Wireshark-users: Re: [Wireshark-users] need help with decrypting ssl messages
From: Al <shaselai@xxxxxxxxx>
Date: Thu, 14 Oct 2010 13:29:54 -0700 (PDT)
Doug,

1. Yes. I started up Wireshark listening only on the server IP and it records everything with "client hello".
2. Yes, but it is blank. Actually the protocol is only TCP, SSLv2, TLSv1.

I also found this message:

decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material

It seems the server decoder isn't available - how do I make it available or select some other decoder?

Also another question... When I am listening on the IP, I as client am sending files like 2-3 megs. I browsed through the Wireshark frames but I don't really see anything that's that big... I am curious as to whether the data's size isn't being shown or the file was never transmitted?

Thanks

--- On Thu, 10/14/10, Burks, Doug <doug.burks@xxxxxxxxxx> wrote:

> From: Burks, Doug <doug.burks@xxxxxxxxxx>
> Subject: Re: [Wireshark-users] need help with decrypting ssl messages
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Date: Thursday, October 14, 2010, 3:47 PM
>
> Your preferences config looks correct (it should be "http" NOT "https").
>
> Two questions:
> 1. Does your capture contain the ENTIRE conversation (including the Client Hello)?
> 2. Have you tried "Follow SSL Stream" instead of "Follow TCP Stream"?
>
> Regards,
> --
> Doug Burks, GSE, CISSP
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al
> Sent: Thursday, October 14, 2010 3:15 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] need help with decrypting ssl messages
>
> I followed a guide where I extracted my private key and inserted it into the SSL preferences in Wireshark like:
>
> 123.456.55.678,443,http,C:\testkey.pem
>
> I tried both http and https - I thought since I am talking to the server in https it might be https? Anyway, both failed to decrypt (I still see jargon raw data when I view the TCP stream). The debug log gives me:
>
> ssl_association_remove removing TCP 443 - http handle 03164D48
> ssl_init keys string: 123.456.55.678,443,http,C:\testkey.pem
> ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem
> ssl_init addr '123.456.55.678' port '443' filename 'C:\testkey.pem' password(only for p12 file) '(null)'
> Private key imported: KeyID 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
> ssl_init private key file C:\testkey.pem successfully loaded
> association_add TCP port 443 protocol http handle 03164D48
>
> dissect_ssl enter frame #4 (first time)
> ssl_session_init: initializing ptr 04E41BAC size 584
> conversation = 04E41868, ssl_session = 04E41BAC
> record: offset = 0, reported_length_remaining = 100
> packet_from_server: is from server - FALSE
> ssl_find_private_key server 123.456.55.678:443
> client random len: 32 padded to 32
> dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01
> ........
>
> So it seems the key has been found and loaded BUT when I check the STOPPED TCP stream it is still all jargon... what am I doing wrong here? Thanks
>
> I am pretty sure I am on the right server since the key is loaded and I checked netstat and found the IP of the webservice... but still from Wireshark the client basically does handshake and cert check with server and then afterwards server just sends "fin" and ends it.... really not sure what's going on here...
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
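Editor's added example (not code from this thread or from the Wireshark project). Two things decide whether Wireshark's RSA-private-key decryption can work on a capture: the session state the ssl dissector has accumulated, and the key exchange the server picked. The debug line "not enough data to generate key (0x17 required 0x37 or 0x57)" compares the session state against the bit masks defined in Wireshark's packet-ssl-utils.h: 0x17 means client random, server random, cipher and version are known, while 0x37 and 0x57 additionally require the master secret (0x20) or the pre-master secret (0x40). The pre-master secret is only recoverable with the server's RSA key when the negotiated cipher suite uses plain RSA key exchange and the capture contains the ClientKeyExchange; with DHE or ECDHE suites the RSA key merely signs ephemeral parameters and cannot decrypt the session. The script below decodes such a state mask, parses a ServerHello record and classifies its cipher suite. The cipher-suite tables are a deliberately small, hand-picked subset, and the ServerHello bytes are constructed inline rather than taken from any real capture.

```python
"""Added example (not from the mailing-list thread): decode the ssl dissector
state mask from Wireshark's debug log and check whether a captured ServerHello
negotiated a key exchange that the server's RSA private key can decrypt."""
import struct

# State bits as defined in Wireshark's packet-ssl-utils.h. The log line
# "not enough data to generate key (0x17 required 0x37 or 0x57)" is this mask.
STATE_BITS = {
    0x01: "CLIENT_RANDOM",
    0x02: "SERVER_RANDOM",
    0x04: "CIPHER",
    0x08: "HAVE_SESSION_KEY",
    0x10: "VERSION",
    0x20: "MASTER_SECRET",
    0x40: "PRE_MASTER_SECRET",
}
KEYRING_BASE_BITS = (0x01, 0x02, 0x04, 0x10)   # together 0x17
KEYRING_SECRET_MASK = 0x20 | 0x40              # either secret is enough


def decode_state(state):
    """Names of the state bits set in `state`, lowest bit first."""
    return [name for bit, name in STATE_BITS.items() if state & bit]


def missing_for_keyring(state):
    """What ssl_generate_keyring_material still needs before it can derive
    record keys: every base bit plus one of the two secrets."""
    missing = [STATE_BITS[b] for b in KEYRING_BASE_BITS if not state & b]
    if not state & KEYRING_SECRET_MASK:
        missing.append("PRE_MASTER_SECRET or MASTER_SECRET")
    return missing


# Plain RSA key exchange: the premaster secret is sent in ClientKeyExchange
# encrypted to the server's RSA key, so that key decrypts the session.
# Small hand-picked subset for this example; extend as needed.
RSA_KX = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# (EC)DHE: the RSA key only signs ephemeral parameters; the premaster secret
# never crosses the wire, so the private key alone cannot decrypt.
EPHEMERAL_KX = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def parse_server_hello(record):
    """Parse one TLS record (RFC 5246 layout) carrying a ServerHello.
    Returns version, 32-byte server random, session id and cipher suite;
    raises ValueError on anything truncated or of the wrong type."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake type %d is not ServerHello" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:        # 2+32+1+2+1 with empty session id
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hs[0:2])
    server_random = hs[2:34]
    sid_len = hs[34]
    pos = 35 + sid_len
    if len(hs) < pos + 3:                       # cipher suite (2) + compression (1)
        raise ValueError("truncated ServerHello")
    (cipher_suite,) = struct.unpack("!H", hs[pos:pos + 2])
    return {"version": version, "random": server_random,
            "session_id": hs[35:pos], "cipher_suite": cipher_suite}


def rsa_key_decrypts(cipher_suite):
    """(True/False/None, suite name): can the server's RSA key recover the
    premaster secret for this suite? None means not in this example's tables."""
    if cipher_suite in RSA_KX:
        return True, RSA_KX[cipher_suite]
    if cipher_suite in EPHEMERAL_KX:
        return False, EPHEMERAL_KX[cipher_suite]
    return None, "0x%04X" % cipher_suite


def build_server_hello(cipher_suite, server_random=bytes(range(32)), session_id=b""):
    """Constructed TLS 1.0 ServerHello record for offline testing (not a real capture)."""
    hs = (struct.pack("!H", 0x0301) + server_random + bytes([len(session_id)])
          + session_id + struct.pack("!H", cipher_suite) + b"\x00")  # null compression
    msg = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!HH", 0x0301, len(msg)) + msg


if __name__ == "__main__":
    print("state 0x17 has", decode_state(0x17), "missing", missing_for_keyring(0x17))
    for suite in (0x002F, 0xC014):
        hello = parse_server_hello(build_server_hello(suite))
        ok, name = rsa_key_decrypts(hello["cipher_suite"])
        print("%s -> RSA private key can decrypt: %s" % (name, ok))
```

Run against a real capture, feed `parse_server_hello` the raw bytes of the ServerHello record (for example exported from Wireshark with "Export Packet Bytes"); a `False` from `rsa_key_decrypts` means no RSA key file in the SSL preferences will ever decrypt that session, and a `None` means the suite needs adding to the tables before the check says anything.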
- Follow-Ups:
- Re: [Wireshark-users] need help with decrypting ssl messages
- From: Stephen Fisher
- Re: [Wireshark-users] need help with decrypting ssl messages
- References:
- Re: [Wireshark-users] need help with decrypting ssl messages
- From: Burks, Doug
- Re: [Wireshark-users] need help with decrypting ssl messages