Wireshark-users: Re: [Wireshark-users] Decrypting SSL traffic through tshark

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 12 Nov 2010 15:41:33 +0100
On 12 nov 2010, at 15:11, sahaj pandey wrote:

> [...]
> Again I am not able to get decrypted data. I am seeing a line as "no decoder available".
> 
> the log file have this kind of entries,
> 
> [...]
> ssl_init private key file server.key successfully loaded

This is good, the key can be loaded...

> dissect_ssl enter frame #66 (first time)
>   conversation = 0xb68257d0, ssl_session = 0xb68259a8
> dissect_ssl3_record found version 0x0301 -> state 0x11
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 58 ssl, state 0x11
> association_find: TCP port 443 found 0x9940730
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
> dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
> dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
> dissect_ssl3_hnd_srv_hello not enough data to generate key (required 0x37)
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 758 ssl, state 0x17
> association_find: TCP port 443 found 0x9940730
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 11 offset 68 length 754 bytes, remaining 826
> dissect_ssl3_record: content_type 22
> decrypt_ssl3_record: app_data len 4 ssl, state 0x17
> association_find: TCP port 443 found 0x9940730
> packet_from_server: is from server - TRUE
> decrypt_ssl3_record: using server decoder
> decrypt_ssl3_record: no decoder available
> dissect_ssl3_handshake iteration 1 type 14 offset 831 length 0 bytes, remaining 835
> ------
> 
> What can I do further to get it decrypted?

You have to look further down in the debug file. This is the packet from the server that contains the ServerHello and, from the looks of it, also the certificate. What Wireshark needs is the ClientKeyExchange message that contains the encrypted Pre Master Secret (PMS). This will look something like this in the debug file:

dissect_ssl enter frame #9 (first time)
  conversation = 0x105a11880, ssl_session = 0x105a11c30
  record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 134, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
pre master encrypted[128]:
76 1b 1b ea c3 5e 59 de 9a 3b b9 f7 4e bf 91 09
b7 38 e8 ad 34 6c 3c e8 26 f8 e9 f6 5d 82 a9 a5

and it should eventually say something like:

dissect_ssl3_handshake session keys successfully generated

Have a look at the SSL troubleshooting presentation I gave at Sharkfest'09 for some more info. If that does not help, please post the part of the ssl-debug file up till the frame where the first "ApplicationData" appears in the tracefile.

Powerpoint: https://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps
Video: http://www.lovemytool.com/blog/2009/06/sake_blok_11.html

Cheers,


Sake
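The reply above walks through what an ssl-debug file should contain for RSA key exchange decryption to work: the private key loads, the ServerHello picks a cipher suite, the ClientKeyExchange carries the encrypted pre-master secret, and finally "session keys successfully generated" appears. The following script is an added example (not code from the list, from Wireshark, or from Sake Blok) that parses such a debug file and reports which of those steps is missing. It goes slightly beyond the thread by also flagging (EC)DHE cipher suites, where the server private key alone cannot recover the pre-master secret regardless of how far down the file you look. The sample log texts are constructed from the lines quoted in the thread plus made-up continuation lines; the cipher suite table is a small subset of the IANA registry.

```python
"""Diagnose a Wireshark/tshark ssl-debug file (added example, not the
project's own code).  Reports which step of RSA key exchange decryption
is missing: key load, ServerHello, ClientKeyExchange, key generation."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Subset of IANA cipher suite ids.  RSA key exchange suites send the
# pre-master secret encrypted under the certificate's public key, so the
# server private key can recover it; (EC)DHE suites cannot be decrypted
# that way because the pre-master secret never crosses the wire.
RSA_KX_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
EPHEMERAL_KX_SUITES = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                       0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                       0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}

HS_SERVER_HELLO, HS_CLIENT_KEY_EXCHANGE = 2, 16   # TLS handshake types
CT_APPLICATION_DATA = 23                          # TLS record content type

# Line shapes taken from the debug output quoted in the thread.
RE_FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
RE_KEY_LOADED = re.compile(r"ssl_init private key file (\S+) successfully loaded")
RE_CIPHER = re.compile(r"found CIPHER 0x([0-9A-Fa-f]{4})")
RE_HANDSHAKE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+)")
RE_CONTENT_TYPE = re.compile(r"dissect_ssl3_record: content_type (\d+)")
RE_PRE_MASTER = re.compile(r"pre master encrypted\[\d+\]")
RE_KEYS_GENERATED = re.compile(r"session keys successfully generated")


@dataclass
class SslDebugReport:
    key_file: Optional[str] = None
    cipher: Optional[int] = None
    server_hello_frame: Optional[int] = None
    client_key_exchange_frame: Optional[int] = None
    pre_master_seen: bool = False
    keys_generated_frame: Optional[int] = None
    undecrypted_app_data_frames: list = field(default_factory=list)

    def diagnosis(self) -> str:
        """Name the first missing step, in the order the handshake needs them."""
        if self.key_file is None:
            return "private key never loaded: check the ssl.keys_list entry"
        if self.cipher in EPHEMERAL_KX_SUITES:
            return (f"cipher {EPHEMERAL_KX_SUITES[self.cipher]} uses ephemeral "
                    "key exchange; the server private key cannot recover the PMS")
        if self.server_hello_frame is None:
            return "no ServerHello seen: the capture does not contain the handshake"
        if self.client_key_exchange_frame is None:
            return ("no ClientKeyExchange seen: capture truncated or session "
                    "resumed; look further down or capture a full handshake")
        if self.keys_generated_frame is None:
            return ("ClientKeyExchange seen but no session keys generated: "
                    "the loaded key does not decrypt the PMS (wrong key?)")
        return (f"session keys generated in frame {self.keys_generated_frame}; "
                "application data after that should decrypt")


def parse_ssl_debug(text: str) -> SslDebugReport:
    """Walk the debug file once, tracking the current frame number."""
    report, frame = SslDebugReport(), None
    for line in text.splitlines():
        line = line.strip()
        if m := RE_FRAME.search(line):
            frame = int(m.group(1))
        elif m := RE_KEY_LOADED.search(line):
            report.key_file = m.group(1)
        elif m := RE_CIPHER.search(line):
            report.cipher = int(m.group(1), 16)
        elif m := RE_HANDSHAKE.search(line):
            htype = int(m.group(1))
            if htype == HS_SERVER_HELLO and report.server_hello_frame is None:
                report.server_hello_frame = frame
            elif htype == HS_CLIENT_KEY_EXCHANGE:
                report.client_key_exchange_frame = frame
        elif m := RE_CONTENT_TYPE.search(line):
            # Application data seen before keys exist stays encrypted.
            if int(m.group(1)) == CT_APPLICATION_DATA and report.keys_generated_frame is None:
                report.undecrypted_app_data_frames.append(frame)
        elif RE_PRE_MASTER.search(line):
            report.pre_master_seen = True
        elif RE_KEYS_GENERATED.search(line):
            report.keys_generated_frame = frame
    return report


def diagnose(text: str) -> str:
    return parse_ssl_debug(text).diagnosis()


# Constructed samples: the thread's lines, then invented continuations.
SAMPLE_PAGE = """ssl_init private key file server.key successfully loaded
dissect_ssl enter frame #66 (first time)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
"""
SAMPLE_OK = SAMPLE_PAGE + """dissect_ssl enter frame #68 (first time)
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
pre master encrypted[128]:
76 1b 1b ea c3 5e 59 de 9a 3b b9 f7 4e bf 91 09
dissect_ssl3_handshake session keys successfully generated
dissect_ssl enter frame #70 (first time)
dissect_ssl3_record: content_type 23
"""
SAMPLE_ECDHE = SAMPLE_PAGE.replace("0x0004", "0xc013") + """dissect_ssl enter frame #70 (first time)
dissect_ssl3_record: content_type 23
"""

if __name__ == "__main__":
    for name, text in (("page", SAMPLE_PAGE), ("ok", SAMPLE_OK), ("ecdhe", SAMPLE_ECDHE)):
        print(f"{name}: {diagnose(text)}")
```

Run it against a real file with `diagnose(open("ssl-debug.txt").read())`; the `SAMPLE_PAGE` input reproduces the situation in the thread, where the file ends at the ServerHello and the right answer is to look further down for the ClientKeyExchange rather than to suspect the key.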