Wireshark-users: Re: [Wireshark-users] need help to decrypt SSL packets

From: Arnold Wang <arnold.wang@xxxxxxxxxx>
Date: Thu, 5 Nov 2009 13:43:18 -0800

That’s it. Wireshark loads the key now.

[awang@arnoldw tmp]$ more ssl.debug

ssl_init keys string:

10.32.100.25,990,ftps,/tmp/esd.key

ssl_init found host entry 10.32.100.25,990,ftps,/tmp/esd.key

ssl_init addr '10.32.100.25' port '990' filename '/tmp/esd.key' password(only fo

r p12 file) '(null)'

Private key imported: KeyID 67:E9:F6:62:7A:5C:E8:23:5D:32:9D:E2:AB:A6:74:C1:...

ssl_init private key file /tmp/esd.key successfully loaded

 

Thank you very much!

 

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Thursday, November 05, 2009 12:59 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] need help to decrypt SSL packets

 

OK, I have found the problem (I think). The header "-----BEGIN PRIVATE KEY-----" differs from the header "-----BEGIN RSA PRIVATE KEY-----". So I googled and found http://www.cryptosys.net/pki/rsakeyformats.html on which the following can be found:

 

Private key formats supported (unencrypted)

 

    * PKCS#1 RSAPrivateKey** (PEM header: BEGIN RSA PRIVATE KEY)
    * PKCS#8 PrivateKeyInfo* (PEM header: BEGIN PRIVATE KEY)

So, a little fiddling with openssl made it possible for me to reproduce your problem by converting my (PKCS#1) key to PKCS#8 format. It gives the same error message. To convert the PKCS#8 key to PKCS#1, you can use:

 

openssl pkcs8 -in esd.key -out esd-new.key -nocrypt

 

Now you should be able to use esd-new.key in wireshark to decrypt your traffic...

 

(OpenSSL reads PKCS#8 format on the fly and GnuTLS does not support it apparently)

 

Hope this helps,

Cheers,

 

 

Sake

 

 

----- Original Message -----

From: Arnold Wang

Sent: Thursday, November 05, 2009 9:01 PM

Subject: Re: [Wireshark-users] need help to decrypt SSL packets

 

I’m running Fedora 11 and the GnuTLS comes with it is 2.6.6. When I tried to read the key using the “certool”, it seems OK.

[awang@arnoldw tmp]$ certtool -k --infile esd.key

Public Key Info:

                Public Key Algorithm: RSA

modulus:

                ee:61:de:e0:3e:2a:a3:c7:ff:a9:15:f4:34:42:11:

                e1:50:14:79:b7:c5:83:ae:38:be:37:b4:04:9a:65:

…..

public exponent:

                01:00:01:

private exponent:

                32:19:e3:cb:e1:84:f8:b3:3a:2a:81:70:b7:e3:02:

                fb:05:e7:a7:c5:55:ff:dd:08:14:02:85:15:4a:95:

…..

prime1:

                fe:27:46:34:a7:6f:0c:4d:a9:25:e5:a5:24:a3:f5:

                cc:9c:2e:6d:0a:67:38:bc:59:df:00:77:0e:07:95:

….

prime2:

                f0:1d:43:17:d1:d7:f8:9b:d1:e5:c3:b2:24:e8:78:

                1e:ff:51:36:e8:3d:dc:83:00:d3:51:9e:be:4a:ed:

…..

coefficient:

                0b:e1:5c:81:b2:9b:f0:74:ab:79:b3:9c:02:66:38:

                02:c3:a0:55:20:32:57:18:e0:ca:26:e7:8d:88:c1:

….

Public Key ID: 67:E9:F6:62:7A:5C:E8:23:5D:32:9D:E2:AB:A6:74:C1:2A:BC:12:D4

 

-----BEGIN RSA PRIVATE KEY-----

MIIJKAIBAAKCAgEA7mHe4D4qo8f/qRX0NEIR4VAUebfFg644vje0BJplC4LhPjCY

pLuHXt+RI65UeT5Fur6Gfv8aSozUL6qYumCPyMwRIEuG+tc63gTOefDhPdl87j/J

…..

6Coe5yaVM/j5UPWLjlLUl7mnUDKrKoqWGPQsoHkA/MWTKKX3K2/qG4nxma4Hz9ym

KU0+ZlMZXc/6qT3/grPqb4Ac82LuACGgjBvvJanktnA9s/Izmr0qJ0XDnzM=

-----END RSA PRIVATE KEY-----

 

I also tried to display the key using “od” and the only escape code is can tell is “\n”. I have pasted partial output here, unfortunately I can’t show all of them.

 

[awang@arnoldw tmp]$ od -c /tmp/esd.key

0000000   -   -   -   -   -   B   E   G   I   N       P   R   I   V   A

0000020   T   E       K   E   Y   -   -   -   -   -  \n   M   I   I   J

0000040   Q   g   I   B   A   D   A   N   B   g   k   q   h   k   i   G

0000060   9   w   0   B   A   Q   E   F   A   A   S   C   C   S   w   w

0000100   g   g   k   o   A   g   E   A   A   o   I   C   A   Q   D   u

0000120   Y   d   7   g   P   i   q   j   x   /   +   p   F   f   Q   0

0000140   Q   h   H   h   U   B   R   5  \n   t   8   W   D   r   j   i

…….

