Wireshark-users: Re: [Wireshark-users] wireshark ssl decryption for dummies
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Sat, 16 Sep 2006 17:24:16 -0400
When you open Wireshark and then select Edit->Preferences, Protocols, SSL--you'll notice an SSL debug file box below the RSA keys list box. Just select a file name there and it will output the debug logs.

--Jim

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of support
Sent: Wednesday, September 13, 2006 11:01 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] wireshark ssl decryption for dummies

Sorry for my ignorance. Where can I find this log file?

Thanks.
Kim

On 9/12/06, Small, James <JSmall@xxxxxxxxxxxxxx > wrote:

When I use 0.99.3 for Windows, I also have trouble with the SSL decodes. When I use the Wiki example and look at the logs, I see:

In the logs, I keep seeing "decrypt ssl3 record: no session key"

Logs:

association_remove_handle removing ptr 02D39200 handle 0282E918
association_remove_handle removing ptr 02D321E8 handle 0282DD88
association_remove_handle removing ptr 02D32450 handle 0283F9F8
association_remove_handle removing ptr 02D34DC0 handle 0296AA40
ssl_init keys string 127.0.0.1,443,ssl,rsasnakeoil2.key
ssl_init found host entry 127.0.0.1,443,ssl,rsasnakeoil2.key
ssl_init addr 127.0.0.1 port 443 filename rsasnakeoil2.key
ssl_get_version: 1.5.0
ssl_init private key file rsasnakeoil2.key successfully loaded
association_add port 443 protocol ssl handle 02CF2C60
association_add port 443 protocol http handle 0282E918
association_add port 636 protocol ldap handle 0282DD88
association_add port 993 protocol imap handle 0283F9F8
association_add port 995 protocol pop handle 0296AA40
ssl_session_init: initializing ptr 03FA1978 size 568
association_find: port 38713 found 00000000
packet_from_server: is from server 0
dissect_ssl server 127.0.0.1:443
client random len: 16 padded to 32
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl state 11
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 2 offset 5 lenght 70 bytes, remaning 79
dissect_ssl3_hnd_hello_common found random state 13
dissect_ssl3_hnd_srv_hello found cipher 35, state 17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 836 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 11 offset 84 lenght 832 bytes, remaning 920
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 14 offset 925 lenght 0 bytes, remaning 929
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 16 offset 5 lenght 128 bytes, remaning 137
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
pre master encrypted[128]: 65 51 2d a6 d4 a7 38 df ac 79 1f 0b d9 b2 61 7d 73 88 32 d9 f2 62 3a 8b 11 04 75 ca 42 ff 4e d9 cc b9 fa 86 f3 16 2f 09 73 51 66 aa 29 cd 80 61 0f e8 13 ce 5b 8e 0a 23 f8 91 5e 5f 54 70 80 8e 7b 28 ef b6 69 b2 59 85 74 98 e2 7e d8 cc 76 80 e1 b6 45 4d c7 cd 84 ce b4 52 79 74 cd e6 d7 d1 9c ad ef 63 6c 0f f7 05 e4 4d 1a d3 cb 9c d2 51 b5 61 cb ff 7c ee c7 bc 5e 15 a3 f2 52 0f bb 32
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 79 bytes, decr_len 127
decypted_unstrip_pre_master[127]: 02 c8 3b d5 a5 24 3c 40 c7 6e 95 b9 46 da b2 79 b1 06 ec 61 2d f7 f5 4a b7 62 b6 33 4b b3 05 ef 90 14 59 72 08 d5 34 88 41 cc a6 96 f4 dd 97 9a dc 3a 6e 92 1f 3a e4 6b 5b fb 3f ee 46 59 62 f3 f3 06 0f d1 1f f4 9d b2 29 08 c6 01 f5 c3 00 03 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 18 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 cb 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8
pre master secret[48]: 03 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 18 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 cb 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8
ssl_generate_keyring_material:PRF(pre_master_secret)
ssl3_prf: sha1_hash(1)
ssl3_prf: md5_hash(1) datalen 48
ssl3_prf: sha1_hash(2)
ssl3_prf: md5_hash(2) datalen 48
ssl3_prf: sha1_hash(3)
ssl3_prf: md5_hash(3) datalen 48
master secret[48]: 1e db 35 95 b8 18 b3 52 58 f3 07 3f e6 af 8a a6 ab c3 a4 ed 66 3a 46 86 b6 e5 49 2a 7c f7 8c c2 ac 22 bb 13 15 0f d8 62 a2 39 23 7b c2 ff 28 fb
ssl_generate_keyring_material sess key generation
ssl3_prf: sha1_hash(1)
ssl3_prf: md5_hash(1) datalen 48
ssl3_prf: sha1_hash(2)
ssl3_prf: md5_hash(2) datalen 48
ssl3_prf: sha1_hash(3)
ssl3_prf: md5_hash(3) datalen 48
ssl3_prf: sha1_hash(4)
ssl3_prf: md5_hash(4) datalen 48
ssl3_prf: sha1_hash(5)
ssl3_prf: md5_hash(5) datalen 48
ssl3_prf: sha1_hash(6)
ssl3_prf: md5_hash(6) datalen 48
ssl3_prf: sha1_hash(7)
ssl3_prf: md5_hash(7) datalen 48
(...)

Am I missing something obvious?

--Jim

James Small
ANALYSTS INTERNATIONAL
SEQUOIA SERVICES GROUP

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
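
An added example, not part of the original message or of Wireshark's code: a small Python triage of an SSL debug file like the one quoted above, counting "no session key" lines before and after session key generation. SAMPLE_LOG is a shortened excerpt constructed from the quoted log (hex dumps left out), and the triage function and its result keys are names made up for this example.

```python
import re

# Constructed sample: shortened excerpt of the debug log quoted in the message,
# with the hex dumps left out. Log spelling ("lenght", "remaning") is kept as emitted.
SAMPLE_LOG = """\
ssl_init private key file rsasnakeoil2.key successfully loaded
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl state 11
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 2 offset 5 lenght 70 bytes, remaning 79
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 16 offset 5 lenght 128 bytes, remaning 137
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
ssl_decrypt_pre_master_secret:RSA_private_decrypt
ssl_generate_keyring_material:PRF(pre_master_secret)
ssl_generate_keyring_material sess key generation
"""

def triage(log_text):
    """Summarise a debug log: was the RSA key loaded, were session keys
    derived, and where do 'no session key' lines fall relative to that."""
    result = {"key_loaded": False, "keys_derived": False,
              "no_key_before_derivation": 0, "no_key_after_derivation": 0,
              "no_key_content_types": set()}
    content_type = None  # content type of the record currently being dissected
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"dissect_ssl3_record: content_type (\d+)", line)
        if m:
            content_type = int(m.group(1))
        elif "private key file" in line and "successfully loaded" in line:
            result["key_loaded"] = True
        elif line.startswith("ssl_generate_keyring_material sess key generation"):
            result["keys_derived"] = True
        elif line == "decrypt_ssl3_record: no session key":
            when = "after" if result["keys_derived"] else "before"
            result[f"no_key_{when}_derivation"] += 1
            result["no_key_content_types"].add(content_type)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Handshake records (content type 22) that precede the key exchange travel unencrypted, so "no session key" lines counted before derivation do not by themselves indicate a failed decode; lines counted after it, or on content type 23 (application data), are the ones to investigate.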