Wireshark · Wireshark-users: Re: [Wireshark-users] need help with decrypting ssl messages

Wireshark-users: Re: [Wireshark-users] need help with decrypting ssl messages

From: "Burks, Doug" <doug.burks@xxxxxxxxxx>

Date: Thu, 14 Oct 2010 15:47:58 -0400

Your preferences config looks correct (it should be "http" NOT "https").


Two questions:
1.  Does your capture contain the ENTIRE conversation (including the
Client Hello)?
2.  Have you tried "Follow SSL Stream" instead of "Follow TCP Stream"?

Regards,
--
Doug Burks, GSE, CISSP

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al
Sent: Thursday, October 14, 2010 3:15 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] need help with decrypting ssl messages


 I followed a guide where I extracted
 my private key and insert it into the SSL from wireshark  preferences
like:
 
 123.456.55.678,443,http,C:\testkey.pem
 
 I tried both http and https - i thought since i am talking  to server
in https it might be https? Anyway, both failed to  decrypt (still see
jargon raw data when i view TCP stream.
 The debug log gives me:
 
 
 ssl_association_remove removing TCP 443 - http handle
 03164D48
 ssl_init keys string:
 123.456.55.678,443,http,C:\testkey.pem
 ssl_init found host entry
 123.456.55.678,443,http,C:\testkey.pem
ssl_init addr '123.456.55.678' port '443' filename  'C:\testkey.pem'
password(only for p12 file) '(null)'
 Private key imported: KeyID
 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
 ssl_init private key file C:\testkey.pem successfully  loaded
association_add TCP port 443 protocol http handle 03164D48
 
 dissect_ssl enter frame #4 (first time)
 ssl_session_init: initializing ptr 04E41BAC size 584
   conversation = 04E41868, ssl_session = 04E41BAC
   record: offset = 0, reported_length_remaining = 100
 packet_from_server: is from server - FALSE  ssl_find_private_key server
123.456.55.678:443  client random len: 32 padded to 32
dissect_ssl2_hnd_client_hello found CLIENT RANDOM ->  state 0x01
........
 
 
 So it seems the key has been found and loaded BUT when i  check the
STOPPED TCP stream it is still all jargon... what  am i doing wrong
here? thanks
 
 I am pretty sure i am on the right server since the key is loaded and i
checked netstat and found the ip of the webservice... but still from
wire shark the client basically does handshake and cert check with
server and then afterwards server just sends "fin" and ends it....
really not sure whats going on here...
 
 
       
 


      
________________________________________________________________________
___
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Follow-Ups:
- Re: [Wireshark-users] need help with decrypting ssl messages
  - From: Al
- Re: [Wireshark-users] need help with decrypting ssl messages
  - From: Al

References:
- [Wireshark-users] need help with decrypting ssl messages
  - From: Al

Prev by Date: [Wireshark-users] need help with decrypting ssl messages
Next by Date: Re: [Wireshark-users] need help with decrypting ssl messages
Previous by thread: [Wireshark-users] need help with decrypting ssl messages
Next by thread: Re: [Wireshark-users] need help with decrypting ssl messages
Index(es):
- Date
- Thread