Wireshark · Ethereal-dev: [Ethereal-dev] SSL decryption and private keys

["Greg Morris" <gmorris@xxxxxxxxxx>]

Well, I finally got the SSL decryption in Win32 to work. The latest changes to the SSL dissector has really helped in getting this resolved. My main issue was the gnutls library.

 

In any case, I am now trying to test the decryption of SSL data. Using the test traces and keys the decryption is perfect. But now I need to put this into real life work. My application server can only export the private key in an encrypted file. (IE. Server.pfx)

 

I then use openssl to convert the file to non-encrypted pem file.

 

openssl pkcs12 -in server.pfx -out server.pem -nodes -passin pass:novell

 

Openssl returns "MAC verified OK"

 

But when I try to use this file I get the following error in the ssl-decrypt.txt file.

 

****************

dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
pre master encrypted[254]:
e4 8e f9 25 9f 69 0b 61 43 ed cc 8e 1b 9c 7c bc
90 c8 db c7 e4 89 28 15 4c 72 6b cf e0 ef 4d 82
f1 93 26 81 c0 37 4e 1a 89 0e 49 83 af 12 96 f1
a7 67 4e f5 d2 e4 c6 c1 16 2a 67 00 ab eb 2d 1f
8c bf fa 7e 00 cc bd 8d e1 c4 0f b4 7e 04 a6 b6
11 a6 6f 1f 26 ad b8 aa d7 41 40 93 e3 9c d7 94
28 a9 8f 69 fb bc cd b2 91 75 54 94 50 2e f0 a9
6a 8c dc 28 85 af 12 92 a8 df 66 43 8d ea 7b 9a
37 db cb e7 ac 70 68 bb 2c a5 79 e8 fc e5 dd 70
fa b3 07 55 19 92 04 3d 60 e2 8b e5 a2 ee 85 d8
54 67 cb 87 bc 40 d5 fc 98 fd f3 1b 30 7b 34 5e
40 96 27 3b 91 45 f2 43 29 0d 57 75 3f c1 21 c7
38 e5 30 6a 90 a7 83 6b 3e ca 12 b1 b3 da ea dc
aa 10 e9 e9 49 be 9e 7f ff 99 dc df 43 44 4e bb
ce 28 1e 36 b1 c1 11 51 69 44 88 16 e3 b3 5e 6f
54 17 fb 54 0b 7b 44 a0 6f ed 63 84 98 14
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: decrypted data is too long ?!? (256 max 254)
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (0, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret

****************

 

My SSL settings are...

RSA keys list: 147.2.76.78:8009:c:\shared\server.pem

SSL ports list: 8009:8008

 

Am I going about this the correct way or am I way off base... Perhaps a little more information on how to identify the correct key? Validation of private key? etc.... I did look at the certificate in the packet trace passed in with the SSLv3 Certificate packet, and validated that the serial number matches the key that I exported from my directory. Any pointers would be appreciated.

 

Thanks,

Greg