Wireshark-users: Re: [Wireshark-users] Decrypt SSL fails withtestcaseSampleCaptures/snakeoil2_070
From: "Kukosa, Tomas" <tomas.kukosa@xxxxxxxxxxx>
Date: Tue, 17 Jul 2007 12:04:15 +0200
Unfortunately I have no idea what could go wrong and I am not able to investigate it as I have only Windows environment. Tomas > -----Original Message----- > From: wireshark-users-bounces@xxxxxxxxxxxxx > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of > Daniel Kabs > Sent: Tuesday, July 17, 2007 11:50 AM > To: Community support list for Wireshark > Subject: Re: [Wireshark-users] Decrypt SSL fails > withtestcaseSampleCaptures/snakeoil2_070531.tgz > > Hello Tomas, > > On Tuesday 17 July 2007 08:46, Kukosa, Tomas wrote: > > it is strange as it works fine for me (on Windows). > > My debug output is attached. Could you try to compare it > with your one? > > Where the difference starts? > > Thanks for sending your debug output. I compared your output > against mine: > > The first difference occurs right at the start, where the > private key is > associated: > > ssl_init keys string: > 127.0.0.1,443,http,/tmp/rsasnakeoil2.key > ssl_init found host entry 127.0.0.1,443,http,/tmp/rsasnakeoil2.key > ssl_init addr 127.0.0.1 port 443 filename /tmp/rsasnakeoil2.key > ssl_init private key file /tmp/rsasnakeoil2.key successfully loaded > association_add TCP port 443 protocol http handle 0x8353a00 > association_find: TCP port 443 found 0x86b4f58 > ssl_association_remove removing TCP 443 - http handle 0x8353a00 > association_add TCP port 443 protocol http handle 0x8353a00 > association_find: TCP port 636 found 0x8671f98 > ssl_association_remove removing TCP 636 - ldap handle 0x8391600 > association_add TCP port 636 protocol ldap handle 0x8391600 > association_find: TCP port 993 found 0x8671fd0 > ssl_association_remove removing TCP 993 - imap handle 0x837c6d8 > association_add TCP port 993 protocol imap handle 0x837c6d8 > association_find: TCP port 995 found 0x8672008 > ssl_association_remove removing TCP 995 - pop handle 0x842b7e0 > association_add TCP port 995 protocol pop handle 0x842b7e0 > > I think this output is ok as the private key file was loaded > successfully. > > The debug output continues with only minor differences in the > "association > find" lines. Example: > > yours (Windows): > association_find: TCP port 443 found 02CBB520 > > mine (Linux): > association_find: TCP port 443 found 0x86b4f58 > > Again I think this output is ok. The different pointer > addresses are due > to the different operating systems. > > The output continues without other differences. Event the "pre master > encrypted[128]" in frame #8 is the same. > > After those lines, the following major differences show up. > > yours (Windows): > pcry_private_decrypt: stripping 79 bytes, decr_len 127 > decypted_unstrip_pre_master[127]: > 02 c8 3b d5 a5 24 3c 40 c7 6e 95 b9 46 da b2 79 > b1 06 ec 61 2d f7 f5 4a b7 62 b6 33 4b b3 05 ef > 90 14 59 72 08 d5 34 88 41 cc a6 96 f4 dd 97 9a > dc 3a 6e 92 1f 3a e4 6b 5b fb 3f ee 46 59 62 f3 > f3 06 0f d1 1f f4 9d b2 29 08 c6 01 f5 c3 00 03 > 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 18 > 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 cb > 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8 > pre master secret[48]: > 03 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 > 18 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 > cb 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8 > > mine (Linux): > pcry_private_decrypt: stripping 3 bytes, decr_len 128 > decypted_unstrip_pre_master[128]: > 05 06 00 58 14 ed 5f e1 ca 0d 53 d9 87 43 80 4d > 4f 9e 10 67 24 fc 60 eb f1 ff 3d 1c 74 ef b5 52 > 13 01 cf 06 53 89 ca 80 a2 b8 ee 20 ff 90 92 3a > 17 c7 0c db fe dd 99 c2 f2 47 21 c1 b7 fa 66 59 > bc 61 22 0d 58 e2 64 35 63 1e 71 32 c5 aa 26 18 > ba c8 e4 e2 c2 10 de ab 78 25 b4 d7 de 3b 26 c4 > 8c 24 c5 32 39 a2 08 76 3e d5 55 29 ca 12 da fe > 2b 9c 32 b5 b9 1a 88 0d d8 01 df 31 75 6f a7 cb > ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (125, > expected 48) > dissect_ssl3_handshake can't decrypt pre master secret > > The first line > > pcry_private_decrypt: stripping 3 bytes, decr_len 128 > > is from ssl_private_decrypt() (in packet-ssl-utils.c). I - > with my limited > knowlege of the SSL internals gained from reading the > wireshark source > code - interpret it as follows: the pre master secret has > been decrypted. > It contains padding data. The padding data ends with a byte > containing > zero. The padding is searched and stripped from the decrypted > data. On my > computer, the decrypted data contains only three bytes of > padding. This > is too short. > > So I guess decryption in libgcrypt[1] is defective on my computer. > > Any ideas what I can do about it? > > Cheers > Daniel > > [1] libgcrypt version 1.2.3 api-version 1 > > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users >
- References:
- [Wireshark-users] Decrypt SSL fails with testcase SampleCaptures/snakeoil2_070531.tgz
- From: Daniel Kabs
- Re: [Wireshark-users] Decrypt SSL fails with testcaseSampleCaptures/snakeoil2_070531.tgz
- From: Kukosa, Tomas
- Re: [Wireshark-users] Decrypt SSL fails with testcaseSampleCaptures/snakeoil2_070531.tgz
- From: Daniel Kabs
- [Wireshark-users] Decrypt SSL fails with testcase SampleCaptures/snakeoil2_070531.tgz
- Prev by Date: Re: [Wireshark-users] Decrypt SSL fails with testcaseSampleCaptures/snakeoil2_070531.tgz
- Next by Date: Re: [Wireshark-users] Capture Only RTCP
- Previous by thread: Re: [Wireshark-users] Decrypt SSL fails with testcaseSampleCaptures/snakeoil2_070531.tgz
- Next by thread: [Wireshark-users] How to get Average RTT
- Index(es):