List:       wireshark-users
Subject:    [Wireshark-users] SSL decryption
From:       "SARAVANA PERUMAL RAMAKRISHNAN"
Date:       2007-11-28 10:50:53
Message-ID: 69DFEEDDEB422247BF667DC78583814622787F () FRVELSMBS24 ! ad2 ! ad ! alcatel ! com

Hello,
    I'm trying to collect SOAP traces using Wireshark. The application
is running on a Solaris machine and I access the GUI for this
application through a web browser on my Windows PC. As soon as I enter
the application URL in the browser, before giving the authentication
(user id/pw), I get the following message in the debug file.
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
 
Can you help me with what's wrong? I'm using Wireshark version .99.6a.
The content of the full debug file is given below:
 
ssl_init keys string:
172.21.131.253,2006,http,D:\eventhelix\server.key
ssl_init found host entry 172.21.131.253,2006,http,D:\eventhelix\server.key
ssl_init addr 172.21.131.253 port 2006 filename D:\eventhelix\server.key
ssl_init private key file D:\eventhelix\server.key successfully loaded
association_add TCP port 2006 protocol http handle 026AB698
association_find: TCP port 443 found 02A0F640
ssl_association_remove removing TCP 443 - http handle 026AB698
association_add TCP port 443 protocol http handle 026AB698
association_find: TCP port 636 found 02A0F728
ssl_association_remove removing TCP 636 - ldap handle 0274B788
association_add TCP port 636 protocol ldap handle 0274B788
association_find: TCP port 993 found 02A0FF08
ssl_association_remove removing TCP 993 - imap handle 024451E0
association_add TCP port 993 protocol imap handle 024451E0
association_find: TCP port 995 found 02A10040
ssl_association_remove removing TCP 995 - pop handle 027C9CE0
association_add TCP port 995 protocol pop handle 027C9CE0
 
dissect_ssl enter frame #458 (first time)
ssl_session_init: initializing ptr 041B3550 size 564
association_find: TCP port 3179 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 172.21.131.253:2006
client random len: 16 padded to 32
 
dissect_ssl enter frame #458 (already visited)
 
dissect_ssl enter frame #460 (first time)
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl, state 0x11
association_find: TCP port 2006 found 02A98640
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 747 ssl, state 0x17
association_find: TCP port 2006 found 02A98640
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 84 length 743 bytes, remaining 831
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl, state 0x17
association_find: TCP port 2006 found 02A98640
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 836 length 0 bytes, remaining 840
 
dissect_ssl enter frame #461 (first time)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl, state 0x17
association_find: TCP port 3179 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128 bytes, remaining 137
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x17
pre master encrypted[128]:
a6 ab c3 1e 4d ef db 40 8f b6 0a a9 56 ee 29 4e 
d4 23 97 b9 2c 1a ba a9 06 07 73 75 fa a5 7a 51 
87 ca f9 d5 2c 81 24 99 93 2d c4 b6 76 be 92 f9 
16 e3 81 ee ba 35 15 e5 fc 1a 6e 6c e7 ea 40 ed 
4b fd 87 63 d6 cd 2d 8d 65 b5 eb 04 fc c4 4d 14 
6f 64 57 b3 8b 9b e4 21 ed 8f 14 1d e6 de 8d a5 
19 80 5c c3 a8 82 7b a0 48 33 48 da e7 8b c5 02 
10 6b 1c 6e 16 49 4e a0 43 78 65 6d 64 a8 e7 ec 
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 0 bytes, decr_len 128
decypted_unstrip_pre_master[128]:
ea 92 97 25 b9 d9 1f 46 81 bc 2a 3b 2f a6 2e 54 
cd ed 90 40 07 0a 2f 3b 57 bf 3a 17 53 33 cb 44 
76 13 25 8c 4e 0b 51 36 bc 34 b1 f4 1b c5 f3 79 
2d 12 7f 5e 4e 03 0b 4b 5b 20 71 b4 b2 a4 45 a1 
b5 2f 93 9c 56 9c bc 31 c5 d8 cb 28 74 fc d1 20 
d9 d3 fc 22 c2 8c f0 35 c7 74 3a 30 6a 5e 52 72 
b3 14 f8 4a 02 ce d8 d4 a0 f0 6d 8a f3 9c 7e 46 
f0 f1 cd a4 b0 6b a4 60 6a 37 47 f5 89 d3 5a b8 
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 3179 found 00000000
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
 
 
Thank you for your support,
kind regards,
saravana perumal.
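
The length check that fails in the log above, as an added example (not part of the original post and not Wireshark's code): an RSA-decrypted ClientKeyExchange must unpad from a PKCS#1 v1.5 block `00 02 <non-zero padding> 00` to a 48-byte pre-master secret, and the logged block starts with `ea 92`, so nothing can be stripped and all 128 bytes remain. `GOOD_BLOCK` and the function names are constructed for illustration; the 128-byte modulus length is taken from `decr_len 128` in the log.

```python
# Added illustration (not Wireshark source): check an RSA-decrypted
# ClientKeyExchange block against PKCS#1 v1.5 padding (00 02 PS 00 M).

PRE_MASTER_LEN = 48  # 2-byte client version + 46 random bytes

# "decypted_unstrip_pre_master[128]" exactly as printed in the debug log above.
LOG_BLOCK = bytes.fromhex("""
ea 92 97 25 b9 d9 1f 46 81 bc 2a 3b 2f a6 2e 54
cd ed 90 40 07 0a 2f 3b 57 bf 3a 17 53 33 cb 44
76 13 25 8c 4e 0b 51 36 bc 34 b1 f4 1b c5 f3 79
2d 12 7f 5e 4e 03 0b 4b 5b 20 71 b4 b2 a4 45 a1
b5 2f 93 9c 56 9c bc 31 c5 d8 cb 28 74 fc d1 20
d9 d3 fc 22 c2 8c f0 35 c7 74 3a 30 6a 5e 52 72
b3 14 f8 4a 02 ce d8 d4 a0 f0 6d 8a f3 9c 7e 46
f0 f1 cd a4 b0 6b a4 60 6a 37 47 f5 89 d3 5a b8
""")

# Constructed sample: a well-formed 128-byte block carrying an SSL 3.0 secret.
GOOD_BLOCK = b"\x00\x02" + b"\xaa" * 77 + b"\x00" + b"\x03\x00" + b"\x5c" * 46


def strip_pkcs1_type2(block: bytes, modulus_len: int) -> bytes:
    """Return the message from a PKCS#1 v1.5 encryption block or raise ValueError."""
    # Big-integer libraries often drop the leading 0x00, so restore it first.
    block = block.rjust(modulus_len, b"\x00")
    if len(block) != modulus_len or block[0:2] != b"\x00\x02":
        raise ValueError("block does not start with 00 02")
    sep = block.find(b"\x00", 2)  # first zero byte after the padding string
    if sep < 10:  # covers "not found" (-1) and fewer than 8 padding bytes
        raise ValueError("padding separator missing or padding too short")
    return block[sep + 1:]


def diagnose(block: bytes, modulus_len: int = 128) -> str:
    """Explain whether a decrypted block yields a usable pre-master secret."""
    try:
        secret = strip_pkcs1_type2(block, modulus_len)
    except ValueError as exc:
        return f"not decryptable with this key ({exc})"
    if len(secret) != PRE_MASTER_LEN:
        return f"padding ok but secret is {len(secret)} bytes, expected {PRE_MASTER_LEN}"
    return "ok: 48-byte pre-master secret recovered"


if __name__ == "__main__":
    print("log block :", diagnose(LOG_BLOCK))
    print("good block:", diagnose(GOOD_BLOCK))
```

A block that fails the `00 02` check usually means the private key that was loaded does not match the certificate the server sent in the capture.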
