Wireshark mailing list archives

Re: need help with decrypting ssl messages


From: Al <shaselai () yahoo com>
Date: Sun, 17 Oct 2010 19:04:01 -0700 (PDT)

Hey,

  did you get my last response? Possible to help out? Thanks

--- On Thu, 10/14/10, Burks, Doug <doug.burks () morris com> wrote:

From: Burks, Doug <doug.burks () morris com>
Subject: Re: [Wireshark-users] need help with decrypting ssl messages
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Date: Thursday, October 14, 2010, 3:47 PM
Your preferences config looks correct (it should be "http" NOT "https").


Two questions:
1.  Does your capture contain the ENTIRE conversation (including the
    Client Hello)?
2.  Have you tried "Follow SSL Stream" instead of "Follow TCP Stream"?

Regards,
--
Doug Burks, GSE, CISSP

-----Original Message-----
From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org]
On Behalf Of Al
Sent: Thursday, October 14, 2010 3:15 PM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] need help with decrypting ssl messages


 I followed a guide where I extracted my private key and inserted it into
 the SSL preferences in Wireshark like:

 123.456.55.678,443,http,C:\testkey.pem

 I tried both http and https - I thought since I am talking to the server
 in https it might be https? Anyway, both failed to decrypt (I still see
 jargon raw data when I view the TCP stream).
 The debug log gives me:
 
 
 ssl_association_remove removing TCP 443 - http handle 03164D48
 ssl_init keys string: 123.456.55.678,443,http,C:\testkey.pem
 ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem
 ssl_init addr '123.456.55.678' port '443' filename 'C:\testkey.pem' password(only for p12 file) '(null)'
 Private key imported: KeyID 01:31:a7:9e:fc:94:8b:08:2f:17:65:13:20:f9:d3:81:...
 ssl_init private key file C:\testkey.pem successfully loaded
 association_add TCP port 443 protocol http handle 03164D48

 dissect_ssl enter frame #4 (first time)
 ssl_session_init: initializing ptr 04E41BAC size 584
   conversation = 04E41868, ssl_session = 04E41BAC
   record: offset = 0, reported_length_remaining = 100
 packet_from_server: is from server - FALSE
 ssl_find_private_key server 123.456.55.678:443
 client random len: 32 padded to 32
 dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01
 ........
 
 
 So it seems the key has been found and loaded BUT when I check the
 STOPPED TCP stream it is still all jargon... what am I doing wrong
 here? Thanks

 I am pretty sure I am on the right server since the key is loaded and I
 checked netstat and found the IP of the webservice... but still from
 Wireshark the client basically does the handshake and cert check with the
 server and then afterwards the server just sends "fin" and ends it....
 Really not sure what's going on here...
 
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

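As an added example (not from the thread and not Wireshark's own code), a small Python check for the two things Doug's reply turns on: the ssl.keys_list entry itself, including the "http" versus "https" protocol field, and whether the ssl debug log reached the key-loaded and Client Hello milestones. The log markers and the entry format are taken from the lines quoted above; the IP address in the thread is an obvious placeholder and fails the address check, and the PEM/p12 rules are assumptions based on the "password(only for p12 file)" log line.

```python
import ipaddress

# Milestones taken verbatim from the ssl debug log quoted in the thread; the
# quoted log stops at the Client Hello, so later handshake steps are not covered.
LOG_MARKERS = {
    "host_entry_found": "ssl_init found host entry",
    "key_loaded": "successfully loaded",
    "client_hello_seen": "found CLIENT RANDOM",
}
PEM_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")
ENCRYPTED_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----"

def check_keys_list_entry(entry, key_text=None):
    """Return problems found in one ssl.keys_list entry (format as in the thread:
    ip,port,protocol,keyfile[,password]); key_text is the key file's contents."""
    issues = []
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) not in (4, 5):
        return [f"expected 4 or 5 comma-separated fields, got {len(parts)}"]
    ip, port, proto, keyfile = parts[:4]
    has_password = len(parts) == 5 and parts[4] != ""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        issues.append(f"'{ip}' is not a valid IP address (IPv4 octets are 0-255)")
    if not (port.isdigit() and 0 < int(port) < 65536):
        issues.append(f"'{port}' is not a valid TCP port")
    if proto.lower() == "https":
        # The third field names the dissector for the *decrypted* payload.
        issues.append("protocol is the inner protocol: use 'http', not 'https'")
    if key_text is not None:
        body = key_text.lstrip()
        if body.startswith(ENCRYPTED_PEM):  # assumption: only p12 takes a password
            issues.append(f"'{keyfile}' is an encrypted PEM; the password field "
                          "applies only to p12 files, so convert the key first")
        elif not body.startswith(PEM_HEADERS) and not has_password:
            issues.append(f"'{keyfile}' is not a PEM key; a p12 file needs the "
                          "password field")
    return issues

def handshake_progress(debug_log):
    """Map each milestone in LOG_MARKERS to whether the debug log reached it."""
    return {name: marker in debug_log for name, marker in LOG_MARKERS.items()}

# Constructed sample input: the entry and three log lines as quoted in the thread.
SAMPLE_ENTRY = r"123.456.55.678,443,http,C:\testkey.pem"
SAMPLE_LOG = (r"ssl_init found host entry 123.456.55.678,443,http,C:\testkey.pem" "\n"
              r"ssl_init private key file C:\testkey.pem successfully loaded" "\n"
              "dissect_ssl2_hnd_client_hello found CLIENT RANDOM -> state 0x01\n")
```

Run `check_keys_list_entry(SAMPLE_ENTRY)` and `handshake_progress(SAMPLE_LOG)` against your own entry and debug log; an all-True progress map with an empty issue list means the problem lies past the Client Hello, which this log excerpt cannot show.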