Wireshark-users: Re: [Wireshark-users] Difficulties decrypting SSL

From: "Feeny, Michael (GWM-CAI)" <michael_feeny@xxxxxx>
Date: Mon, 28 Apr 2008 07:29:21 -0400
Title: Difficulties decrypting SSL

Thx for the response!  I’m looking VERY closely at this (eyes bleery L), and I still can’t figure out what I’m doing wrong.  I still don’t see the HTTP calls that are being made inside this SSL connection.

 

I’m reasonably sure I have the right Certificate.  I see the Certificate in the SSL handshake, but perhaps it’s not the entire Certificate?  I’ve summarized the important (I think) SSL log entries as Wireshark attempts to decrypt this connection.  Any help – or pointers to docs that would help me interpret the SSL log – would be a GREAT help.  (I can provide more data – I just didn’t want to clutter up this email unnecessarily.)

 

Thx tons,

Michael Feeny

 

 

Frame Contents SSL Log Entry

 

CLIENT HELLO              is from server – TRUE                          

                                    Can’t find private key for this server!     

 

SERVER HELLO           is from server – TRUE

                                    No decoder available

                                    Found cipher

                                    Not enough data to generate key

 

CERTIFICATE                No decoder available

 

CLIENT KEY EXCHG     No decoder available

                                    found SSL_HND_CLIENT_KEY_EXCHG

                                    can't find private key

 

CHANGE CIPHER SPEC           No decoder available

 

REMAINING PKTS         No decoder available

Michael Feeny
Global Wealth Management Technology
Network and Security Integration
Office: 609-274-2761
Mobile:  484-995-1745
AOL IM: feenyman99
Pager:  888-merril0

 

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Al Aghili
Sent: Wednesday, April 23, 2008 1:00 PM
To: 'Community support list for Wireshark'
Subject: Re: [Wireshark-users] Difficulties decrypting SSL

Hi Michael,

This usually means that tshark is not seeing the whole SSL Handshake. Either because it started looking at the session in middle of communication or the SSL session was cached for some reason.

 

Al

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Feeny, Michael (GWM-CAI)
Sent: Wednesday, April 23, 2008 10:56 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Difficulties decrypting SSL

 

All,

 

I have dug deeper and found a lot of "NO SESSION KEY" errors in the SSL log (see below).  Can anyone suggest how to resolve these???

 

Thx again!

Michael

 

ssl_decrypt_pre_master_secret wrong pre_master_secret lenght (128, expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 56 ssl, state 0x17
association_find: TCP port 4243 found 00000000
packet_from_server: is from server 0
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 18 offset 148 length 15867777 bytes, remaining 204

 

dissect_ssl enter frame #14 (first time)
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 56 ssl, state 0x17
association_find: TCP port 8080 found 048F7968
packet_from_server: is from server 1
decrypt_ssl3_record: no session key
dissect_ssl3_handshake iteration 1 type 125 offset 11 length 3761175 bytes, remaining 67

 

dissect_ssl enter frame #15 (first time)
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 298 ssl, state 0x17
association_find: TCP port 4243 found 00000000
packet_from_server: is from server 0
decrypt_ssl3_record: no session key
association_find: TCP port 4243 found 00000000
association_find: TCP port 8080 found 048F7968

 

dissect_ssl enter frame #17 (first time)

 

dissect_ssl enter frame #22 (first time)
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 6835 ssl, state 0x17
association_find: TCP port 8080 found 048F7968
packet_from_server: is from server 1
decrypt_ssl3_record: no session key
association_find: TCP port 8080 found 048F7968

Michael Feeny
Global Wealth Management Technology
Network and Security Integration
Office: 609-274-2761
Mobile:  484-995-1745
AOL IM: feenyman99
Pager:  888-merril0

 

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Feeny, Michael (GWM-CAI)
Sent: Wednesday, April 23, 2008 8:43 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Difficulties decrypting SSL

Hello. I have captured traffic, via the Opnet Capture Agent, on a workstation. The packets consists mostly of SSL traffic that is "tunnelled" through an HTTP Proxy server. That is, the workstation issues HTTP "CONNECT" requests to create SSL tunnels thru the Proxy Server.  There are multiple URLs, and thus multiple RSA Keys involved.

