Ethereal-dev: Re: [Ethereal-dev] SSL decryption and private keys

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Paolo Abeni <paolo.abeni@xxxxxxxx>
Date: Wed, 08 Feb 2006 23:27:43 +0100
Hi,

Re-posting this mail; apparently it got lost...

On Wed, 2006-02-08 at 16:11 +0100, Greg Morris wrote:
> Looks as though the issue is my certificates are 2048 bits. The SSL
> decryption uses a max size of 256. Is this by design?

There isn't any max size for the key length in the SSL decryption code.
The buffer for the decrypted key is dynamically allocated using the
information provided by the dissector.

I tried to replicate the issue using an RSA key of 2048 bits and an
Apache web server, but the decryption worked well.

Perhaps you are using the wrong key file? You can check the private
key/certificate pair with:

# write a small cleartext file
cat << ENDL > test
test
ENDL
# encrypt it with the public key taken from the certificate (-certin)
openssl rsautl -encrypt -in test -certin -inkey <certfile> -out test.ciph
# decrypt it with the private key; diff is silent only if the pair matches
openssl rsautl -decrypt -in test.ciph -inkey <keyfile> -out test.decr
diff test test.decr

If your application server uses an old version of OpenSSL (or the private
key was generated with an old version of OpenSSL), perhaps this can apply
(from the openssl pkcs12 man page):

Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
routines. Under rare circumstances this could produce a PKCS#12 file
encrypted with an invalid key. As a result some PKCS#12 files which
triggered this bug from other implementations (MSIE or Netscape) could not
be decrypted by OpenSSL and similarly OpenSSL could produce PKCS#12 files
which could not be decrypted by other implementations.

Anyway, can you please post all the debug output produced by Ethereal for
further investigation?

ciao,

Paolo
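The key/certificate check suggested in the mail above, as an added example that is not part of the original message or of the Ethereal project: instead of relying on an encrypt/decrypt round trip alone, it compares the RSA modulus printed by `openssl x509` for the certificate with the one printed by `openssl rsa` for the private key, which is the same test without needing a cleartext file, and it also carries out the round trip with `openssl pkeyutl` (the newer equivalent of the `rsautl` command used in the mail, which OpenSSL 3 marks as deprecated). The key pair and the unrelated second key are generated on the fly into a temporary directory; the file names, the 2048-bit size and the `/CN=ethereal-test` subject are assumptions of this example only.

```shell
#!/bin/sh
# Added example (not from the original mail or from Ethereal): verify that a
# private key belongs to a certificate before handing it to the SSL dissector.
set -e

# Print the RSA modulus of the public key inside a certificate, as "Modulus=...".
cert_modulus() {
    openssl x509 -noout -modulus -in "$1"
}

# Print the RSA modulus of a private key file, as "Modulus=...".
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# Return 0 when private key $2 belongs to certificate $1, 1 otherwise.
# Two RSA keys match exactly when their moduli are identical.
keypair_matches() {
    cert_mod=$(cert_modulus "$1") || return 1
    key_mod=$(key_modulus "$2") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# The round trip from the mail: encrypt with the certificate's public key,
# decrypt with the private key, and compare. Newer OpenSSL releases may
# return random bytes instead of an error when the wrong key is used, so the
# comparison of the decrypted text is what actually decides the result.
roundtrip_ok() {
    printf 'test\n' > "$WORK/plain"
    openssl pkeyutl -encrypt -certin -inkey "$1" \
        -in "$WORK/plain" -out "$WORK/plain.ciph" 2>/dev/null || return 1
    openssl pkeyutl -decrypt -inkey "$2" \
        -in "$WORK/plain.ciph" -out "$WORK/plain.decr" 2>/dev/null || return 1
    [ "$(cat "$WORK/plain")" = "$(cat "$WORK/plain.decr")" ]
}

# Constructed test material (assumption: 2048-bit keys, as in Greg's setup):
# a self-signed certificate with its own key, plus one unrelated key.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=ethereal-test" -days 1 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# Stand-alone run: report which key belongs to the certificate.
for key in server.key other.key; do
    if keypair_matches "$WORK/server.crt" "$WORK/$key"; then
        echo "$key: modulus matches server.crt"
    else
        echo "$key: modulus does NOT match server.crt"
    fi
done
```

Both checks only tell you that the file is the right key for the certificate the server presents; if the capture was taken from a different server, or from a virtual host that uses another certificate, the key will pass this test and the decryption will still fail, so compare the certificate in the capture with the one you tested against.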
