Re: SSL/TLS - Error while trying to decrypt the premaster secret.

Tue, 11 Oct 2011 22:23:36 -0700 

On Wednesday 12 October 2011 02:44 AM, Dave Thompson wrote:

From: owner-openssl-us...@openssl.org On Behalf Of nilesh
Sent: Monday, 10 October, 2011 07:35



I have an issue related to RSA decryption while using https.
I have setup a dummy https server and captured packets on wireshark.


If you just want to decrypt a session and aren't aware of it,
wireshark can handle that. Edit / Preferences / Protocols / SSL
and give it the privatekey file(s). kRSA only.

I had already done it. Thanks for suggesting.


As per the RFC - in client key exchange message the premaster is
encrypted using Server's public key and sent to server.

[...]



The main error is that the data in to_decrypt_key is
not the ClientKeyExchange value in your capture.
If I replace it with the correct value, it decrypts
to a 48-byte value starting with 03 01 as expected.

Sorry, before forwarding the email, I think I performed some other test.

But one more thing I also debugged is - I will need to ignore initial 2 
bytes of key.

So I made it 128bytes and decrypt and it worked.



[...]


Other minor points:
- the length of the *encrypted* premaster, which is
the ClientKeyExchange value, is the same as the size
of the RSA key, which may be 128 or something else.
The *decrypted* premaster is always 48 bytes for kRSA.
- return; (no value) in function declared to return int
is illegal in C99 and undefined and unsafe in C89.
If your compiler doesn't warn get a better compiler.
- #include openssl/pem.h for PEM_read_RSAPrivateKey
- ERR_error_string doesn't include a newline so you should
add one (most easily in the printf format string).
Text output not terminated by a newline is unportable.
- in general OpenSSL routines can set more than one
error in the error stack. Loop until ERR_get_error
returns 0, or use ERR_print_errors[_fp] which does so.

Thanks for these pointers. This was actually a test code, and I ignored 
warnings.

Because of proprietary I could not share exact code.

--
Thanks,
Nilesh
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to