Wireshark-users: Re: [Wireshark-users] wireshark ssl decryption for dummies

From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Wed, 13 Sep 2006 00:10:00 -0400
When I use 0.99.3 for Windows, I also have trouble with the SSL decodes.
When I use the Wiki example and look at the logs, I see:

In the logs, I keep seeing "decrypt ssl3 record: no session key"

Logs:
association_remove_handle removing ptr 02D39200 handle 0282E918
association_remove_handle removing ptr 02D321E8 handle 0282DD88
association_remove_handle removing ptr 02D32450 handle 0283F9F8
association_remove_handle removing ptr 02D34DC0 handle 0296AA40
ssl_init keys string 127.0.0.1,443,ssl,rsasnakeoil2.key
ssl_init found host entry 127.0.0.1,443,ssl,rsasnakeoil2.key
ssl_init addr 127.0.0.1 port 443 filename rsasnakeoil2.key
ssl_get_version: 1.5.0
ssl_init private key file rsasnakeoil2.key successfully loaded
association_add port 443 protocol ssl handle 02CF2C60
association_add port 443 protocol http handle 0282E918
association_add port 636 protocol ldap handle 0282DD88
association_add port 993 protocol imap handle 0283F9F8
association_add port 995 protocol pop handle 0296AA40
ssl_session_init: initializing ptr 03FA1978 size 568
association_find: port 38713 found 00000000
packet_from_server: is from server 0
dissect_ssl server 127.0.0.1:443
client random len: 16 padded to 32
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74 ssl state 11
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 2 offset 5 lenght 70 bytes,
remaning 79 
dissect_ssl3_hnd_hello_common found random state 13
dissect_ssl3_hnd_srv_hello found cipher 35, state 17
dissect_ssl3_hnd_srv_hello not enough data to generate key (required 37)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 836 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 11 offset 84 lenght 832 bytes,
remaning 920 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 14 offset 925 lenght 0 bytes,
remaning 929 
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 132 ssl state 17
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 16 offset 5 lenght 128 bytes,
remaning 137 
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
pre master encrypted[128]:
65 51 2d a6 d4 a7 38 df ac 79 1f 0b d9 b2 61 7d 
73 88 32 d9 f2 62 3a 8b 11 04 75 ca 42 ff 4e d9 
cc b9 fa 86 f3 16 2f 09 73 51 66 aa 29 cd 80 61 
0f e8 13 ce 5b 8e 0a 23 f8 91 5e 5f 54 70 80 8e 
7b 28 ef b6 69 b2 59 85 74 98 e2 7e d8 cc 76 80 
e1 b6 45 4d c7 cd 84 ce b4 52 79 74 cd e6 d7 d1 
9c ad ef 63 6c 0f f7 05 e4 4d 1a d3 cb 9c d2 51 
b5 61 cb ff 7c ee c7 bc 5e 15 a3 f2 52 0f bb 32 
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 79 bytes, decr_len 127
decypted_unstrip_pre_master[127]:
02 c8 3b d5 a5 24 3c 40 c7 6e 95 b9 46 da b2 79 
b1 06 ec 61 2d f7 f5 4a b7 62 b6 33 4b b3 05 ef 
90 14 59 72 08 d5 34 88 41 cc a6 96 f4 dd 97 9a 
dc 3a 6e 92 1f 3a e4 6b 5b fb 3f ee 46 59 62 f3 
f3 06 0f d1 1f f4 9d b2 29 08 c6 01 f5 c3 00 03 
00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 18 
87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 cb 
7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8 
pre master secret[48]:
03 00 ff 84 56 6d a0 fb cc fd c6 c8 20 d5 f0 65 
18 87 b0 44 45 9c e3 92 f0 4d 32 cd 41 85 10 24 
cb 7a b3 01 36 3d 93 27 12 a4 7e 00 29 96 59 d8 
ssl_generate_keyring_material:PRF(pre_master_secret)
ssl3_prf: sha1_hash(1)
ssl3_prf: md5_hash(1) datalen 48
ssl3_prf: sha1_hash(2)
ssl3_prf: md5_hash(2) datalen 48
ssl3_prf: sha1_hash(3)
ssl3_prf: md5_hash(3) datalen 48
master secret[48]:
1e db 35 95 b8 18 b3 52 58 f3 07 3f e6 af 8a a6 
ab c3 a4 ed 66 3a 46 86 b6 e5 49 2a 7c f7 8c c2 
ac 22 bb 13 15 0f d8 62 a2 39 23 7b c2 ff 28 fb 
ssl_generate_keyring_material sess key generation
ssl3_prf: sha1_hash(1)
ssl3_prf: md5_hash(1) datalen 48
ssl3_prf: sha1_hash(2)
ssl3_prf: md5_hash(2) datalen 48
ssl3_prf: sha1_hash(3)
ssl3_prf: md5_hash(3) datalen 48
ssl3_prf: sha1_hash(4)
ssl3_prf: md5_hash(4) datalen 48
ssl3_prf: sha1_hash(5)
ssl3_prf: md5_hash(5) datalen 48
ssl3_prf: sha1_hash(6)
ssl3_prf: md5_hash(6) datalen 48
ssl3_prf: sha1_hash(7)
ssl3_prf: md5_hash(7) datalen 48
(...)

Am I missing something obvious?

--Jim

James Small
ANALYSTS 
 INTERNATIONAL
SEQUOIA SERVICES GROUP