> From: owner-openssl-us...@openssl.org On Behalf Of Bernard46
> Sent: Sunday, 24 June, 2012 18:12
> Can I just double check that you are certain the Alert Level and
> Description bytes (1 byte each) are encrypted and so cannot be read
> in a Wireshark trace? This makes debugging very difficult if all you
> have to go on is a line trace?
>

Complete *records* are encrypted, once the handshake completes
(successfully). That includes the two bytes of an alert record.
Only the record type (that it is alert not handshake application CCS),
protocol version and length stay clear.

SSL/TLS encrypted data can, in the abstract, be decrypted if you use
akRSA (i.e., "plain" RSA without DHE or ECDHE) and you have the
server's private key. Wireshark used to be able to do this if you
configure under Preferences / Protocols ; the last time I tried
they had "enhanced" it and I couldn't get it to work anymore,
but maybe you can. Failing that, you could extract the data either
from Wireshark or from its capture file, and write code to replicate
key derivation and en/decryption, but this would be quite a bit of work.

I don't recall if the negotiation in your trace was akRSA, but if it
wasn't (and isn't) you might be able to configure your endpoint(s)
to make it so.

Or for debugging, if your endpoints both support it there are SSL/TLS
ciphersuites which don't actually encrypt, called "eNULL" in OpenSSL.
They go through the same protocol logic, handshaking, MAC, etc, but
are still legible. But since these suites provide no confidentiality,
many sites/admins and some programs prevent their use, assuming it
to be a mistake.

Alternatively, the old 40-bit "export" suites, defined years ago when
US and some other governments prohibited variously export import or
use of "strong" crypto, should now be brute-forcible with some average
desktops in days. Many implementations, including OpenSSL, still
support these suites so they can communicate with way-old devices
or systems if needed. But again, admins or programs may prevent use
of these suites precisely because they can be broken easily.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
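
Added example, not part of the original message and not OpenSSL code: a small parser that walks one direction of a captured byte stream and reports only what the reply says stays clear (record type, protocol version, length), decoding the alert level and description only for records sent before ChangeCipherSpec. It assumes TLS 1.2 or earlier record framing; the function names and sample bytes are constructed for illustration.

```python
import struct

# Content types of the TLS record layer (TLS 1.2 and earlier assumed).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def visible_fields(stream: bytes):
    """Walk one direction of a captured TLS byte stream and return, per
    record, only what a passive observer without keys can read."""
    records, offset, protected = [], 0, False
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {offset}")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": f"{major}.{minor}", "length": length,
               "protected": protected, "alert": None}
        # Before ChangeCipherSpec an alert body is the two clear bytes
        # (level, description). Afterwards the body has been transformed by
        # the negotiated suite (ciphertext plus MAC), so it is not decoded.
        if ctype == 21 and not protected and length == 2:
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]), body[1])
        records.append(rec)
        if ctype == 20:
            protected = True  # records that follow use the negotiated suite
        offset += 5 + length
    return records


def record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one record for the constructed samples below."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body


# Constructed sample data, not taken from any real capture.
HANDSHAKE_FAILED = record(22, b"\x01" + bytes(40)) + record(21, b"\x02\x28")
AFTER_HANDSHAKE = (record(20, b"\x01") + record(22, bytes(36))
                   + record(21, bytes(range(22))))

if __name__ == "__main__":
    for name, data in [("failed handshake", HANDSHAKE_FAILED),
                       ("after handshake", AFTER_HANDSHAKE)]:
        print(name)
        for r in visible_fields(data):
            print("  ", r)
```

In the second sample the alert record is 22 bytes long rather than 2, which is itself a usable debugging hint: the type byte still says "alert", but the level and description are no longer readable from the wire.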