Wireshark-users: Re: [Wireshark-users] tShark SSL Decryption Issue
From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 4 Mar 2008 17:46:21 +0100
Hi Al,

There are a few common reasons for Wireshark not being able
to decrypt ssl traffic.

First of all, Wireshark might not be able to read the key (either
it's not there or it's in the wrong format or it might be protected
with a passphrase). In your logfile you have the message
"ssl_init private key file /home/application/cert.pem successfully loaded"
so this is not the problem you are facing.

Secondly, Wireshark needs to "see" the whole SSL handshake to be
able to calculate all the keys for the ssl session. If you only
see ClientHello, ServerHello, ChangeCipherspec... and not
ClientHello, ServerHello, Certificate, ServerHelloDone...
then the ssl-session is reused and Wireshark can't decrypt it
(unless the ssl-session with the full ssl handshake is also
in the trace). In order to capture the whole ssl negotiation,
make sure you start your capture *before* you start to communicate
with the server. When you use a browser, make sure you close it,
then start the capture, then start the browser and open the
URL.

A third reason is that many ssl clients nowadays use a cipher
that uses Diffie Hellman to negotiate the secret keys. When 
DH is not used, the private key of the server is used as seed
for the negotiation of the secret keys. The combination of the
whole ssl handshake and the private key makes it possible for
Wireshark to calculate the secret keys. When DH is used, random
data is used in negotiating the secret keys. This prevents
Wireshark from decrypting the traffic as it can't calculate 
the secret keys used for the encryption. Look at the Cipher
Suite in the ServerHello message, if it contains DH or DHE, then
this is the issue you are facing. You can configure your
ssl client or ssl server to not accept DH ciphers for testing
purposes.

Hope this helps,
Cheers,
    Sake

On Tue, Mar 04, 2008 at 08:43:51AM -0700, Al Aghili wrote:
> Hi, 
> Does anyone have any ideas about this? Could it have to do with the
> client certificates?
> Any help is appreciated as this is an urgent issue for us.
> 
> Thanks
> Al
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Robert D.
> Scott
> Sent: Monday, March 03, 2008 6:09 AM
> To: 'Community support list for Wireshark'
> Subject: Re: [Wireshark-users] tShark SSL Decryption Issue
> 
> A little more info on the server:
> Is there only 1 Web listener on a single IP and all the sights use URI
> information to direct http requests to the correct web?
> 
> The two packets you included from your debug file 1 & 18 are
> "packet_from_server: is from server - FALSE". These did not come from
> the IP
> address you have configured in your "ssl_init keys string".
> 
> 
> Robert 
> 
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al Aghili
> Sent: Friday, February 29, 2008 6:36 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] tShark SSL Decryption Issue
> 
> 
> Hi,
> We are trying to use tShark to decrypt SSL communication in our network.
> We
> have one web server with multiple sites on it. So we use a single
> Certificate and it all works from port 443. tShark is installed on Linux
> (SLUES) to be exact. We are able to see decrypted messages for some of
> the
> web sites on this web server but not all. When I run it in debug mode I
> see
> below error messages. 
>  
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
>  
>  
> What is interesting is that we always see messages to some of the web
> sites
> but some of the other ones it never gets decrypted as if its specific to
> the
> site even though they are all running on the same server and the same
> port
> using the same certificate.
>  
> This is an urgent issue for us so any help is greatly appreciated.
>  
> Thanks
> Al
>  
> ssl_init keys string:
> 192.168.15.30,443,http,/home/application/cert.pem
> ssl_init found host entry
> 192.168.15.30,443,http,/home/application/cert.pem
> ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem
> ssl_init private key file /home/application/cert.pem successfully loaded
> association_add TCP port 443 protocol http handle 0x81e3288
> association_find: TCP port 636 found 0x86868b0
> ssl_association_remove removing TCP 636 - ldap handle 0x81f9250
> association_add TCP port 636 protocol ldap handle 0x81f9250
> association_find: TCP port 993 found 0x86868e8
> ssl_association_remove removing TCP 993 - imap handle 0x81d1c18
> association_add TCP port 993 protocol imap handle 0x81d1c18
> association_find: TCP port 995 found 0x8686920
> ssl_association_remove removing TCP 995 - pop handle 0x8255678
> association_add TCP port 995 protocol pop handle 0x8255678
>  
> dissect_ssl enter frame #10 (first time)
> ssl_session_init: initializing ptr 0xb48c2988 size 564
> association_find: TCP port 40685 found (nil)
> packet_from_server: is from server - FALSE
> dissect_ssl server 192.168.15.30:443
> dissect_ssl3_record found version 0x0301 -> state 0x10
> dissect_ssl3_record: content_type 21
> decrypt_ssl3_record: app_data len 22 ssl, state 0x10
> association_find: TCP port 40685 found (nil)
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
>  
> dissect_ssl enter frame #18 (first time)
> ssl_session_init: initializing ptr 0xb48c2de0 size 564
> association_find: TCP port 40686 found (nil)
> packet_from_server: is from server - FALSE
> dissect_ssl server 192.168.15.30:443
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 143 ssl, state 0x00
> association_find: TCP port 40686 found (nil)
> packet_from_server: is from server - FALSE
> decrypt_ssl3_record: using client decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes,
> remaining 148 
> dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
>  
>  
>  
>  
>  
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users