I can restrict the server to certain suites but other than trial and error, is there a way I can tell which are supported in my 1.0.2 installation? I assume the code you pointed to is the current development version. Can I see the 1.0.2 version?
Thanks for your help.
--- On Mon, 8/18/08, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Subject: Re: [Wireshark-users] Decoding SSL - what cipher suites are supported?
To: ixxusnexxus@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Monday, August 18, 2008, 10:39 PM
Hi,
That one was only recently added to the development version of wireshark.
{51,KEX_DH,SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
You can find an overview of what Wireshark knows in http://anonsvn.wireshark.org/wireshark/trunk-1.0/epan/dissectors/packet-ssl-utils.c
Thanx, Jaap
ixxus nexxus wrote:
> I am trying to decode some ssl traffic. I have set the private key in
> wireshark but I am still not able to decrypt and view the data. I see
> this error in the log:
>
> dissect_ssl3_hnd_srv_hello can't find cipher suite 0x33
>
> If this one is not supported, where can I get a list of supported
> suites? I am using 1.0.2 on windows.
>
> Thank you for your help.
>
> Here are the details of the log:
>
> ssl_init keys string:
> xxx.xxx.xxx.xxx,http,P:\temp\key.pem
> ssl_init found host entry xxx.xxx.xxx.xxx,443,http,P:\temp\key.pem
> ssl_init addr 'xxx.xxx.xxx.xxx' port '443' filename 'P:\temp\key.pem'
> password(only for p12 file) '(null)'
> ssl_init private key file P:\temp\key.pem successfully loaded
> association_add TCP port 443 protocol http handle 02F5E458
> association_find: TCP port 993 found 03D6A070
> ssl_association_remove removing TCP 993 - imap handle 02E58B00
> association_add TCP port 993 protocol imap handle 02E58B00
> association_find: TCP port 995 found 03D6A0B0
> ssl_association_remove removing TCP 995 - pop handle 03AB16F8
> association_add TCP port 995 protocol pop handle 03AB16F8
>
> dissect_ssl enter frame #6 (first time)
> ssl_session_init: initializing ptr 050B1E70 size 564
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> dissect_ssl server xxx.xxx.xxx.xxx:443
> conversation = 050B1C98, ssl_session = 050B1E70
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 138 ssl, state 0x00
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 1 offset 5 length 134 bytes,
> remaining 143
> dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
>
> dissect_ssl enter frame #8 (first time)
> conversation = 050B1C98, ssl_session = 050B1E70
> dissect_ssl3_record found version 0x0301 -> state 0x11
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 1113 ssl, state 0x11
> association_find: TCP port 443 found 03F5B3D0
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
> remaining 1118
> dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
> dissect_ssl3_hnd_srv_hello can't find cipher suite 0x33
> dissect_ssl3_handshake iteration 0 type 11 offset 79 length 603 bytes,
> remaining 1118
> dissect_ssl3_handshake iteration 0 type 12 offset 686 length 424 bytes,
> remaining 1118
> dissect_ssl3_handshake iteration 0 type 14 offset 1114 length 0 bytes,
> remaining 1118
>
> dissect_ssl enter frame #10 (first time)
> conversation = 050B1C98, ssl_session = 050B1E70
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 102 ssl, state 0x13
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes,
> remaining 107
> dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x13
> dissect_ssl3_handshake not enough data to generate key (required 0x17)
> dissect_ssl3_record: content_type 20
> dissect_ssl3_change_cipher_spec
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> ssl_change_cipher CLIENT
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 48 ssl, state 0x13
> association_find: TCP port 3910 found 00000000
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 94 offset 118 length 7042118
> bytes, remaining 166
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
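
An added example, not part of the original thread and not Wireshark's own code: one way to answer the question above without trial and error is to read the cipher-suite table rows out of the packet-ssl-utils.c that matches the installed release and compare them with the suite numbers the SSL debug log reports as missing. The two tables below are constructed stand-ins in the format quoted in the reply (the suite 47 row is an assumption), and the function names are hypothetical.

```python
import re

# Constructed stand-in for an older table: one row in the format quoted in the
# reply. The suite 47 row is an assumption made for this example.
OLD_TABLE = """
    {47,KEX_RSA,SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
"""
# The same table plus the entry quoted in the reply (51 == 0x33).
NEW_TABLE = OLD_TABLE + """
    {51,KEX_DH,
     SIG_RSA,ENC_AES,16,128,128,DIG_SHA,20,0, SSL_CIPHER_MODE_CBC},
"""
# Two lines taken from the debug log in the thread.
SAMPLE_LOG = """\
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x33
"""

ENTRY_RE = re.compile(r"\{\s*(0[xX][0-9A-Fa-f]+|\d+)\s*,([^{}]*)\}")
MISSING_RE = re.compile(r"can't find cipher suite (0x[0-9A-Fa-f]+)")
PREFIXES = ("KEX", "SIG", "ENC", "DIG", "SSL_CIPHER_MODE")


def parse_suite_table(c_source):
    """Return {suite number: {prefix: token}} for each table row found."""
    suites = {}
    for num, rest in ENTRY_RE.findall(c_source):
        fields = {}
        for tok in (t.strip() for t in rest.split(",")):
            for prefix in PREFIXES:
                if tok.startswith(prefix + "_"):
                    fields[prefix] = tok
        if "KEX" in fields:  # ignore brace initializers that are not suite rows
            number = int(num, 16) if num.lower().startswith("0x") else int(num)
            suites[number] = fields
    return suites


def missing_suites(debug_log):
    """Suite numbers the dissector reported as unknown, de-duplicated."""
    return sorted({int(h, 16) for h in MISSING_RE.findall(debug_log)})


def report(c_source, debug_log):
    """For each missing suite: (hex id, present in table, key exchange token)."""
    known = parse_suite_table(c_source)
    return [(f"0x{n:04x}", n in known, known.get(n, {}).get("KEX"))
            for n in missing_suites(debug_log)]
```

Run parse_suite_table over the packet-ssl-utils.c from the source tree of the installed release to list what that build recognises. Being listed only means the dissector knows the suite: with a KEX_DH (ephemeral Diffie-Hellman) suite such as 0x33, the session keys cannot be derived from the server's RSA private key alone.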