I would like to decrypt this traffic, so that I can analyze the various HTTP calls made within the SSL tunnels.  I have the .PEM files necessary to do this, but I'm not successful yet.  After entering the RSA Keys and SSL log info into the Edit/Preferences box and hitting Apply, it seems that some of the traffic is decrypted.  I now see "200 OK" messages that are returned to the workstation, but not the HTTP requests that generated those responses.  The HTTP requests are still encrypted. When I look at the request packets, I see the HTTP Connect call, and then the SSL handshake, but the rest of the conversation is still encrypted.

Below is what I entered into the "RSA Keys list:" box (with the IP's sanitized).  Originally I had only the first set.  Then, when I saw decrypted packets in only 1 direction, I added the other set (to no avail). 

Below that, I've also included the first several lines of the SSL debug file (not the whole file, which is huge - 4.5MB), in case that is useful.

Any advice/suggestions would be greatly appreciated!
Michael Feeny
Merrill Lynch
RSA KEYS LIST
<Proxy IP>,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; <Proxy IP>,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; <Proxy IP>,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem; <Proxy IP>,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem; <Proxy IP>,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem;

<Wkstn IP>,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; <Wkstn IP>,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; <Wkstn IP>,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem; <Wkstn IP>,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem; <Wkstn IP>,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

SSL DEBUG FILE
ssl_association_remove removing TCP 8080 - http handle 026212C0
ssl_init keys string:
199.43.68.161,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; 146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; 146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem; 146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem; 146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem;

169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; 169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem; 169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem; 169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem; 169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

ssl_init found host entry 199.43.68.161,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init addr 199.43.68.161 port 8080 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem successfully loaded

association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry  146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem successfully loaded

association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry  146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem

ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem successfully loaded

association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry  146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem

ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem successfully loaded

association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry  146.125.199.87,8080,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

ssl_init addr 146.125.199.87 port 8080 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem successfully loaded

association_add TCP port 8080 protocol http handle 026212C0
ssl_init found host entry
ssl_init entry malformed can't find port in ''
ssl_init found host entry 169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem successfully loaded

association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry  169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-qa-broadcortapps.pem successfully loaded

association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry  169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem

ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui2-fxqa.pem successfully loaded

association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry  169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem

ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\pcoeui2-qa-broadcortapps.pem successfully loaded

association_add TCP port 4257 protocol http handle 026212C0
ssl_init found host entry  169.242.132.26,4257,http,\\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

ssl_init addr 169.242.132.26 port 4257 filename \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem

ssl_init private key file \\phccaims001\aim\AIM Projects\RCC_PE_Test_NAP_Apr_2008\Certs\rccui-qa-broadcortapps.pem successfully loaded

association_add TCP port 4257 protocol http handle 026212C0
association_find: TCP port 443 found 0293E2D8
ssl_association_remove removing TCP 443 - http handle 026212C0
association_add TCP port 443 protocol http handle 026212C0
association_find: TCP port 636 found 028EF3A0
ssl_association_remove removing TCP 636 - ldap handle 02653548
association_add TCP port 636 protocol ldap handle 02653548
association_find: TCP port 993 found 028EF728
ssl_association_remove removing TCP 993 - imap handle 0235B3D0
association_add TCP port 993 protocol imap handle 0235B3D0
association_find: TCP port 995 found 028EE008
ssl_association_remove removing TCP 995 - pop handle 026AF770
association_add TCP port 995 protocol pop handle 026AF770

dissect_ssl enter frame #602 (already visited)
dissect_ssl3_record: content_type 23
association_find: TCP port 8080 found 07F623A0
dissect_ssl3_record decrypted len 25
dissect_ssl3_record found association 07F623A0
decrypted app data fragment: HTTP/1.1 100 Continue 

Michael Feeny
Global Wealth Management Technology
Network and Security Integration
Office: 609-274-2761
Mobile:  484-995-1745
AOL IM: feenyman99
Pager:  888-merril0


This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.