0006040   5   s   K  \n   p   a   D   o   K   h   7   n   J   p   U   z

0006060   +   P   l   Q   9   Y   u   O   U   t   S   X   u   a   d   Q

0006100   M   q   s   q   i   p   Y   Y   9   C   y   g   e   Q   D   8

0006120   x   Z   M   o   p   f   c   r   b   +   o   b   i   f   G   Z

0006140   r   g   f   P   3   K   Y   p   T   T   5   m   U   x   l   d

0006160  \n   z   /   q   p   P   f   +   C   s   +   p   v   g   B   z

0006200   z   Y   u   4   A   I   a   C   M   G   +   8   l   q   e   S

0006220   2   c   D   2   z   8   j   O   a   v   S   o   n   R   c   O

0006240   f   M   w   =   =  \n   -   -   -   -   -   E   N   D       P

0006260   R   I   V   A   T   E       K   E   Y   -   -   -   -   -  \n

0006300

From: Arnold Wang
Sent: Thursday, November 05, 2009 11:44 AM
To: Community support list for Wireshark
Subject: RE: [Wireshark-users] need help to decrypt SSL packets

 

Thanks for pointing out that the app is using GnuTLS. Let me confirm the key using the GnuTLS utilities first.

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Thursday, November 05, 2009 11:20 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] need help to decrypt SSL packets

 

Well, wireshark uses GnuTLS instead of OpenSSL, I'm not sure which version of GnuTLS was the first one to include 4K key support, but it must have been supporting it for a while as my tshark (1.3.0) is built with version 2.0.4 (which is 2 years old) and it is capable of importing 4K keys.

 

If I look at your file size (3264 bytes) and compare it the the size of my 4K key file (3243 bytes), there must be some extra data in your file that OpenSSL can skip, but GnuTLS can't. It can't be an extra CR after each line, as that would have added 51 extra characters instead of 21.

 

Could it be a paging message or maybe coloring escape codes? Try using "od -c /tmp/esd.key" to see whether there are escape codes in the file that "more" might use instead of display.

 

I looked at the source code and the only place that this error message can be generated is when the function "gnutls_x509_privkey_import" fails. At this point in the code, the key has already been succesfully read from file. So it's definately not a permission or IO issue, it's a conversion issue.

 

Hope this helps,

Cheers,

 

 

Sake

 

----- Original Message -----

From: Arnold Wang

Sent: Thursday, November 05, 2009 6:39 PM

Subject: Re: [Wireshark-users] need help to decrypt SSL packets

 

I used ssl decryption before and this is the first time run into this particular problem, couldn’t read the key file. This is the first time I tried to read a 4096-bit key. However since openssl seems have no problem reading it, I would assume wireshark should be able to as well.

The permission seems ok.

[awang@arnoldw tmp]$ ls -l /tmp/esd.key

-rw-r--r--. 1 awang users 3264 2009-11-05 09:28 /tmp/esd.key

[awang@arnoldw tmp]$ ls -l `which wireshark`

lrwxrwxrwx. 1 root root 13 2009-11-04 14:23 /usr/bin/wireshark -> consolehelper

[awang@arnoldw tmp]$ ls -l `which openssl`

-rwxr-xr-x. 1 root root 444640 2009-05-21 09:47 /usr/bin/openssl

BTW, the error happens before I even open the trace file so it has nothing to do with it. Unfortunately, I can’t upload the whole private key since it’s for one of our public production site.

Thanks for the help.

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Wednesday, November 04, 2009 2:56 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] need help to decrypt SSL packets

 

Seems you are doing the right thing.

 

Are you able to decrypt ssl traffic in other tracefiles  with other keys? Or was this your first try?

 

Could you share the output of:

 

ls -l /tmp/esd.key

ls -l `which wireshark`

ls -l `which openssl`

 

.. to see whether it could be a permission problem?

 

And are you able to share the tracefile and key or are they from a production environment?

 

Cheers,

    Sake

----- Original Message -----

From: Arnold Wang

Sent: Tuesday, November 03, 2009 9:07 PM

Subject: [Wireshark-users] need help to decrypt SSL packets

 

I’m running Wireshark 1.1.3 comes with Fedora 11. When I tried to decode the captured FTPS traffics, I’m running into trouble to load the private key into Wireshark. I got the following error message when I started Wireshark:

ssl_init keys string:

10.x.100.25,990,ftps,/tmp/esd.key

ssl_init found host entry 10.x.100.25,990,ftps,/tmp/esd.key

ssl_init addr '10.x.100.25' port '990' filename '/tmp/esd.key' password(only fo

r p12 file) '(null)'

ssl_load_key: can't import pem data

As far as I can tell, the private key looks OK.

[awang@mars tmp]$ more esd.key

-----BEGIN PRIVATE KEY-----

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDuYd7gPiqjx/+pFfQ0QhHhUBR5

t8WDrji+N7QEmmULguE+MJiku4de35EjrlR5PkW6voZ+/xpKjNQvqpi6YI/IzBEgS4b61zreBM55

….

paDoKh7nJpUz+PlQ9YuOUtSXuadQMqsqipYY9CygeQD8xZMopfcrb+obifGZrgfP3KYpTT5mUxld

z/qpPf+Cs+pvgBzzYu4AIaCMG+8lqeS2cD2z8jOavSonRcOfMw==

-----END PRIVATE KEY-----

[awang@mars tmp]$ openssl rsa -inform pem -in esd.key -noout -text

Private-Key: (4096 bit)

modulus:

    00:ee:61:de:e0:3e:2a:a3:c7:ff:a9:15:f4:34:42:

    11:e1:50:14:79:b7:c5:83:ae:38:be:37:b4:04:9a:

….

What did I miss?

Thanks.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe