Hi Vijay, I’m not using gnutls or libgcrypt – I’m just using the Win32
installer. Here is a snippet from the log file (with the actual HTTP payload
removed). Brian ssl_init keys string 10.231.4.61,443,http,d:\GR\temp\grhealth.pem ssl_init found host entry 10.231.4.61,443,http,d:\GR\temp\grhealth.pem ssl_init addr 10.231.4.61 port 443 filename
d:\GR\temp\grhealth.pem ssl_get_version: 1.5.1 ssl_init private key file d:\GR\temp\grhealth.pem successfully
loaded association_add TCP port 443 protocol http handle 05CBDE40 association_find: TCP port 443 found 0750D888 ssl_association_remove removing TCP 443 - http handle 05CBDE40 association_add TCP port 443 protocol http handle 05CBDE40 association_find: TCP port 636 found 040C75F0 ssl_association_remove removing TCP 636 - ldap handle 05CBCC48 association_add TCP port 636 protocol ldap handle 05CBCC48 association_find: TCP port 993 found 040BFF08 ssl_association_remove removing TCP 993 - imap handle 05CCE588 association_add TCP port 993 protocol imap handle 05CCE588 association_find: TCP port 995 found 040BF5D8 ssl_association_remove removing TCP 995 - pop handle 05E318D0 association_add TCP port 995 protocol pop handle 05E318D0 dissect_ssl enter frame #4 ssl_session_init: initializing ptr 07A71A18 size 568 association_find: TCP port 2796 found 00000000 packet_from_server: is from server 0 dissect_ssl server 10.231.4.61:443 client random len: 16 padded to 32 dissect_ssl enter frame #6 dissect_ssl enter frame #7 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 2231 ssl state 11 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70
bytes, remaining 2236 dissect_ssl3_hnd_hello_common found random state 13 dissect_ssl3_hnd_srv_hello found cipher 4, state 17 dissect_ssl3_hnd_srv_hello not enough data to generate key
(required 37) dissect_ssl3_handshake iteration 0 type 11 offset 79 length 2149
bytes, remaining 2236 dissect_ssl3_handshake iteration 0 type 14 offset 2232 length 0
bytes, remaining 2236 dissect_ssl enter frame #10 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 132 ssl state 17 decrypt_ssl3_record: no session key dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128
bytes, remaining 137 dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17 pre master encrypted[128]: 4f b3 cd 50 86 26 45 b4 7d 02 2e e9 a8 64 eb 3d 0a 7d e7 3e 12 db 5f 46 75 61 10 e4 26 ce 91 b2 8a 49 59 b3 93 b1 4b 43 1b f4 1a 41 c2 8e 71 7b bf a4 80 96 fb 28 00 95 4d cf bf 59 e7 45 bb b8 04 38 5b 3f 81 6c c1 c1 0e f7 a9 9d a4 df 22 bb a1 81 98 e8 90 66 52 32 f3 24 4d 6a 8b 55 06 9f c6 88 6e 2f 9c 43 6c b1 32 86 1f fe 8c 33 c1 d7 0a c1 24 7d 1e 2d 7e f6 8c 5e d1 26 ce c0 47 a5 ssl_decrypt_pre_master_secret:RSA_private_decrypt pcry_private_decrypt: stripping 79 bytes, decr_len 127 decypted_unstrip_pre_master[127]: 02 b8 82 dd 86 82 01 6c df 8a ed 31 eb c9 4e d0 36 aa c2 b4 e1 74 4f 41 a1 a9 24 f8 1e ce d6 e6 e6 2d 34 94 7d d0 e9 1a e1 15 