Wireshark-users: Re: [Wireshark-users] Can't decrypt "snakeoil2" sample SSL session from wiki

From: Bas Nedermeijer <baswire@xxxxxxxx>
Date: Thu, 13 Sep 2012 23:16:50 +0200
Hi,

I have tried the test/suite-decryption.sh (from trunk-1.8.2). It seems to fail 
on my system (gentoo 64-bit).



Info of tshark  (I do see an undefined symbol error, not sure if it is related)
===========================================
../tshark -v
Could not open file: 'AlcatelLucent.xml', error: No such file or directory
/usr/src/wireshark/epan/.libs/libwireshark.so.2: undefined symbol: 
py_create_dissector_handle
TShark 1.8.3 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.4, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), without SMI, without c-ares, without ADNS, with Lua 5.1,
with Python 2.7.3, with GnuTLS 2.12.18, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.5.3-gentoo, with locale en_US.utf8, with libpcap version
1.1.1, with libz 1.2.7.

Built using gcc 4.6.3.
===========================================



I did enable the ssl-debug-file. Contents:

===========================================
Private key imported: KeyID 
dd:29:74:15:7b:e6:76:47:f5:f0:68:3e:8a:55:61:62:...
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '443' filename 
'/usr/src/wireshark/test/keys/rsasnakeoil2.key' password(only for p12 file) ''
ssl_init private key file /usr/src/wireshark/test/keys/rsasnakeoil2.key 
successfully loaded.
association_add TCP port 443 protocol http handle 0xb47af0
===========================================



Test suite output:

============================================

./test.sh 
----------------------------------------------------------------------

### Test suite: All ###

Subitems:
---------
1  Suite: Prerequisites (2 subitems)
2  Suite: Command line options (6 subitems)
3  Suite: File I/O (1 subitems)
4  Suite: Capture (3 subitems)
5  Suite: Unit tests (3 subitems)
6  Suite: File formats (1 subitems)
7  Suite: Decryption (1 subitems)

1-7  : Select item
Enter: Test All
Q    : Quit

----------------------------------------------------------------------

### Test suite: Decryption ###

Subitems:
---------
1  Suite: TShark decryption (4 subitems)

1-1  : Select item
Enter: Test All
U    : Up
Q    : Quit


----------------------------------------------------------------------

### Decryption ###

1  Suite: TShark decryption
1.1 Step: IEEE 802.11 WPA PSK Decryption  Remark: ../80211_keys exists. One or 
more tests may fail.
  Remark: ../dtlsdecrypttablefile exists. One or more tests may fail.
  Remark: ../ssl_keys exists. One or more tests may fail.
Could not open file: 'AlcatelLucent.xml', error: No such file or directory
 OK
1.2 Step: DTLS Decryption  Remark: ../80211_keys exists. One or more tests may 
fail.
  Remark: ../dtlsdecrypttablefile exists. One or more tests may fail.
  Remark: ../ssl_keys exists. One or more tests may fail.
Could not open file: 'AlcatelLucent.xml', error: No such file or directory
1

"DTLS Decryption" Failed!
Failed to decrypt DTLS

===================================================

I have added a echo which outputs the exitcode of the command (It is 1 ).

The same error occurs if I start the SSL test first (instead of the DTLS).

Removing the ../ssl_keys ../dtlsdecrypttablefile  ../80211_keys   has no effect.


The configure command of my build:

./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu 
--mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --
sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-
dependency-tracking --disable-setuid-install --enable-setcap-install --enable-
wireshark --enable-ipv6 --disable-profile-build --with-libcap --with-gcrypt --
without-geoip --with-krb5 --with-lua --with-dumpcap-group=wireshark --with-
pcap --without-portaudio --with-python --without-libsmi --with-gnutls --with-
zlib --disable-extra-gcc-checks --disable-usr-local --
sysconfdir=/etc/wireshark --without-adns --without-c-ares



I am unable to downgrade my gnutls library, I am afraid it will break too much 
on my system.






Kind regards,

Bas Nedermeijer











On Monday 10 September 2012 13:45:19 Gerald Combs wrote:
> On 9/10/12 1:32 PM, Sake Blok wrote:
> > Usually that means that you are using a private key that does not match
> > the certificate. But it is the 3rd time I hear problems (on Linux) with
> > decrypting the traffic with a key that is indeed matching the
> > certificate. It might be the version of your SSL libraries that has a
> > bug. Or Wireshark has a bug in the linux version. Could you file a
> > bugreport on https://bugs.wireshark.org?
> For what it's worth the Buildbot tests decryption of rsasnakeoil2.cap
> via test/suite-decryption.sh. We currently run tests on Windows XP,
> Windows 7, Ubuntu 12.04 and Solaris 10.
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe