Re: [Wireshark-users] tShark SSL Decryption Issue

2008-03-04 Thread Sake Blok
Hi Al,

There are a few common reasons for Wireshark not being able
to decrypt ssl traffic.

First of all, Wireshark might not be able to read the key (either
it's not there or it's in the wrong format or it might be protected
with a passphrase). In your logfile you have the message
ssl_init private key file /home/application/cert.pem successfully loaded
so this is not the problem you are facing.

Secondly, Wireshark needs to see the whole SSL handshake to be
able to calculate all the keys for the ssl session. If you only
see ClientHello, ServerHello, ChangeCipherSpec... and not
ClientHello, ServerHello, Certificate, ServerHelloDone...
then the ssl-session is reused and Wireshark can't decrypt it
(unless the ssl-session with the full ssl handshake is also
in the trace). In order to capture the whole ssl negotiation,
make sure you start your capture *before* you start to communicate
with the server. When you use a browser, make sure you close it,
then start the capture, then start the browser and open the
URL.

A third reason is that many ssl clients nowadays use a cipher
that uses Diffie-Hellman to negotiate the secret keys. When
DH is not used, the private key of the server is used as seed
for the negotiation of the secret keys. The combination of the
whole ssl handshake and the private key makes it possible for
Wireshark to calculate the secret keys. When DH is used, random
data is used in negotiating the secret keys. This prevents
Wireshark from decrypting the traffic as it can't calculate 
the secret keys used for the encryption. Look at the Cipher
Suite in the ServerHello message; if it contains DH or DHE, then
this is the issue you are facing. You can configure your
ssl client or ssl server to not accept DH ciphers for testing
purposes.

Hope this helps,
Cheers,
Sake

On Tue, Mar 04, 2008 at 08:43:51AM -0700, Al Aghili wrote:
 Hi, 
 Does anyone have any ideas about this? Could it have to do with the
 client certificates?
 Any help is appreciated as this is an urgent issue for us.
 
 Thanks
 Al
 
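The second and third checks in Sake's reply (was the full handshake captured, and does the negotiated cipher suite use Diffie-Hellman) as a small triage script. This is an added example, not code from the thread or from Wireshark: it decodes a TLS ServerHello record to read the cipher suite, flags any DH/DHE suite, and reports a resumed session when the handshake messages seen lack Certificate and ServerHelloDone. The cipher-suite table is a subset of the IANA registry; the ServerHello bytes are constructed by `build_server_hello` rather than taken from Al's capture. It also treats ECDH/ECDHE suites as undecryptable, which the post does not mention but which fail for the same reason.

```python
"""Triage whether an SSL/TLS flow can be decrypted with only the server's
private key: was the full handshake captured, and is the key exchange
RSA (decryptable) or some form of Diffie-Hellman (not decryptable)?
Added example; the ServerHello used below is constructed test data."""
import struct

# Subset of the IANA TLS cipher suite registry (the ids are the real values).
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# Handshake message types (RFC 2246, section 7.4) and the record content type.
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
HS_SERVER_HELLO_DONE, HS_CLIENT_KEY_EXCHANGE = 14, 16
RECORD_HANDSHAKE = 22


def parse_server_hello(record: bytes) -> dict:
    """Decode one TLS record carrying a ServerHello and return its fields."""
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record (content_type %d)" % content_type)
    body = record[5:5 + length]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HS_SERVER_HELLO:
        raise ValueError("handshake type %d is not ServerHello" % hs_type)
    hello = body[4:4 + hs_len]
    server_version = struct.unpack("!H", hello[:2])[0]
    random = hello[2:34]                      # 32 bytes of server random
    sid_len = hello[34]
    session_id = hello[35:35 + sid_len]
    off = 35 + sid_len
    cipher_suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {
        "record_version": version,
        "version": server_version,
        "random": random,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": hello[off + 2],
    }


def cipher_name(cipher_suite: int) -> str:
    return CIPHER_SUITES.get(cipher_suite, "unknown_0x%04x" % cipher_suite)


def uses_dh_key_exchange(name: str) -> bool:
    """DH, DHE, ECDH and ECDHE suites derive the premaster secret from DH
    values, so the server's RSA private key never yields the session keys."""
    return "DH" in name


def handshake_is_full(hs_types) -> bool:
    """A full handshake carries Certificate and ServerHelloDone; a resumed
    session goes straight from ServerHello to ChangeCipherSpec/Finished."""
    return HS_CERTIFICATE in hs_types and HS_SERVER_HELLO_DONE in hs_types


def triage(server_hello_record: bytes, hs_types) -> dict:
    """Return the negotiated suite and the reasons (if any) that this flow
    cannot be decrypted with the server's private key alone."""
    info = parse_server_hello(server_hello_record)
    name = cipher_name(info["cipher_suite"])
    reasons = []
    if uses_dh_key_exchange(name):
        reasons.append("DH key exchange: session keys are not derived from the server key")
    if not handshake_is_full(hs_types):
        reasons.append("abbreviated handshake: session resumed, full handshake not in trace")
    return {"cipher_suite": name,
            "session_id": info["session_id"].hex(),
            "decryptable_with_server_key": not reasons,
            "reasons": reasons}


def build_server_hello(cipher_suite: int, session_id: bytes = b"\x11" * 32) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (test data, not captured)."""
    hello = (struct.pack("!H", 0x0301) + bytes(32) + bytes([len(session_id)])
             + session_id + struct.pack("!H", cipher_suite) + b"\x00")
    hs = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    full = [HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE,
            HS_SERVER_HELLO_DONE, HS_CLIENT_KEY_EXCHANGE]
    resumed = [HS_CLIENT_HELLO, HS_SERVER_HELLO]
    for suite, seen in ((0x002F, full), (0x0039, full), (0x002F, resumed)):
        print(triage(build_server_hello(suite), seen))
```

The handshake-type list would in practice come from the ssl debug log or from tshark's `ssl.handshake.type` field for one TCP stream; the script only needs the ServerHello record and that list, so the same logic applies per site when several virtual hosts share one listener, which is the situation in the thread.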

Re: [Wireshark-users] tShark SSL Decryption Issue

2008-03-04 Thread Al Aghili
Sake,
Thank you very much. I'll pursue the third reason and see if that makes
a difference. 

Al


Re: [Wireshark-users] tShark SSL Decryption Issue

2008-03-03 Thread Robert D. Scott
A little more info on the server:
Is there only 1 Web listener on a single IP and all the sites use URI
information to direct http requests to the correct web?

The two packets you included from your debug file 1 & 18 are
packet_from_server: is from server - FALSE. These did not come from the IP
address you have configured in your ssl_init keys string.


Robert 


___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users


Re: [Wireshark-users] tShark SSL Decryption Issue

2008-03-03 Thread Al Aghili
 5f 50 41 53 53 57 4f 52 44 3e 3c 4f 50 5f 
48 4f 53 54 5f 50 41 53 53 57 4f 52 44 45 6e 63 
72 79 70 74 3e 38 32 45 39 39 41 44 36 32 31 42 
35 38 43 43 37 41 39 45 39 39 45 41 44 33 33 34 
41 32 36 46 37 3c 2f 4f 50 5f 48 4f 53 54 5f 50 
41 53 53 57 4f 52 44 45 6e 63 72 79 70 74 3e 3c 
4f 50 5f 54 4f 4b 45 4e 3e 42 38 39 41 34 32 39 
35 41 45 39 35 32 44 46 33 45 32 32 37 35 39 44 
44 37 37 45 33 30 35 46 35 37 43 39 33 36 44 44 
33 30 45 32 44 32 42 31 37 3c 2f 4f 50 5f 54 4f 
4b 45 4e 3e 3c 4d 45 54 73 7a 42 6e 6b 4e 62 72 
3e 31 36 35 3c 2f 4d 45 54 73 7a 42 6e 6b 4e 62 
72 3e 3c 2f 4d 43 53 49 64 52 65 63 3e 3c 47 65 
6e 43 41 50 43 6f 6e 74 72 6f 6c 52 65 63 3e 3c 
43 4f 52 43 75 73 74 6f 6d 65 72 4b 65 79 3e 32 
33 32 34 39 34 3c 2f 43 4f 52 43 75 73 74 6f 6d 
65 72 4b 65 79 3e 3c 2f 47 65 6e 43 41 50 43 6f 
6e 74 72 6f 6c 52 65 63 3e 3c 2f 53 4f 41 43 75 
73 74 50 72 6f 66 52 65 63 49 6e 3e 3c 2f 5a 4d 
43 53 53 4f 41 43 75 73 74 50 72 6f 66 5f 46 72 
6d 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 
73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e a4 53 
82 42 57 05 69 c3 c5 79 33 ea 09 61 62 dc b6 b9 
9b 56 05 05 05 05 05 05 
ssl_decrypt_record found padding 5 final len 834
checking mac (len 814, version 300, ct 23 seq 2)
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 814, seq = 418, nxtseq =
1232
association_find: TCP port 44327 found (nil)
association_find: TCP port 443 found 0x86d1c80
dissect_ssl3_record decrypted len 814
decrypted app data fragment: ?xml version=1.0
encoding=utf-8?soap:Envelope
xmlns:soap=http://schemas.xmlsoap.org/soap/envelope/;
xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance;
xmlns:xsd=http://www.w3.org/2001/XMLSchema;soap:Body
/soap:Body/soap:Envelope
dissect_ssl3_record found association 0x86d1c80


[Wireshark-users] tShark SSL Decryption Issue

2008-02-29 Thread Al Aghili
Hi,
We are trying to use tShark to decrypt SSL communication in our network.
We have one web server with multiple sites on it. So we use a single
Certificate and it all works from port 443. tShark is installed on Linux
(SLUES) to be exact. We are able to see decrypted messages for some of
the web sites on this web server but not all. When I run it in debug
mode I see the error messages below.
 
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
 
What is interesting is that we always see messages to some of the web
sites but some of the other ones it never gets decrypted as if it's
specific to the site even though they are all running on the same server
and the same port using the same certificate.
 
This is an urgent issue for us so any help is greatly appreciated.
 
Thanks
Al
 
ssl_init keys string:
192.168.15.30,443,http,/home/application/cert.pem
ssl_init found host entry
192.168.15.30,443,http,/home/application/cert.pem
ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem
ssl_init private key file /home/application/cert.pem successfully loaded
association_add TCP port 443 protocol http handle 0x81e3288
association_find: TCP port 636 found 0x86868b0
ssl_association_remove removing TCP 636 - ldap handle 0x81f9250
association_add TCP port 636 protocol ldap handle 0x81f9250
association_find: TCP port 993 found 0x86868e8
ssl_association_remove removing TCP 993 - imap handle 0x81d1c18
association_add TCP port 993 protocol imap handle 0x81d1c18
association_find: TCP port 995 found 0x8686920
ssl_association_remove removing TCP 995 - pop handle 0x8255678
association_add TCP port 995 protocol pop handle 0x8255678
 
dissect_ssl enter frame #10 (first time)
ssl_session_init: initializing ptr 0xb48c2988 size 564
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record found version 0x0301 - state 0x10
dissect_ssl3_record: content_type 21
decrypt_ssl3_record: app_data len 22 ssl, state 0x10
association_find: TCP port 40685 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
dissect_ssl enter frame #18 (first time)
ssl_session_init: initializing ptr 0xb48c2de0 size 564
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
dissect_ssl server 192.168.15.30:443
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 143 ssl, state 0x00
association_find: TCP port 40686 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes,
remaining 148 
dissect_ssl3_hnd_hello_common found CLIENT RANDOM - state 0x01