Wireshark-users: Re: [Wireshark-users] tShark SSL Decryption Issue

From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Mon, 3 Mar 2008 07:16:15 -0700
Hi Robert,
Thank you for your response. To answer your question about the server issue:
yes, it's a single IP, and all of the sites use the URI information to
direct to the correct web.

Your second question: yes, the packets did not come from the IP in the
ssl_init string, but they are going to the IP in the ssl_init string. I
don't have to add all of the client IP addresses, do I? I've also
attached the frame that did get decrypted correctly. The difference I
see is that one did find the client decoder and the other didn't. Not sure
where this error is coming from.

Thanks for your help on this issue.

dissect_ssl enter frame #785 (first time)
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 840 ssl, state 0x1F
association_find: TCP port 44327 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 840
Ciphertext[840]:
ssl_decrypt_record: allocating 872 bytes for decrypt data (old len 552)
Plaintext[840]:
ssl_decrypt_record found padding 5 final len 834
checking mac (len 814, version 300, ct 23 seq 2)
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 814, seq = 418, nxtseq = 1232
association_find: TCP port 44327 found (nil)
association_find: TCP port 443 found 0x86d1c80
dissect_ssl3_record decrypted len 814
decrypted app data fragment: <?xml version="1.0"
encoding="utf-8"?><soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";><soap:Body
></soap:Body></soap:Envelope>
dissect_ssl3_record found association 0x86d1c80

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Robert D.
Scott
Sent: Monday, March 03, 2008 6:09 AM
To: 'Community support list for Wireshark'
Subject: Re: [Wireshark-users] tShark SSL Decryption Issue

A little more info on the server:
Is there only 1 Web listener on a single IP, and do all the sites use URI
information to direct http requests to the correct web?

The two packets you included from your debug file, 1 & 18, are
"packet_from_server: is from server - FALSE". These did not come from the IP
address you have configured in your "ssl_init keys string".


Robert 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al Aghili
Sent: Friday, February 29, 2008 6:36 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] tShark SSL Decryption Issue


Hi,
We are trying to use tShark to decrypt SSL communication in our network. We
have one web server with multiple sites on it, so we use a single
certificate and it all works from port 443. tShark is installed on Linux
(SLUES), to be exact. We are able to see decrypted messages for some of the
web sites on this web server but not all. When I run it in debug mode I see
the error messages below.
 
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
 
What is interesting is that we always see messages to some of the web
sites, but for some of the other ones it never gets decrypted, as if it's
specific to the site, even though they are all running on the same server
and the same port using the same certificate.
 
This is an urgent issue for us so any help is greatly appreciated.
 
Thanks
Al
 
ssl_init keys string:
192.168.15.30,443,http,/home/application/cert.pem
ssl_init found host entry
192.168.15.30,443,http,/home/application/cert.pem
ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem
ssl_init private key file /home/application/cert.pem successfully loaded
association_add TCP port 443 protocol http handle 0x81e3288
association_find: TCP port 636 found 0x86868b0
ssl_association_remove removing TCP 636 - ldap handle 0x81f9250
association_add TCP port 636 protocol ldap handle 0x81f9250
association_find: TCP port 993 found 0x86868e8
ssl_association_remove removing TCP 993 - imap handle 0x81d1c18
association_add TCP port 993 protocol imap handle 0x81d1c18
association_find: TCP port 995 found 0x8686920
ssl_association_remove removing TCP 995 - pop handle 0x8255678
association_add TCP port 995 protocol pop handle 0x8255678
 
dissect_ssl enter frame #10 (first time)
ssl_session_init: initializing ptr 0xb48c2988 size 564
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 22 ssl, state 0x10
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
dissect_ssl enter frame #18 (first time)
ssl_session_init: initializing ptr 0xb48c2de0 size 564
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 143 ssl, state 0x00
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes, remaining 148
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
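A small triage script for the ssl debug file output quoted in this thread, showing per frame whether the dissector found a decoder, which direction the packet went, and which record type was seen. This is an added example, not code from the thread or from the Wireshark project; the sample log lines are constructed from the excerpts above, and the function and field names are my own.

```python
import re

# Constructed sample, condensed from the debug excerpts quoted in the thread.
SAMPLE_LOG = """\
dissect_ssl enter frame #10 (first time)
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl enter frame #785 (first time)
dissect_ssl3_record: content_type 23
association_find: TCP port 44327 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record: mac ok
"""

FRAME_RE = re.compile(r"dissect_ssl enter frame #(\d+)")
PORT_RE = re.compile(r"association_find: TCP port (\d+) found")
SERVER_RE = re.compile(r"is from server - (TRUE|FALSE)")
CTYPE_RE = re.compile(r"content_type (\d+)")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def triage(log_text):
    """Group debug lines by frame; return {frame_no: info} in log order."""
    frames, info = {}, None
    for line in log_text.splitlines():
        if m := FRAME_RE.search(line):
            info = frames.setdefault(int(m.group(1)),
                {"ports": [], "from_server": None, "content_types": [], "status": "unknown"})
        elif info is None:
            continue  # ssl_init output precedes the first frame; nothing to attribute
        elif m := PORT_RE.search(line):
            info["ports"].append(int(m.group(1)))  # first hit is the port being looked up
        elif m := SERVER_RE.search(line):
            info["from_server"] = m.group(1) == "TRUE"
        elif m := CTYPE_RE.search(line):
            info["content_types"].append(CONTENT_TYPES.get(int(m.group(1)), m.group(1)))
        elif "no decoder available" in line:
            info["status"] = "no_decoder"  # no key material known for this session
        elif "mac ok" in line:
            info["status"] = "decrypted"
    return frames

def failing_frames(log_text):
    """Frames whose records were not decrypted, with the record types seen."""
    return [(n, i["content_types"]) for n, i in triage(log_text).items()
            if i["status"] == "no_decoder"]
```

Point it at the full ssl.debug_file to list which frames (and which record types) failed before a handshake was ever seen for that session.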