Wireshark-users: [Wireshark-users] tShark SSL Decryption Issue

From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Fri, 29 Feb 2008 16:35:38 -0700

Hi,

We are trying to use tShark to decrypt SSL communication in our network. We have one web server with multiple sites on it, so we use a single certificate and it all works from port 443. tShark is installed on Linux (SLUES) to be exact. We are able to see decrypted messages for some of the web sites on this web server but not all. When I run it in debug mode I see the error messages below.

decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

What is interesting is that we always see messages to some of the web sites, but for some of the other ones it never gets decrypted, as if it's specific to the site, even though they are all running on the same server and the same port using the same certificate.

This is an urgent issue for us so any help is greatly appreciated.

Thanks

Al

ssl_init keys string:
192.168.15.30,443,http,/home/application/cert.pem
ssl_init found host entry 192.168.15.30,443,http,/home/application/cert.pem
ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem
ssl_init private key file /home/application/cert.pem successfully loaded
association_add TCP port 443 protocol http handle 0x81e3288
association_find: TCP port 636 found 0x86868b0
ssl_association_remove removing TCP 636 - ldap handle 0x81f9250
association_add TCP port 636 protocol ldap handle 0x81f9250
association_find: TCP port 993 found 0x86868e8
ssl_association_remove removing TCP 993 - imap handle 0x81d1c18
association_add TCP port 993 protocol imap handle 0x81d1c18
association_find: TCP port 995 found 0x8686920
ssl_association_remove removing TCP 995 - pop handle 0x8255678
association_add TCP port 995 protocol pop handle 0x8255678

dissect_ssl enter frame #10 (first time)
ssl_session_init: initializing ptr 0xb48c2988 size 564
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 22 ssl, state 0x10
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #18 (first time)
ssl_session_init: initializing ptr 0xb48c2de0 size 564
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 143 ssl, state 0x00
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes, remaining 148
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
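
One way to triage debug output like the above, added here as an example and not part of the original post or of Wireshark: a Python parser that groups the SSL debug lines by frame and record and counts which record types hit "no decoder available". The function names and the "server decoder" line variant are assumptions; the sample input is constructed from lines in the post.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the debug output in the post.
SAMPLE_LOG = """\
dissect_ssl enter frame #10 (first time)
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 22 ssl, state 0x10
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #18 (first time)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 143 ssl, state 0x00
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
"""

# Standard TLS record content types.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Line shapes as they appear in the post; "server decoder" is an assumed variant.
FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
CTYPE = re.compile(r"dissect_ssl3_record: content_type (\d+)")
STATE = re.compile(r"app_data len (\d+) ssl, state (0x[0-9a-fA-F]+)")
SIDE = re.compile(r"decrypt_ssl3_record: using (client|server) decoder")
NODEC = "decrypt_ssl3_record: no decoder available"

def summarize(log_text):
    """Return one dict per SSL record found in the debug log."""
    records, frame = [], None
    for line in log_text.splitlines():
        if m := FRAME.search(line):
            frame = int(m.group(1))
        elif m := CTYPE.search(line):
            n = int(m.group(1))
            records.append({"frame": frame, "type": CONTENT_TYPES.get(n, str(n)),
                            "length": None, "state": None, "side": None,
                            "no_decoder": False})
        elif not records or records[-1]["frame"] != frame:
            continue  # decrypt lines with no record line yet in this frame
        elif m := STATE.search(line):
            records[-1]["length"] = int(m.group(1))
            records[-1]["state"] = int(m.group(2), 16)
        elif m := SIDE.search(line):
            records[-1]["side"] = m.group(1)
        elif NODEC in line:
            records[-1]["no_decoder"] = True
    return records

def no_decoder_by_type(records):
    """Count undecrypted records per TLS content type."""
    return Counter(r["type"] for r in records if r["no_decoder"])
```

Run over a full debug file, the per-type counts separate handshake records, which are sent before any keys exist, from alert or application_data records that were left undecrypted.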