d8 d0 93 9b 3c a7 e0 eb a7 69 27 c3 d1 07 f1 96 06 e3 e1 13 7c 5f 88 26 42 49 a5 90 83 1f 8d a8 08 c8 63 8c 00 03 00 a3 8e 98 49 a5 4b 7b 7a 25 3a aa 64 61 42 38 d8 96 58 d2 df fc 11 82 61 69 65 27 9b 66 9d ef d8 02 be 08 e2 56 af 98 ee f8 bc 37 64 db 6c pre master secret[48]: 03 00 a3 8e 98 49 a5 4b 7b 7a 25 3a aa 64 61 42 38 d8 96 58 d2 df fc 11 82 61 69 65 27 9b 66 9d ef d8 02 be 08 e2 56 af 98 ee f8 bc 37 64 db 6c ssl_generate_keyring_material:PRF(pre_master_secret) ssl3_prf: sha1_hash(1) ssl3_prf: md5_hash(1) datalen 48 ssl3_prf: sha1_hash(2) ssl3_prf: md5_hash(2) datalen 48 ssl3_prf: sha1_hash(3) ssl3_prf: md5_hash(3) datalen 48 master secret[48]: 99 73 10 dc 57 ca 60 03 99 89 7c 94 43 bb e0 a6 8a 46 94 f8 a4 5c 33 ee e1 f8 8e 60 33 06 12 0f bf 60 74 78 7a d5 9e 15 47 89 b2 26 de 91 7d fd ssl_generate_keyring_material sess key generation ssl3_prf: sha1_hash(1) ssl3_prf: md5_hash(1) datalen 48 ssl3_prf: sha1_hash(2) ssl3_prf: md5_hash(2) datalen 48 ssl3_prf: sha1_hash(3) ssl3_prf: md5_hash(3) datalen 48 ssl3_prf: sha1_hash(4) ssl3_prf: md5_hash(4) datalen 48 key expansion[64]: 36 ea ff a5 5f fd 34 e8 84 f5 05 13 b5 4f 09 23 a8 f2 d9 e5 79 84 00 89 b3 1a a6 e2 72 2d 6c 0d d2 91 30 a0 94 90 20 81 72 65 60 c3 79 20 ff dc 3c d8 eb 05 2b 87 71 1c 9b 58 c0 a7 7d 6a 83 3f Client MAC key[16]: 36 ea ff a5 5f fd 34 e8 84 f5 05 13 b5 4f 09 23 Server MAC key[16]: a8 f2 d9 e5 79 84 00 89 b3 1a a6 e2 72 2d 6c 0d Client Write key[16]: d2 91 30 a0 94 90 20 81 72 65 60 c3 79 20 ff dc Server Write key[16]: 3c d8 eb 05 2b 87 71 1c 9b 58 c0 a7 7d 6a 83 3f Client Write IV[8]: 30 00 00 00 2c cc 12 00 Server Write IV[8]: 48 1d a7 07 30 00 00 00 ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 16) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 16) ssl_generate_keyring_material client seq 0 server seq 0 ssl_save_session stored session id[32]: ad 22 00 00 60 a9 d7 45 4d 4e 9d 01 41 f5 1d 80 82 87 24 0c 75 18 ba db 9d ab 86 e9 02 5a 05 22 ssl_save_session stored master secret[48]: 99 73 10 dc 57 ca 60 03 99 89 7c 94 43 bb e0 a6 8a 46 94 f8 a4 5c 33 ee e1 f8 8e 60 33 06 12 0f bf 60 74 78 7a d5 9e 15 47 89 b2 26 de 91 7d fd dissect_ssl3_handshake session keys succesfully generated dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 56 ssl state 1F association_find: TCP port 2796 found 00000000 packet_from_server: is from server 0 decrypt_ssl3_record: using client decoder decrypt_ssl3_record: allocating 88 bytes for decrypt data (old len
32) ssl_decrypt_record ciphertext len 56 Ciphertext[56]: 6d 7d f5 48 fa ba e7 ae 11 f5 87 c4 07 06 b7 47 3b 3c 8c 35 cc 54 29 12 dd 07 39 d6 da 2b a8 63 e0 99 c2 51 85 12 7a 2a c0 21 fb 48 1c c0 d5 12 c1 2b 50 03 59 f4 da d1 Plaintext[56]: 14 00 00 24 dc 2c 0c 06 84 49 7c 70 fa a8 8c 51 6e 37 1f 74 a7 d6 19 2d 2f 7e 8e 0b c1 d6 b8 20 46 7a 83 5e 22 22 ce 54 66 5d c3 99 2a ef a6 23 4e d1 ba 1e f8 fd aa f6 checking mac (len 40, version 300, ct 22 seq 0) ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 36
