Wireshark-users: Re: [Wireshark-users] SSL Decryption on the Fly

From: "Robert D. Scott" <robert@xxxxxxx>
Date: Fri, 29 Feb 2008 13:53:06 -0500
Thanks.

The key is pass phrase protected, and already PEM. I discovered that 0.99.9
supports a pkcs12 file and password on the configuration files
(Accidentally). Since I had built the P12 it was easy to implement. I will
go back and generate a key file with no passphrase, if other users need to
do diagnostic sniffing, I am not sure I want the passwords used on my
production SSL modules floating around. :)

Robert D. Scott                 Robert@xxxxxxx
Senior Network Engineer         352-273-0113 Phone
CNS - Network Services          352-392-2061 CNS Receptionist
University of Florida           352-392-9440 FAX
Florida Lambda Rail             352-294-3571 FLR NOC
Gainesville, FL  32611


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Friday, February 29, 2008 12:51 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] SSL Decryption on the Fly


On Fri, Feb 29, 2008 at 10:17:44AM -0500, Robert D. Scott wrote:
> I am having trouble getting decrypted output.
> 
> Debug Output:
> ssl_init keys string:
> 128.227.21.54,443,http,L:\2007\satst\satst.erp.ufl.edu.cer
> ssl_init found host entry
> 128.227.21.54,443,http,L:\2007\satst\satst.erp.ufl.edu.cer
> ssl_init addr 128.227.21.54 port 443 filename
> L:\2007\satst\satst.erp.ufl.edu.cer
> ssl_load_key: can't import pem data
> 
> 
> I have all the original cert info for the server, the .csr, the .crt, and
> the .key 

It's the .key file that you should use. As the certificate itself will
be part of the SSL handshake, Wireshark needs the private key that is
linked to the public key which is found in the certificate.

> Every combination I try generates the can't import pem data. I know this is
> the right cert, because I built the pkcs12 file from them to load into our
> Cisco SSL offload module.

What does your .key file look like? It should look something like:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDDheBxxgRp9Zg/D6pGzTEx0sn4C6vkLj/ftPp62XVD8Af7VbE7
[...]
yjoTQnfWPSiXBfumTIGr+F4kYIP9uMTPIQpwcOlZGa2j
-----END RSA PRIVATE KEY-----

If it looks like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CB7BE7B5A318ACE6

ScuaEtGA1xy7iVvvntc4hZ9Kl0VOKmA9sOcfP1CnrUVpAuLoHPEXTsc10smlXwsl
[...]
yy7ANfGCZTWaWP89uOIwlXK0n8hHZjTjw5axBuWXvgWHNbvein7tsg==
-----END RSA PRIVATE KEY-----

then your keyfile is protected by a passphrase (which is a good
thing btw). Unfortunately Wireshark can't use passphrase protected keys
so you will need to use openssl (or something else) to create a
keyfile that is not protected by a passphrase.

(openssl rsa -in <old-keyfile> -out <new-keyfile> will ask you for the
passphrase and write the key to <new-keyfile> unencrypted)

If your keyfile looks binary, then it is probably in DER format, meaning
you will have to convert it to PEM. Again, openssl can help you out:

openssl rsa -inform DER -in <old-keyfile> -out <new-keyfile>

I hope this helps,
Cheers,
    Sake
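
The file checks described in the message above, collected into a script. This is an added example, not part of the original thread: the function names and output labels are hypothetical, and the checks for a certificate header and for the PKCS#8 `ENCRYPTED PRIVATE KEY` header go beyond the two PEM cases shown above.

```shell
#!/bin/sh
# Added example: classify a key file before handing it to Wireshark.
# Function names and output labels are hypothetical.

classify_keyfile() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo certificate        # .cer/.crt: public half only, no private key
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pem-encrypted      # PKCS#8 container, passphrase protected
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        # Traditional PEM marks encryption with a Proc-Type header line
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo pem-encrypted
        else
            echo pem-plain
        fi
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = 30 ]; then
        echo der                # 0x30 = ASN.1 SEQUENCE tag, so probably DER
    else
        echo unknown
    fi
}

# Print the next step for a file. umask 077 keeps the unencrypted copy
# readable by its owner only.
suggest_fix() {
    case $(classify_keyfile "$1") in
        pem-plain)     echo "usable as-is" ;;
        pem-encrypted) echo "(umask 077; openssl rsa -in $1 -out <new-keyfile>)" ;;
        der)           echo "(umask 077; openssl rsa -inform DER -in $1 -out <new-keyfile>)" ;;
        certificate)   echo "certificate, not a key: use the matching .key file" ;;
        *)             echo "not a recognised key file" ;;
    esac
}

if [ $# -gt 0 ]; then suggest_fix "$1"; fi
```

A file reported as `der` only starts with the ASN.1 SEQUENCE tag, so a binary certificate gets the same label; the `openssl rsa -inform DER` conversion will reject it if it is not a key.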