Wireshark-users: [Wireshark-users] Trouble decrypting FTP over explicit TLS/SSL

From: Ray Van Dolson <rvandolson@xxxxxxxx>
Date: Tue, 29 Jul 2008 16:10:38 -0700
Hi, I'm trying to investigate an FTP session using explicit TLS/SSL
(connects via port 21 using AUTH TLS command vs using a dedicated
port).

I'm using the following to direct wireshark to decrypt the SSL:

  <ftp server ip>,21,ftp,/path/to/private/key

This definitely seems to change the output some, but I'm not able to
see the FTP commands being passed back and forth:

association_add TCP port 21 protocol ftp handle (nil)
association_add could not find handle for protocol 'ftp', try to find 'data' dissector

This would seem to be a key error?  Also later on, I see stuff like the
following:

dissect_ssl enter frame #13 (first time)
  conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x13
association_find: TCP port 1213 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 0x13
dissect_ssl3_handshake not enough data to generate key (required 0x17)

dissect_ssl enter frame #14 (first time)
  conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 1213 found (nil)
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #15 (first time)
  conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 272 ssl, state 0x13
association_find: TCP port 1213 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 129 offset 5 length 10001125 bytes, remaining 277

dissect_ssl enter frame #17 (first time)
  conversation = 0xb2b9a870, ssl_session = 0xb2b9aa98
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 21 found 0xba587cf8
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48 ssl, state 0x13
association_find: TCP port 21 found 0xba587cf8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 104 offset 11 length 7276346 bytes, remaining 59

The unable to generate key errors I'm used to seeing when I'm using a
cipher that does DH key exchange -- but in this case I am sure I'm
using RSA key exchange (AES128-SHA cipher).

Any ideas why this isn't working?  Is it the starttls nature of the
explicit TLS?  If I use start_tls instead of the port number it still
doesn't help (I guess this isn't exactly STARTTLS either).

Thanks,
Ray