bytes, remaining 40 dissect_ssl enter frame #12 dissect_ssl3_record: content_type 20 dissect_ssl3_change_cipher_spec dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 56 ssl state 1F association_find: TCP port 443 found 0750D888 packet_from_server: is from server 1 decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 56 Ciphertext[56]: bf be ec 8b fa 84 6d 27 a1 fb f0 f3 b2 d1 60 c2 23 58 8b 6e e5 06 b6 48 fb ca 4c d4 a7 f4 b3 1c d6 8f 4d c9 93 52 d3 c9 50 9e 73 d0 d3 6b 18 3f 62 b3 61 6f a3 84 3d 56 Plaintext[56]: 14 00 00 24 7b 3e 3b db 1c 81 d7 4e 9b 62 60 df c1 d2 16 15 04 1a 13 b5 77 c6 38 74 2a f1 bd c1 3b f8 88 cd 4f 09 6f 60 d2 b8 ea 8c c8 f8 57 fa 64 4b 2b 7c d5 22 46 50 checking mac (len 40, version 300, ct 22 seq 0) ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 36
bytes, remaining 40 dissect_ssl enter frame #13 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 440 ssl state 1F association_find: TCP port 2796 found 00000000 packet_from_server: is from server 0 decrypt_ssl3_record: using client decoder decrypt_ssl3_record: allocating 472 bytes for decrypt data (old
len 88) ssl_decrypt_record ciphertext len 440 Ciphertext[440]: 9d fa 13 77 27 d9 1b eb 1a e1 21 d7 4f 18 96 78 07 54 37 12 44 c5 b4 fc b7 45 90 b5 4d e1 c6 36 3a 64 e8 f7 e9 86 3c a7 d0 55 cb 8a ce 07 c6 fb b4 eb ab c1 90 20 31 09 9e 70 84 1a ff 9a d5 ea 46 da 37 9a 52 aa 4f 17 c3 cf dc cb e9 06 71 de a3 9e 36 d4 b1 3e 1b b6 67 b4 8e e8 2f 6e 41 dd e3 8f 48 2c a5 ba ee 7b af 08 82 2d 33 4e 48 c6 96 e2 be 23 1d aa 62 5a ff d5 12 e8 b1 da a4 4f 86 7f 5a c0 74 2a 8c 24 d6 46 9c 93 f1 09 89 a4 35 81 ee 53 94 c4 91 d9 c3 e1 0d 2e 72 02 0b a9 b6 30 35 a6 30 b6 10 f2 1e 99 63 27 cc 5f 43 8e 0b 2c 7f 04 ec 31 06 9e a5 34 fe a6 7c a4 0f 7e 51 c8 2a f3 bb fe 49 a6 28 15 0e 1d 7b 8d c1 48 33 a8 40 e7 d3 5e ec d4 70 1e 33 87 08 a3 b1 7f 0a 58 6d 92 cf 03 5b 35 05 f4 26 55 60 90 54 dc 4c 47 8d 9c b6 bb f5 db cc 9e 30 7b fc 23 42 8b 46 ff 53 be 8e 0f d8 95 f2 51 c2 88 18 b5 77 e2 b5 5b 57 00 0f c7 e4 33 18 f4 f7 d7 1f 06 5c a8 e4 76 52 ee f5 1b 44 42 2a 42 90 2e 13 15 f5 d4 4b b3 bc d2 1f 27 f9 d0 5b 6f 61 79 53 a6 26 a5 56 42 90 2c b2 38 9f e5 9e 09 ca 06 8e a1 b8 43 91 58 95 2f 5e 87 93 f5 a9 d0 0b be c0 5a b9 91 28 36 04 05 ac 55 5b 90 5e 51 28 c5 4f eb 95 36 f0 f9 36 b3 f1 c5 e4 1e 71 2f 5d 56 a2 1e 6a e4 07 9d 41 6f ef dc 9e 4f 91 f1 b6 21 69 9f 7d 00 36 47 75 08 cc 2f d3 a3 3b 19 d4 d5 9a a3 8c 0d d3 34 8e d0 c3 78 2b 56 1c 13 27 35 d9 61 c6 32 0d dd 66 7d 5d 7d 74 38 Plaintext[440]: 47 45 54 20 2f 63 75 73 74 6f 6d 65 72 2f 44 65 66 61 75 6c 74 2e 61 73 70 78 3f 55 49 44 3d 32 38 35 31 31 30 34 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 65 62 6d 61 69 6c 2d 76 64 63 2e 77 65 62 6d 61 69 6c 2e 61 6f 6c 2e 63 6f 6d 2f 32 31 34 36 32 2f 61 6f 6c 2f 65 6e 2d 75 73 2f 52 50 43 2f 47 65 74 4d 65 73 73 61 67 65 2e 61 73 70 78 3f 66 