Wireshark-users: [Wireshark-users] Decrypt SSL fails with testcase SampleCaptures/snakeoil2_07053

From: Daniel Kabs <dkabs@xxxxxxxxxxx>
Date: Mon, 16 Jul 2007 19:14:00 +0200
Hi there,

I just downloaded and compiled[1] Wireshark release 0.99.6 on Linux 
(Debian "Etch" release 4.0).

Then I tried to decrypt the sample capture of an SSL connection provided 
in the Wireshark wiki:

  http://wiki.wireshark.org/SSL

In the SSL preferences, I specified the RSA private key "rsasnakeoil2.key" 
which came with the captured data. Additionally I specified a SSL debug 
file.

When I load the capture file "rsasnakeoil2.cap" into Wireshark and view 
packets that contain "Application Data", the data is still encrypted.

The debug file shows that the RSA private key has been loaded:

  ssl_init private key file /home/daniel/mx12/httpd_privkey.pem
  successfully loaded

but according to the debug file Wireshark fails to decrypt the pre master 
secret which is exchanged in frame #8:

  dissect_ssl enter frame #8 (first time)
  ...
  pre master encrypted[128]:
  ...
  ssl_decrypt_pre_master_secret:RSA_private_decrypt
  pcry_private_decrypt: stripping 0 bytes, decr_len 128
  decypted_unstrip_pre_master[128]:
  ...
  ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128,
  expected 48)
  dissect_ssl3_handshake can't decrypt pre master secret

What can be the reason for to long a pre master secret? Are there any 
other prerequisites I have to do to decrypt SSL successfully? 


Cheers
Daniel


[1] Compiled with GTK+ 2.8.20, with GLib 2.12.4, with libpcap 0.9.5, with 
libz 1.2.3, with libpcre 6.7, without Net-SNMP, without ADNS, without 
Lua, with GnuTLS 1.0.16, with Gcrypt 1.2.3, with MIT Kerberos, without 
PortAudio, without AirPcap.