Hi there,
I just downloaded and compiled[1] Wireshark release 0.99.6 on Linux
(Debian "Etch" release 4.0).
Then I tried to decrypt the sample capture of an SSL connection provided
in the Wireshark wiki:
http://wiki.wireshark.org/SSL
In the SSL preferences, I specified the RSA private key "rsasnakeoil2.key"
which came with the captured data. Additionally, I specified an SSL debug
file.
When I load the capture file "rsasnakeoil2.cap" into Wireshark and view
packets that contain "Application Data", the data is still encrypted.
The debug file shows that the RSA private key has been loaded:
ssl_init private key file /home/daniel/mx12/httpd_privkey.pem
successfully loaded
but according to the debug file, Wireshark fails to decrypt the pre-master
secret that is exchanged in frame #8:
dissect_ssl enter frame #8 (first time)
...
pre master encrypted[128]:
...
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 0 bytes, decr_len 128
decypted_unstrip_pre_master[128]:
...
ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128,
expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
What can be the reason for too long a pre-master secret? Are there any
other prerequisites I have to meet to decrypt SSL successfully?
Cheers
Daniel
[1] Compiled with GTK+ 2.8.20, with GLib 2.12.4, with libpcap 0.9.5, with
libz 1.2.3, with libpcre 6.7, without Net-SNMP, without ADNS, without
Lua, with GnuTLS 1.0.16, with Gcrypt 1.2.3, with MIT Kerberos, without
PortAudio, without AirPcap.
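
Added example (editor's note; not part of Daniel's message and not Wireshark's
code): the debug lines above report that raw RSA decryption produced 128 bytes
and that 0 bytes of padding were stripped. A TLS client encrypts the 48-byte
pre_master_secret with PKCS#1 v1.5 type-2 padding (00 02 <random PS> 00 <data>),
so after decryption with the right key the dissector finds that padding, strips
it, and is left with exactly 48 bytes whose first two bytes are the ClientHello
client_version. If the private key loaded does not belong to the certificate the
server presented, the output of the RSA operation is effectively random: no
padding header is found, nothing is stripped, and the whole 128-byte block is
handed on as the pre-master secret, which is precisely the "expected 48" failure
in the log. It is worth noticing that the log shows
/home/daniel/mx12/httpd_privkey.pem being loaded rather than rsasnakeoil2.key.
The Python below models both outcomes side by side. The Miller-Rabin key
generator, the TLS 1.0 client_version bytes, the seed and the constructed
pre-master secret are assumptions made for this demo only.

```python
"""Toy model of the RSA ClientKeyExchange check exercised by the debug log above.
Added example: not Wireshark's code and not from the original message.  The RSA
key generation is deliberately minimal and for illustration only."""
import random
from collections import namedtuple

PRE_MASTER_LEN = 48           # a TLS pre_master_secret is always 48 bytes
CLIENT_VERSION = b"\x03\x01"  # assumed ClientHello client_version (TLS 1.0)
MODULUS_BITS = 1024           # 128-byte RSA block, the size seen in the log
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; good enough for a demo key, not for real ones."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_rsa_key(bits, rng, e=65537):
    """Return ((n, e), (n, d)) for a toy RSA key pair."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def pkcs1_v15_pad(msg, k, rng):
    """EME-PKCS1-v1_5 block: 00 02 <random non-zero PS> 00 <msg>, k bytes long."""
    if len(msg) > k - 11:
        raise ValueError("message too long for the modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_apply(key, block):
    """Raw RSA (modular exponentiation) on a modulus-sized block."""
    n, exp = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes(k, "big")


def pkcs1_v15_strip(block):
    """Return (payload, bytes_stripped).  Without valid type-2 padding nothing
    is stripped, which is what 'stripping 0 bytes, decr_len 128' reports."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return block, 0
    sep = block.find(b"\x00", 2)
    if sep < 10:  # PS must be at least 8 bytes, i.e. occupy indices 2..9
        return block, 0
    return block[sep + 1:], sep + 1


PreMasterResult = namedtuple("PreMasterResult", "ok stripped length reason")


def decrypt_pre_master(priv, ciphertext, client_version=CLIENT_VERSION):
    """Decrypt, unpad, require 48 bytes, then require the client_version prefix
    (RFC 2246 section 7.4.7.1).  The length check is the one failing in the log."""
    pms, stripped = pkcs1_v15_strip(rsa_apply(priv, ciphertext))
    if len(pms) != PRE_MASTER_LEN:
        return PreMasterResult(False, stripped, len(pms),
            f"wrong pre_master_secret length ({len(pms)}, expected {PRE_MASTER_LEN})")
    if pms[:2] != client_version:
        return PreMasterResult(False, stripped, len(pms), "client_version mismatch")
    return PreMasterResult(True, stripped, len(pms), "")


def demo(seed=1):
    """Encrypt a constructed pre-master secret to the server's key, then try to
    recover it with the matching private key and with an unrelated one."""
    rng = random.Random(seed)
    server_pub, server_priv = gen_rsa_key(MODULUS_BITS, rng)
    _, other_priv = gen_rsa_key(MODULUS_BITS, rng)  # a key for some other cert
    pms = CLIENT_VERSION + bytes(rng.getrandbits(8) for _ in range(PRE_MASTER_LEN - 2))
    ciphertext = rsa_apply(server_pub, pkcs1_v15_pad(pms, MODULUS_BITS // 8, rng))
    return decrypt_pre_master(server_priv, ciphertext), decrypt_pre_master(other_priv, ciphertext)
```

Running demo() returns two results: with the matching key 80 bytes of padding
are stripped and a 48-byte secret remains; with the unrelated key nothing is
stripped and the full 128-byte block is reported, reproducing the
"wrong pre_master_secret length (128, expected 48)" condition from the log.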