6f 6c 64 65 72 3d 4e 65 77 25 32 30 4d 61 69 6c 26 75 69 64 3d 31 2e 31 35 31 36 33 30 35 32 26 76 65 72 73 69 6f 6e 3d 32 31 34 36 32 26 75 73 65 72 3d 54 59 51 44 54 31 42 76 5a 41 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 7b 45 42 44 37 37 32 42 41 2d 43 31 31 34 2d 43 30 37 43 2d 38 41 45 32 2d 32 44 43 37 30 36 41 36 43 37 35 42 7d 29 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 67 6f 6c 64 65 6e 72 75 6c 65 68 65 61 6c 74 68 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d 0a 6f a1 04 21 01 b9 40 a2 b6 00 4e 13 7e c9 96 1c checking mac (len 424, version 300, ct 23 seq 1) ssl_decrypt_record: mac ok decrypt_ssl3_record: allocating app_data 424 bytes for app data decrypt_ssl3_record: setting decrypted app_data ptr 07A71FC0 association_find: TCP port 2796 found 00000000 association_find: TCP port 443 found 0750D888 association_find: TCP port 2796 found 00000000 association_find: TCP port 443 found 0750D888 dissect_ssl3_record decrypted len 424 dissect_ssl3_record found association 0750D888 decrypted app data: <HTTP request was here> dissect_ssl enter frame #15 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 299 ssl state 1F association_find: TCP port 443 found 0750D888 packet_from_server: is from server 1 decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 299 Ciphertext[299]: 20 a0 b4 b8 6c cb bc 27 3d 33 2d cf ad e2 bb d7 ef 21 98 c5 11 da a5 a1 95 d6 23 15 30 0b bb 3c 1b 71 d3 72 77 10 35 8c a4 14 98 eb 26 ba c4 e1 7d 73 6d ad d0 12 d2 97 85 6f be b8 28 bd 0e ae 4b 33 a5 2b a7 04 2d cb b4 d8 5b bb d2 75 a0 62 a7 1a 16 ad fb da 01 bc fe e9 cc 27 f0 65 80 d4 13 18 a3 19 0f ef 2d 46 c3 60 48 aa 04 32 ad 8b 2d f1 c3 11 23 74 ab 92 2d 3d f2 54 58 34 34 16 d6 5e a6 47 e7 f0 92 42 4e c5 62 7d f5 f8 a5 c9 c6 58 ce 2c c7 ba 1b d7 05 09 0b fe 5d a3 97 16 3d 52 ab 63 6d 06 7c 95 be 87 6a 6f ba dd 7a 89 b0 3c d6 57 6f a2 f8 54 02 91 1f 8a 06 74 cd 0e 9e 84 5f fc fc 4c b0 d7 18 3a 83 96 ca ee 11 09 1e 75 6f d3 bd d3 81 c0 36 1f f5 19 48 55 33 c7 09 5f 4a 88 21 17 66 f3 6b 22 73 ec 6c c2 39 ef a0 ae 2f 3b 2c fe da e4 c9 33 dd 34 51 85 2a 8f f2 d2 80 d0 b8 7b 2a 5a 9c f4 f6 4b e3 e3 0e 99 5a 12 06 c5 8d b2 10 b9 75 e1 26 f1 b6 c8 63 5d 05 b6 f2 03 6f 5d 6b d1 6d 51 a7 Plaintext[299]: 48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30 0d 0a 44 61 74 65 3a 20 54 75 65 2c 20 33 31 20 4f 63 74 20 32 30 30 36 20 31 35 3a 34 30 3a 32 38 20 47 4d 54 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 41 53 50 2e 4e 45 54 0d 0a 58 2d 41 73 70 4e 65 74 2d 56 65 72 73 69 6f 6e 3a 20 32 2e 30 2e 35 30 37 32 37 0d 0a 4c 6f 63 61 74 69 6f 6e 3a 20 2f 63 75 73 74 6f 6d 65 72 2f 43 75 73 74 6f 6d 65 72 4c 6f 67 6f 6e 2f 44 65 66 61 75 6c 74 2e 61 73 70 78 3f 55 49 44 3d 32 38 35 31 31 30 34 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 35 0d 0a 0d 0a 52 b2 c7 93 9b cc a5 4f bd 3a 45 26 4a 7d 11 78 checking mac (len 283, version 300, ct 23 seq 