Wireshark mailing list archives
Re: Problem deciphering an openssl stream
From: Philippe Fremy <phil () freehackers org>
Date: Thu, 07 Oct 2010 14:49:59 +0200
Hi Marco,

Marco Simone Zuppone wrote:
> Hello, sorry I have one question: why are you using ip 0.0.0.0 and port 0??

I am doing that because that's what the log file recommends:

dissect_ssl can't find private key for this server! Try it again with universal port 0
dissect_ssl can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0

It's probably not the problem, but at least it rules out the possibility that the problem is about matching the private key with the right server IP.

> You should use the IP of the web server and the port used by the HTTP(S) stream: normally 443.

I did that as well, but it does not improve my situation.

cheers, Philippe
Regards,
Marco S. Zuppone

On Thu, Oct 7, 2010 at 12:15 PM, Philippe Fremy <phil () freehackers org> wrote:

(re-sending, it seems that my first mail did not get through)

Hi,

I tried everything I could think of, but I still can't decipher the SSL stream from my server. Any help would be really appreciated.

I am running Wireshark Version 1.0.1 (SVN Rev 25639) on Windows XP.

I've got the private key of the certificate exported in the PEM format, not ciphered. It begins with:

-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQC6igE7s9qXN+PXa0mFQKTIrr7lZM/j+QQwd1FBK7Awy2+dTrlY

I've set Wireshark SSL to use it:
0.0.0.0,0,http,w:\open-privatekey.pem
and a debug log file:
d:\philippe\wireshark-ssl.log

I've captured the traffic remotely with:
sudo tcpdump -i eth1 -s 65535 -w mysite-tcpdump.pcap

When I load it in wireshark, it's not decoded. Looking at the debug log output, I have:

ssl_init keys string: 0.0.0.0,0,http,w:\open-privatekey.pem
ssl_init found host entry 0.0.0.0,0,http,w:\open-privatekey.pem
ssl_init addr '0.0.0.0' port '0' filename 'w:\open-privatekey.pem' password(only for p12 file) '(null)'
ssl_init private key file w:\open-privatekey.pem successfully loaded
association_add TCP port 0 protocol http handle 02C154C8
association_find: TCP port 993 found 03B164C0
ssl_association_remove removing TCP 993 - imap handle 02B39B88
association_add TCP port 993 protocol imap handle 02B39B88
association_find: TCP port 995 found 03B16500
ssl_association_remove removing TCP 995 - pop handle 037FBA10
association_add TCP port 995 protocol pop handle 037FBA10

For the first packets concerning my server, I get:

dissect_ssl enter frame #166 (first time)
ssl_session_init: initializing ptr 04804DA8 size 564
association_find: TCP port 46705 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 212.117.xx.yy:443
dissect_ssl can't find private key for this server! Try it again with universal port 0
dissect_ssl can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
dissect_ssl can't find any private key!
conversation = 04804BD0, ssl_session = 04804DA8
client random len: 16 padded to 32

I don't get why Wireshark can not find the key in this case.

dissect_ssl enter frame #167 (first time)
conversation = 04804BD0, ssl_session = 04804DA8
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 927 ssl, state 0x11
association_find: TCP port 443 found 03ADCDD8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 932
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 838 bytes, remaining 932
dissect_ssl3_handshake iteration 0 type 14 offset 928 length 0 bytes, remaining 932

And I don't get why there is not enough data to generate the key.

Any help really welcome.
cheers, Philippe

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
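As an added example (not part of the thread or of Wireshark itself), this Python script reads the kind of ssl debug log quoted above, checks the "RSA keys list" entry against the server the dissector reported, and decodes the state bitmask behind "not enough data to generate key (required 0x37)". The flag values are reproduced from Wireshark's packet-ssl-utils.h of the 1.x series as recalled, and the sample log is constructed from the lines quoted in the mail.

```python
import re

# Wireshark SSL session state flags, as defined in packet-ssl-utils.h of the
# 1.x series (reproduced from memory of that header; treat as an assumption).
SSL_STATE_BITS = {0x01: "SSL_CLIENT_RANDOM", 0x02: "SSL_SERVER_RANDOM", 0x04: "SSL_CIPHER",
                  0x08: "SSL_HAVE_SESSION_KEY", 0x10: "SSL_VERSION",
                  0x20: "SSL_MASTER_SECRET", 0x40: "SSL_PRE_MASTER_SECRET"}

def missing_state_bits(have, required):
    """Name the flags set in `required` but still clear in `have`."""
    return [n for b, n in SSL_STATE_BITS.items() if required & b and not have & b]

def parse_keylist(keys):
    """Split an 'RSA keys list' string into (ip, port, protocol, keyfile) tuples."""
    entries = []
    for item in filter(None, keys.split(";")):
        ip, port, proto, path = item.split(",", 3)
        entries.append((ip.strip(), int(port), proto.strip(), path.strip()))
    return entries

def key_entry_matches(entries, ip, port):
    """Mirror the lookup order the log describes: ip:port, port 0, then 0.0.0.0."""
    return any(e[0] in (ip, "0.0.0.0") and e[1] in (port, 0) for e in entries)

def diagnose(log, keys):
    """Turn an ssl debug log into short findings about key lookup and key state."""
    entries = parse_keylist(keys)
    findings = []
    for m in re.finditer(r"dissect_ssl server (\S+):(\d+)", log):
        ip, port = m.group(1), int(m.group(2))
        findings.append(f"server {ip}:{port} has key entry: "
                        f"{key_entry_matches(entries, ip, port)}")
    states = re.findall(r"-> state (0x[0-9A-Fa-f]+)", log)
    need = re.search(r"required (0x[0-9A-Fa-f]+)", log)
    if states and need:
        # The master secret comes from the pre-master secret in ClientKeyExchange,
        # which the RSA key decrypts; at ServerHello time it is normally still clear.
        missing = missing_state_bits(int(states[-1], 16), int(need.group(1), 16))
        findings.append("cannot derive keys yet, missing: " + ", ".join(missing))
    return findings

# Constructed sample: lines copied from the debug output quoted in the thread.
SAMPLE_LOG = """\
dissect_ssl server 212.117.xx.yy:443
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
"""
SAMPLE_KEYS = r"0.0.0.0,0,http,w:\open-privatekey.pem"
```

Run `diagnose(SAMPLE_LOG, SAMPLE_KEYS)` to get one finding per server seen and the named flag that is still missing when key generation is attempted.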