Wireshark-users: Re: [Wireshark-users] Decoding SSL (first time)

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Wed, 13 Jan 2010 17:24:35 +0100
Are you sure the private key you are using in Wireshark is indeed the private key that belongs to the certificate that the server is using?

Cheers,
    Sake


----- Original Message -----
From: "Stuart Marsden" <stuart@xxxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, January 13, 2010 3:24 PM
Subject: [Wireshark-users] Decoding SSL (first time)


Hi,

Trying to decode SSL for the first time. This is for provisioning a
VoIP phone talking HTTPS to Windows IIS.

Private key looks OK, but "decrypt_ssl3_record: no decoder available"
looks like the first error.

Based on a previous post, I made sure Wireshark was running before the phone
rebooted.

Any help greatly appreciated.

Stuart

ssl_init keys string:
82.133.39.247,443,http,C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem
ssl_init found host entry
82.133.39.247,443,http,C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem
ssl_init addr '82.133.39.247' port '443' filename
'C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem'
password(only for p12 file) '(null)'
Private key imported: KeyID
26:C8:D0:04:16:66:92:7C:E5:48:3F:89:DE:98:E9:1F:...
ssl_init private key file
C:\cygwin\home\Administrator\polycom_ssl\secprov3.et-al.biz_private_key.pem
successfully loaded
association_add TCP port 443 protocol http handle 0410AD18

dissect_ssl enter frame #318 (first time)
ssl_session_init: initializing ptr 054E7040 size 564
association_find: TCP port 53499 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 82.133.39.247:443
 conversation = 054E6D68, ssl_session = 054E7040
 record: offset = 0, reported_length_remaining = 90
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 85 ssl, state 0x00
association_find: TCP port 53499 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 81 bytes,
remaining 90
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #318 (already visited)
 conversation = 054E6D68, ssl_session = 00000000
 record: offset = 0, reported_length_remaining = 90
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 81 bytes,
remaining 90

dissect_ssl enter frame #319 (first time)
 conversation = 054E6D68, ssl_session = 054E7040
 record: offset = 0, reported_length_remaining = 894
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 889 ssl, state 0x11
association_find: TCP port 443 found 0479EEA8
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes,
remaining 894
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17
required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 807 bytes,
remaining 894
dissect_ssl3_handshake iteration 0 type 14 offset 890 length 0 bytes,
remaining 894

dissect_ssl enter frame #321 (first time)
 conversation = 054E6D68, ssl_session = 054E7040
 record: offset = 0, reported_length_remaining = 186
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134 ssl, state 0x17
association_find: TCP port 53499 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes,
remaining 139
pre master encrypted[128]:
1b d8 4a 14 29 9b cf 00 6e 00 80 74 3f 9c fc ba
bf 13 35 dd 95 7a da d3 7e 05 31 55 af c2 c0 ac
bb 5a 36 fc 2c 91 c9 01 7f 6f 61 41 ab 5f 02 66
22 52 00 6f 3f 3b e5 ba d3 5b 65 44 46 5e d4 66
ab 95 fd 22 e7 fe df d7 cf 24 7e 75 c1 75 99 cb
92 77 e7 f4 6c a6 87 87 ce 84 8f 1b 96 da cf 02
cd f3 9d b1 83 e9 3b a3 1f a3 dc 86 cc 74 9f 49
bb 9e 51 32 2c e0 62 82 1c 9f 4a 4d 24 98 de 0d
ssl_decrypt_pre_master_secret:RSA_private_decrypt
pcry_private_decrypt: stripping 0 bytes, decr_len zd
decrypted_unstrip_pre_master[128]:
57 7b 54 a0 43 99 68 22 78 a5 fc 7d 6e f4 da 9f
a8 e8 7c 3f e9 93 02 de ab 17 2f 1d f5 73 f5 f1
a5 8a 1d f7 ff 75 58 8a 65 49 7a 36 5a 01 cd a3
72 d9 e1 5d 2d f8 6f a3 ce 86 c9 5c d7 5a 42 77
06 fe 8b ac 34 7d 3a 0d 07 d1 bf 26 ef 0e 35 39
88 29 75 53 5b d8 91 1a 64 a3 a0 f8 71 71 77 f0
9f 68 fd 81 c6 ec 77 ef 24 af f8 a0 dc c3 9b 5f
a4 52 ec db 9a 2c 30 7a 94 39 8e eb 68 e7 38 35
ssl_decrypt_pre_master_secret wrong pre_master_secret length (128,
expected 48)
dissect_ssl3_handshake can't decrypt pre master secret
 record: offset = 139, reported_length_remaining = 47
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
association_find: TCP port 53499 found 00000000
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
 record: offset = 145, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36 ssl, state 0x17
association_find: TCP port 53499 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 240 offset 150 length 3164633
bytes, remaining 186

dissect_ssl enter frame #322 (first time)
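Added example (not part of the original thread and not Wireshark code): a structural check of the RSA-decrypted ClientKeyExchange block against the PKCS#1 v1.5 layout `00 02 <nonzero padding> 00 <48-byte premaster secret>`. Run on the `decrypted_unstrip_pre_master[128]` bytes from the log above, it shows the block has no such structure, which is what decrypting with a key that does not match the server certificate produces. The function names and the well-formed sample block are constructed for illustration.

```python
# Added example: checks whether an RSA-decrypted ClientKeyExchange block has
# PKCS#1 v1.5 type-2 structure: 00 02 <nonzero padding, >= 8 bytes> 00 <secret>.

# "decrypted_unstrip_pre_master[128]" bytes copied from the debug log above.
LOG_BLOCK = bytes.fromhex("""
57 7b 54 a0 43 99 68 22 78 a5 fc 7d 6e f4 da 9f
a8 e8 7c 3f e9 93 02 de ab 17 2f 1d f5 73 f5 f1
a5 8a 1d f7 ff 75 58 8a 65 49 7a 36 5a 01 cd a3
72 d9 e1 5d 2d f8 6f a3 ce 86 c9 5c d7 5a 42 77
06 fe 8b ac 34 7d 3a 0d 07 d1 bf 26 ef 0e 35 39
88 29 75 53 5b d8 91 1a 64 a3 a0 f8 71 71 77 f0
9f 68 fd 81 c6 ec 77 ef 24 af f8 a0 dc c3 9b 5f
a4 52 ec db 9a 2c 30 7a 94 39 8e eb 68 e7 38 35
""")


def check_premaster_block(block: bytes) -> tuple:
    """Return (ok, reason) for a raw RSA decryption result."""
    # Big-integer decryption may drop the leading 0x00; accept both forms.
    body = block[1:] if block[:1] == b"\x00" else block
    if body[:1] != b"\x02":
        return False, "no 0x02 block-type byte: not a PKCS#1 v1.5 block"
    sep = body.find(b"\x00", 1)          # first zero byte ends the padding
    if sep == -1:
        return False, "no 0x00 separator after padding"
    if sep - 1 < 8:
        return False, "padding shorter than 8 bytes"
    secret = body[sep + 1:]
    if len(secret) != 48:
        return False, f"premaster secret is {len(secret)} bytes, expected 48"
    if secret[0] != 0x03:
        return False, "premaster secret does not start with an SSL/TLS version"
    return True, f"valid, client version {secret[0]}.{secret[1]}"


def build_sample_block(size: int = 128) -> bytes:
    """Constructed well-formed block (fixed padding bytes, not random)."""
    secret = b"\x03\x01" + bytes(range(1, 47))   # 48 bytes, version 3.1
    padding = b"\xaa" * (size - 3 - len(secret))
    return b"\x00\x02" + padding + b"\x00" + secret


if __name__ == "__main__":
    print("log block:   ", check_premaster_block(LOG_BLOCK))
    print("sample block:", check_premaster_block(build_sample_block()))
```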