1) ssl_decrypt_record: mac ok decrypt_ssl3_record: allocating app_data 283 bytes for app data decrypt_ssl3_record: setting decrypted app_data ptr 07A722D0 association_find: TCP port 443 found 0750D888 association_find: TCP port 443 found 0750D888 dissect_ssl enter frame #17 dissect_ssl3_record: content_type 23 decrypt_ssl3_record: app_data len 181 ssl state 1F association_find: TCP port 443 found 0750D888 packet_from_server: is from server 1 decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 181 Ciphertext[181]: 84 d9 3c 38 1c a5 f8 14 86 19 08 a6 76 df 9e de 65 3c c0 0f ad 53 77 5f 10 d1 7e c4 38 fc 97 42 7e 6d 34 2f d7 90 50 5c 59 32 a6 01 97 87 02 14 03 e4 46 28 24 17 12 53 09 42 f5 f8 ad 6d b3 c7 11 a0 03 25 f8 a8 3f f8 48 d8 7a 76 b3 8a c0 84 f5 cd 33 05 91 33 fa dc a7 5f dd 1e de e9 e6 f4 19 1a d4 11 79 bd 80 30 09 33 c8 47 0a e2 b6 34 f9 27 86 60 18 68 43 f2 b4 b5 d2 86 7c 96 90 fe 05 c5 dc 9a 02 02 42 1d 93 5a 53 02 19 ec 14 41 91 4e 98 66 6d 8f 44 5c d2 81 42 b4 64 3b 36 2e 0f b8 dc 94 dd 8c fd 5d 05 5e a3 1a 7b 84 a5 b5 5d 30 65 72 c6 Plaintext[181]: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 2f 63 75 73 74 6f 6d 65 72 2f 43 75 73 74 6f 6d 65 72 4c 6f 67 6f 6e 2f 44 65 66 61 75 6c 74 2e 61 73 70 78 3f 55 49 44 3d 32 38 35 31 31 30 34 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 2e 10 ba 50 29 90 92 77 40 83 74 41 c9 2c 9f 67 checking mac (len 165, version 300, ct 23 seq 2) ssl_decrypt_record: mac ok decrypt_ssl3_record: allocating app_data 165 bytes for app data decrypt_ssl3_record: setting decrypted app_data ptr 07A724C0 association_find: TCP port 443 found 0750D888 association_find: TCP port 443 found 0750D888 dissect_ssl3_record decrypted len 448 dissect_ssl3_record found association 0750D888 decrypted app data: <HTTP response here> From:
wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Vijay
Sitaram Hi Brian, Thanks for confirming that SSL
decryption worked. So far I have not been able to get the decryption
working on my end. Can you please confirm the version of
gnutls and libgcrypt that you are using? Also, it would be great if you
can copy and paste the output from ssldebug.txt. Kind regards, Vijay |
- Follow-Ups:
- Re: [Wireshark-users] SSL decryption -- RSA Key format
- From: Kukosa, Tomas
- Re: [Wireshark-users] SSL decryption -- RSA Key format
- References:
- Re: [Wireshark-users] SSL decryption -- RSA Key format
- From: Baker, Brian
- Re: [Wireshark-users] SSL decryption -- RSA Key format
- From: Vijay Sitaram
- Re: [Wireshark-users] SSL decryption -- RSA Key format
- Prev by Date: Re: [Wireshark-users] Please help decode DCERPC packets between W2K, a DC, and an Exchange Server
- Next by Date: [Wireshark-users] Are there plans to provide WPA+PSK decryption methods?
- Previous by thread: Re: [Wireshark-users] SSL decryption -- RSA Key format
- Next by thread: Re: [Wireshark-users] SSL decryption -- RSA Key format
- Index(es):