Wireshark-users: Re: [Wireshark-users] tShark SSL Decryption Issue
From: "Robert D. Scott" <robert@xxxxxxx>
Date: Mon, 3 Mar 2008 08:08:49 -0500
A little more info on the server:
Is there only 1 Web listener on a single IP and all the sights use URI
information to direct http requests to the correct web?

The two packets you included from your debug file 1 & 18 are
"packet_from_server: is from server - FALSE". These did not come from the IP
address you have configured in your "ssl_init keys string".


Robert 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al Aghili
Sent: Friday, February 29, 2008 6:36 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] tShark SSL Decryption Issue


Hi,
We are trying to use tShark to decrypt SSL communication in our network. We
have one web server with multiple sites on it. So we use a single
Certificate and it all works from port 443. tShark is installed on Linux
(SLUES) to be exact. We are able to see decrypted messages for some of the
web sites on this web server but not all. When I run it in debug mode I see
below error messages. 
 
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
 
What is interesting is that we always see messages to some of the web sites
but some of the other ones it never gets decrypted as if its specific to the
site even though they are all running on the same server and the same port
using the same certificate.
 
This is an urgent issue for us so any help is greatly appreciated.
 
Thanks
Al
 
ssl_init keys string:
192.168.15.30,443,http,/home/application/cert.pem
ssl_init found host entry 192.168.15.30,443,http,/home/application/cert.pem
ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem
ssl_init private key file /home/application/cert.pem successfully loaded
association_add TCP port 443 protocol http handle 0x81e3288
association_find: TCP port 636 found 0x86868b0
ssl_association_remove removing TCP 636 - ldap handle 0x81f9250
association_add TCP port 636 protocol ldap handle 0x81f9250
association_find: TCP port 993 found 0x86868e8
ssl_association_remove removing TCP 993 - imap handle 0x81d1c18
association_add TCP port 993 protocol imap handle 0x81d1c18
association_find: TCP port 995 found 0x8686920
ssl_association_remove removing TCP 995 - pop handle 0x8255678
association_add TCP port 995 protocol pop handle 0x8255678
 
dissect_ssl enter frame #10 (first time)
ssl_session_init: initializing ptr 0xb48c2988 size 564
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 22 ssl, state 0x10
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
dissect_ssl enter frame #18 (first time)
ssl_session_init: initializing ptr 0xb48c2de0 size 564
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 143 ssl, state 0x00
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes,
remaining 148 
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01