Wireshark · Wireshark-users: Re: [Wireshark-users] SSL Decoding fails on Linux, works on Windows 7 64-bit

[Sake Blok <sake@xxxxxxxxxx>]

On 20 aug 2012, at 21:49, Bas Nedermeijer wrote:
> On Monday 20 August 2012 21:21:42 Sake Blok wrote:
>> On 20 aug 2012, at 21:05, Bas Nedermeijer wrote:
>>> The ssl.debug file (partial) of the Linux version (which fails). Some
>>> filenames have been altered. But the KeyID shows it is the same private
>>> key. [...]
>>> ssl_decrypt_pre_master_secret wrong pre_master_secret length (87, expected
>>> 48) dissect_ssl3_handshake can't decrypt pre master secret
>> 
>> Are you sure the configured key matches the certificate in the tracefile?
>> Every time I have encountered the above messages, I was using a key that
>> did not match the certificate
> 
> I am pretty sure, the keyid in the logfiles is the same. And the (captured) 
> data is captured on the windows machine, and loaded on the linux machine. So 
> those are also the same.
> 
> The only thing I had to convert was the pfx file, the linux wireshark did not 
> want to load it. So I had to extract the private key, and remove the password 
> from the key. (I do not give the certificate to wireshark on linux).

Hmm... strange... A while ago someone did have problems with one version of the GnuTLS library, but I'm not sure what the symptoms were in the ssl-debug file. Are you able to upgrade your SSL libraries?
Could you also post the ssl-debug from from the Windows box up till the line "dissect_ssl enter frame #55 (first time)"?


>>> I hope this is enough information. I cannot share the actual captured data
>>> and key. But if needed I think I can reproduce the problem with a
>>> self-signed key (and dummy session).
>> 
>> If you do have a matching certificate and key and you still get this
>> message, please reproduce the issue with files that you can share :-)
> 
> I'll try to find a IIS machine I can use (need to load a self-signed key).

OK


Cheers,
Sake