
List:       wireshark-users
Subject:    Re: [Wireshark-users] Problem deciphering an openssl stream
From:       Marco Simone Zuppone <msz () msz ! eu>
Date:       2010-10-07 11:28:31
Message-ID: AANLkTiki6A_q1fczqOP20r=LmbQC3ysHvFvtVxMnUZ1F () mail ! gmail ! com


Hello,

sorry I have one question: why are you using IP 0.0.0.0 and port 0?
You should use the IP of the web server and the port used by the HTTP(S)
stream: normally 443.
Regards,
Marco S. Zuppone

On Thu, Oct 7, 2010 at 12:15 PM, Philippe Fremy <phil@freehackers.org> wrote:

>
> (re-sending, it seems that my first mail did not get through)
>
> Hi,
>
> I tried everything I could think of, but I still can't decipher the SSL
> stream from my server.
>
> Any help would be really appreciated.
>
> I am running Wireshark Version 1.0.1 (SVN Rev 25639) on Windows XP.
>
> I've got the private key of the certificate exported in the PEM format,
> not ciphered. It begins with:
>
> -----BEGIN RSA PRIVATE KEY-----
> MIICXwIBAAKBgQC6igE7s9qXN+PXa0mFQKTIrr7lZM/j+QQwd1FBK7Awy2+dTrlY
>
> I've set Wireshark SSL to use it:
> 0.0.0.0,0,http,w:\open-privatekey.pem
>
> and a debug log file:
> d:\philippe\wireshark-ssl.log
>
> I've captured the traffic remotely with:
> sudo tcpdump -i eth1 -s 65535 -w mysite-tcpdump.pcap
>
> When I load it in Wireshark, it's not decoded. Looking at the debug log
> output, I have:
>
> ssl_init keys string:
> 0.0.0.0,0,http,w:\open-privatekey.pem
> ssl_init found host entry 0.0.0.0,0,http,w:\open-privatekey.pem
> ssl_init addr '0.0.0.0' port '0' filename 'w:\open-privatekey.pem'
> password(only for p12 file) '(null)'
> ssl_init private key file w:\open-privatekey.pem successfully loaded
> association_add TCP port 0 protocol http handle 02C154C8
> association_find: TCP port 993 found 03B164C0
> ssl_association_remove removing TCP 993 - imap handle 02B39B88
> association_add TCP port 993 protocol imap handle 02B39B88
> association_find: TCP port 995 found 03B16500
> ssl_association_remove removing TCP 995 - pop handle 037FBA10
> association_add TCP port 995 protocol pop handle 037FBA10
>
> For the first packets concerning my server, I get:
>
> dissect_ssl enter frame #166 (first time)
> ssl_session_init: initializing ptr 04804DA8 size 564
> association_find: TCP port 46705 found 00000000
> packet_from_server: is from server - FALSE
> dissect_ssl server 212.117.xx.yy:443
> dissect_ssl can't find private key for this server! Try it again with
> universal port 0
> dissect_ssl can't find private key for this server (universal port)! Try
> it again with universal address 0.0.0.0
> dissect_ssl can't find any private key!
>  conversation = 04804BD0, ssl_session = 04804DA8
> client random len: 16 padded to 32
>
> I don't get why Wireshark cannot find the key in this case.
>
> dissect_ssl enter frame #167 (first time)
>  conversation = 04804BD0, ssl_session = 04804DA8
> dissect_ssl3_record found version 0x0301 -> state 0x11
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 927 ssl, state 0x11
> association_find: TCP port 443 found 03ADCDD8
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes,
> remaining 932
> dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
> dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
> dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
> dissect_ssl3_handshake iteration 0 type 11 offset 86 length 838 bytes,
> remaining 932
> dissect_ssl3_handshake iteration 0 type 14 offset 928 length 0 bytes,
> remaining 932
>
> And I don't get why there is not enough data to generate the key.
>
> Any help really welcome.
>
> cheers,
>
> Philippe
>

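As an added example (not Wireshark's code and not part of the thread), the script below models the three lookup attempts the quoted debug log prints for an RSA keys-list entry and proposes a corrected `addr,port,proto,keyfile` line for each server endpoint the dissector saw. The assumption that the third attempt ("universal address") keeps the real port, which is consistent with the failure shown above for a `0.0.0.0,0` entry, is mine; the sample log lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Added example, not Wireshark code. Models the three lookups the debug log
# above prints (exact addr:port, "universal port" 0, "universal address"
# 0.0.0.0). Assumption (mine): the third lookup keeps the real port, so an
# entry 0.0.0.0,0 never matches. The sample log below is constructed.
Entry = Tuple[str, int, str, str]  # (address, port, protocol, key file)

def parse_keylist(keys: str) -> List[Entry]:
    """Parse 'addr,port,proto,keyfile' entries separated by ';' or newlines."""
    out: List[Entry] = []
    for raw in re.split(r"[;\n]", keys):
        if not raw.strip():
            continue
        addr, port, proto, path = (f.strip() for f in raw.split(",", 3))
        out.append((addr, int(port), proto, path))
    return out

def find_private_key(entries: List[Entry], addr: str, port: int) -> Optional[Entry]:
    """Lookup order seen in the log: exact, universal port, universal address."""
    for want_addr, want_port in ((addr, port), (addr, 0), ("0.0.0.0", port)):
        for e in entries:
            if e[0] == want_addr and e[1] == want_port:
                return e
    return None

SERVER_RE = re.compile(r"dissect_ssl server (\S+):(\d+)")

def servers_in_log(log: str) -> List[Tuple[str, int]]:
    """Distinct server endpoints the SSL dissector reported, in order seen."""
    seen: List[Tuple[str, int]] = []
    for m in SERVER_RE.finditer(log):
        ep = (m.group(1), int(m.group(2)))
        if ep not in seen:
            seen.append(ep)
    return seen

def suggest_fixes(keys: str, log: str) -> List[str]:
    """Corrected keys-list lines for every server that no entry matches."""
    entries = parse_keylist(keys)
    if not entries:
        return []
    _, _, proto, path = entries[0]  # reuse protocol and key path of entry 1
    return [f"{addr},{port},{proto},{path}"
            for addr, port in servers_in_log(log)
            if find_private_key(entries, addr, port) is None]

# Constructed sample in the shape of the quoted debug output.
SAMPLE_LOG = """dissect_ssl server 192.0.2.10:443
dissect_ssl can't find any private key!"""
```

Running `suggest_fixes(r"0.0.0.0,0,http,w:\open-privatekey.pem", SAMPLE_LOG)` yields the entry Marco recommends: the server's own address with port 443.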



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
