Wireshark-users: Re: [Wireshark-users] tShark SSL Decryption Issue
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Tue, 4 Mar 2008 14:22:53 -0700
Sake, Thank you very much. I'll pursue the third reason and see if that makes a difference. Al -----Original Message----- From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok Sent: Tuesday, March 04, 2008 9:46 AM To: Community support list for Wireshark Subject: Re: [Wireshark-users] tShark SSL Decryption Issue Hi Al, There are a few common reasons for Wireshark not being able to decrypt ssl traffic. First of all, Wireshark might not be able to read the key (either it's not there or it's in the wrong format or it might be protected with a passphrase). In your logfile you have the message "ssl_init private key file /home/application/cert.pem successfully loaded" so this is not the problem you are facing. Secondly, Wireshark needs to "see" the whole SSL handshake to be able to calculate all the keys for the ssl session. If you only see ClientHello, ServerHello, ChangeCipherspec... and not ClientHello, ServerHello, Certificate, ServerHelloDone... then the ssl-session is reused and Wireshark can't decrypt it (unless the ssl-session with the full ssl handshake is also in the trace). In order to capture the whole ssl negotiation, make sure you start your capture *before* you start to communicate with the server. When you use a browser, make sure you close it, then start the capture, then start the browser and open the URL. A third reason is that many ssl clients nowadays use a cipher that uses Diffie Hellman to negotiate the secret keys. When DH is not used, the private key of the server is used as seed for the negotiation of the secret keys. The combination of the whole ssl handshake and the private key makes it possible for Wireshark to calculate the secret keys. When DH is used, random data is used in negotiating the secret keys. This prevents Wireshark from decrypting the traffic as it can't calculate the secret keys used for the encryption. Look at the Cipher Suite in the ServerHello message, if it contains DH or DHE, then this is the issue you are facing. You can configure your ssl client or ssl server to not accept DH ciphers for testing purposes. Hope this helps, Cheers, Sake On Tue, Mar 04, 2008 at 08:43:51AM -0700, Al Aghili wrote: > Hi, > Does anyone have any ideas about this? Could it have to do with the > client certificates? > Any help is appreciated as this is an urgent issue for us. > > Thanks > Al > > -----Original Message----- > From: wireshark-users-bounces@xxxxxxxxxxxxx > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Robert D. > Scott > Sent: Monday, March 03, 2008 6:09 AM > To: 'Community support list for Wireshark' > Subject: Re: [Wireshark-users] tShark SSL Decryption Issue > > A little more info on the server: > Is there only 1 Web listener on a single IP and all the sights use URI > information to direct http requests to the correct web? > > The two packets you included from your debug file 1 & 18 are > "packet_from_server: is from server - FALSE". These did not come from > the IP > address you have configured in your "ssl_init keys string". > > > Robert > > -----Original Message----- > From: wireshark-users-bounces@xxxxxxxxxxxxx > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al Aghili > Sent: Friday, February 29, 2008 6:36 PM > To: wireshark-users@xxxxxxxxxxxxx > Subject: [Wireshark-users] tShark SSL Decryption Issue > > > Hi, > We are trying to use tShark to decrypt SSL communication in our network. > We > have one web server with multiple sites on it. So we use a single > Certificate and it all works from port 443. tShark is installed on Linux > (SLUES) to be exact. We are able to see decrypted messages for some of > the > web sites on this web server but not all. When I run it in debug mode I > see > below error messages. > > decrypt_ssl3_record: using client decoder > decrypt_ssl3_record: no decoder available > > > What is interesting is that we always see messages to some of the web > sites > but some of the other ones it never gets decrypted as if its specific to > the > site even though they are all running on the same server and the same > port > using the same certificate. > > This is an urgent issue for us so any help is greatly appreciated. > > Thanks > Al > > ssl_init keys string: > 192.168.15.30,443,http,/home/application/cert.pem > ssl_init found host entry > 192.168.15.30,443,http,/home/application/cert.pem > ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem > ssl_init private key file /home/application/cert.pem successfully loaded > association_add TCP port 443 protocol http handle 0x81e3288 > association_find: TCP port 636 found 0x86868b0 > ssl_association_remove removing TCP 636 - ldap handle 0x81f9250 > association_add TCP port 636 protocol ldap handle 0x81f9250 > association_find: TCP port 993 found 0x86868e8 > ssl_association_remove removing TCP 993 - imap handle 0x81d1c18 > association_add TCP port 993 protocol imap handle 0x81d1c18 > association_find: TCP port 995 found 0x8686920 > ssl_association_remove removing TCP 995 - pop handle 0x8255678 > association_add TCP port 995 protocol pop handle 0x8255678 > > dissect_ssl enter frame #10 (first time) > ssl_session_init: initializing ptr 0xb48c2988 size 564 > association_find: TCP port 40685 found (nil) > packet_from_server: is from server - FALSE > dissect_ssl server 192.168.15.30:443 > dissect_ssl3_record found version 0x0301 -> state 0x10 > dissect_ssl3_record: content_type 21 > decrypt_ssl3_record: app_data len 22 ssl, state 0x10 > association_find: TCP port 40685 found (nil) > packet_from_server: is from server - FALSE > decrypt_ssl3_record: using client decoder > decrypt_ssl3_record: no decoder available > > dissect_ssl enter frame #18 (first time) > ssl_session_init: initializing ptr 0xb48c2de0 size 564 > association_find: TCP port 40686 found (nil) > packet_from_server: is from server - FALSE > dissect_ssl server 192.168.15.30:443 > dissect_ssl3_record: content_type 22 > decrypt_ssl3_record: app_data len 143 ssl, state 0x00 > association_find: TCP port 40686 found (nil) > packet_from_server: is from server - FALSE > decrypt_ssl3_record: using client decoder > decrypt_ssl3_record: no decoder available > dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes, > remaining 148 > dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 > > > > > > > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users > > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users
- References:
- Re: [Wireshark-users] tShark SSL Decryption Issue
- From: Sake Blok
- Re: [Wireshark-users] tShark SSL Decryption Issue
- Prev by Date: Re: [Wireshark-users] Wireshark only capturing TCP handshake
- Next by Date: Re: [Wireshark-users] Wireshark only capturing TCP handshake
- Previous by thread: Re: [Wireshark-users] tShark SSL Decryption Issue
- Next by thread: [Wireshark-users] Remote manager for wireshark dump?
- Index(es):