand that, too. This would be a lifesaver if it worked. Thanks, Steve

Items that might be interesting: looks like things start out fine:

ssl_association_remove removing TCP 443 - http handle 03818A60
Private key imported: KeyID 60:66:fc:9d:79:d8:4b:0c:23:82:cb:f1:fa:11:ac:06:...
ssl_init IPv4 addr '10.5.4.224' (10.5.4.224) port '443' filename 'Q:\yackes\certs\devpc\ecomtls.pk' password(only for p12 file) ''
ssl_init private key file Q:\yackes\certs\devpc\ecomtls.pk successfully loaded.
association_add TCP port 443 protocol http handle 03818A60
Private key imported: KeyID 5b:2c:ed:79:fb:c4:ed:33:ef:74:69:0b:d5:36:2a:23:...
ssl_init IPv4 addr '10.5.1.189' (10.5.1.189) port '443' filename 'Q:\yackes\certs\leoa\navtls.pk' password(only for p12 file) ''
ssl_init private key file Q:\yackes\certs\leoa\navtls.pk successfully loaded.
association_add TCP port 443 protocol http handle 03818A60

this is the only hint of an error

ssl_decrypt_pre_master_secret wrong pre_master_secret length (123, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 279, reported_length_remaining = 59

lots of these

decrypt_ssl3_record: no decoder available
(01 Dec '11, 13:26) colayack

Are you sure the key is the one matching the certificate? I have seen the "wrong pre_master_secret length" errors when I was providing the wrong key.

You should point Wireshark to the (PEM formatted) private key which resides on the server 10.5.4.224.

(01 Dec '11, 15:23) SYN-bit ♦♦

Hi,

After initial failings I made the keys/certs myself. Following is the pattern.

Problem is I am ignorant enough to be dangerous. I wouldn't know a PEM from ... well whatever

Does the below qualify as a PEM ?

Thanks (and I'll check on your most recent suggestions right now)

2330 openssl genrsa -des3 -out server_224.key 2048 2331 openssl rsa -in server_224.key -out server_224.key.insecure 2332 openssl req -new -key server_224.key.insecure -out server_224.csr 2334 openssl x509 -req -days 365 -in server_224.csr -signkey server_224.key.insecure -out server_224.crt

(02 Dec '11, 05:55) colayack

2330 openssl genrsa -des3 -out server_224.key 2048

2331 openssl rsa -in server_224.key -out server_224.key.insecure

2332 openssl req -new -key server_224.key.insecure -out server_224.csr

2334 openssl x509 -req -days 365 -in server_224.csr -signkey server_224.key.insecure -out server_224.crt

(02 Dec '11, 05:56) colayack

@colayack I converted your "answers" to comments, as they were responses to SYNbit's answer.

(02 Dec '11, 10:59) grahamb ♦

Thanks for all the help. I'm sure it works great. I'll just 'move on'

(05 Dec '11, 08:25) colayack
showing 5 of 6 show 1 more comments

0

Have a look at the capture I posted at CloudShark, you can use the following key to decrypt the traffic:

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDrHdbb+yGE6m6EZ03bXURpZCjch2H6g97ZAkJVGrjLZFfettBA
EYa8vYYxWsf8KBpEZeksSCsDA9MnU2H6QDjzqdOnaSWfeXMAr4OsCOpauStpreq7
q1hk8iOqy+f4KijRrhWplh1QW1A8gtSIg137pyUhW+WsfwxKwmzjGIC1SwIDAQAB
AoGBAMneA9U6KIxjb+JUg/99c7h9W6wEvTYHNTXjf6psWA+hpuQ82E65/ZJdszL6
+8vfbrYdPfdcOznKdehE6lGgBIRjhbOOeOxTxfbt1OWcVeqW17t52QiZbaK/dt/j
Fn8RyixrU4NSSPWG7NCyLJwYU2lgstUbhHg2Hz9Mz59GgS2xAkEA+fXI/b65qF29
/OAz8iHrmGU/qmwrP2+I+gNB1ji2bIPfXLg/V3Q70golpeRhcORB1SbMYP8+PCU5
5NsC1iRGuQJBAPDMO/w8Rzl4waw885c3DFlIar81H3VCBoswUqPBDdQvtSatMq1c
BA27q5Re+XewBGx4AbP84lPPsDD7aX8eWiMCQQCEUfVdRgq4My+w3usAwa4bFXYX
fH2EbkG/v9upUIpZdZHXXn3BiPll3hNB910RyvOCp7BHpLbIVhiIqtucisWZAkAs
b6QKMh16r5wd6smQ+CmhOEnqqyT5AIwwl2RIr9GbfIpTbtbRQw/EcQOCx9wFiEfo
tGSsEFi72rHK+DpJqRI9AkEA72gdyXRgPfGOS3rfQ3DBcImBQvDSCBa4cuU1XJ1/
MO93a8v9Vj87/yDm4xsBDsoz2PyBepawHVlIvZ6jDD0aXw==
-----END RSA PRIVATE KEY-----

Please note that there are two bugs in Wireshark since 1.6.0 which seem to effect decryption:

  • You need to restart wireshark after adding a key to the SSL preferences (bug 6032)
  • You need to configure a SSL debug file (bug 6033)

answered 05 Dec '11, 12:00

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%