Re: [Wireshark-users] tShark SSL Decryption Issue
Sake, Thank you very much. I'll pursue the third reason and see if that makes a difference. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sake Blok Sent: Tuesday, March 04, 2008 9:46 AM To: Community support list for Wireshark Subject: Re: [Wireshark-users] tShark SSL Decryption Issue Hi Al, There are a few common reasons for Wireshark not being able to decrypt ssl traffic. First of all, Wireshark might not be able to read the key (either it's not there or it's in the wrong format or it might be protected with a passphrase). In your logfile you have the message "ssl_init private key file /home/application/cert.pem successfully loaded" so this is not the problem you are facing. Secondly, Wireshark needs to "see" the whole SSL handshake to be able to calculate all the keys for the ssl session. If you only see ClientHello, ServerHello, ChangeCipherspec... and not ClientHello, ServerHello, Certificate, ServerHelloDone... then the ssl-session is reused and Wireshark can't decrypt it (unless the ssl-session with the full ssl handshake is also in the trace). In order to capture the whole ssl negotiation, make sure you start your capture *before* you start to communicate with the server. When you use a browser, make sure you close it, then start the capture, then start the browser and open the URL. A third reason is that many ssl clients nowadays use a cipher that uses Diffie Hellman to negotiate the secret keys. When DH is not used, the private key of the server is used as seed for the negotiation of the secret keys. The combination of the whole ssl handshake and the private key makes it possible for Wireshark to calculate the secret keys. When DH is used, random data is used in negotiating the secret keys. This prevents Wireshark from decrypting the traffic as it can't calculate the secret keys used for the encryption. Look at the Cipher Suite in the ServerHello message, if it contains DH or DHE, then this is the issue you are facing. You can configure your ssl client or ssl server to not accept DH ciphers for testing purposes. Hope this helps, Cheers, Sake On Tue, Mar 04, 2008 at 08:43:51AM -0700, Al Aghili wrote: > Hi, > Does anyone have any ideas about this? Could it have to do with the > client certificates? > Any help is appreciated as this is an urgent issue for us. > > Thanks > Al > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Robert D. > Scott > Sent: Monday, March 03, 2008 6:09 AM > To: 'Community support list for Wireshark' > Subject: Re: [Wireshark-users] tShark SSL Decryption Issue > > A little more info on the server: > Is there only 1 Web listener on a single IP and all the sights use URI > information to direct http requests to the correct web? > > The two packets you included from your debug file 1 & 18 are > "packet_from_server: is from server - FALSE". These did not come from > the IP > address you have configured in your "ssl_init keys string". > > > Robert > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Al Aghili > Sent: Friday, February 29, 2008 6:36 PM > To: wireshark-users@wireshark.org > Subject: [Wireshark-users] tShark SSL Decryption Issue > > > Hi, > We are trying to use tShark to decrypt SSL communication in our network. > We > have one web server with multiple sites on it. So we use a single > Certificate and it all works from port 443. tShark is installed on Linux > (SLUES) to be exact. We are able to see decrypted messages for some of > the > web sites on this web server but not all. When I run it in debug mode I > see > below error messages. > > decrypt_ssl3_record: using client decoder > decrypt_ssl3_record: no decoder available > > > What is interesting is that we always see messages to some of the web > sites > but some of the other ones it never gets decrypted as if its specific to > the > site even though they are all running on the same server and the same > port > using the same certificate. > > This is an urgent issue for us so any help is greatly appreciated. > > Thanks > Al > > ssl_init keys string: > 192.168.15.30,443,http,/home/application/cert.pem > ssl_init found host entry > 192.168.15.30,443,http,/home/application/cert.pem > ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem > ssl_init private key file /home/application/cert.pem successfully loaded > association_add TCP port 443 protocol http handle 0x81e3288 > association_find: TCP port 636 found 0x86868b0 > ssl_association_remove removing TCP 636 - ldap handle 0x81f9250 > association_add TCP port 636 protocol l
Re: [Wireshark-users] tShark SSL Decryption Issue
Hi Al, There are a few common reasons for Wireshark not being able to decrypt ssl traffic. First of all, Wireshark might not be able to read the key (either it's not there or it's in the wrong format or it might be protected with a passphrase). In your logfile you have the message "ssl_init private key file /home/application/cert.pem successfully loaded" so this is not the problem you are facing. Secondly, Wireshark needs to "see" the whole SSL handshake to be able to calculate all the keys for the ssl session. If you only see ClientHello, ServerHello, ChangeCipherspec... and not ClientHello, ServerHello, Certificate, ServerHelloDone... then the ssl-session is reused and Wireshark can't decrypt it (unless the ssl-session with the full ssl handshake is also in the trace). In order to capture the whole ssl negotiation, make sure you start your capture *before* you start to communicate with the server. When you use a browser, make sure you close it, then start the capture, then start the browser and open the URL. A third reason is that many ssl clients nowadays use a cipher that uses Diffie Hellman to negotiate the secret keys. When DH is not used, the private key of the server is used as seed for the negotiation of the secret keys. The combination of the whole ssl handshake and the private key makes it possible for Wireshark to calculate the secret keys. When DH is used, random data is used in negotiating the secret keys. This prevents Wireshark from decrypting the traffic as it can't calculate the secret keys used for the encryption. Look at the Cipher Suite in the ServerHello message, if it contains DH or DHE, then this is the issue you are facing. You can configure your ssl client or ssl server to not accept DH ciphers for testing purposes. Hope this helps, Cheers, Sake On Tue, Mar 04, 2008 at 08:43:51AM -0700, Al Aghili wrote: > Hi, > Does anyone have any ideas about this? Could it have to do with the > client certificates? > Any help is appreciated as this is an urgent issue for us. > > Thanks > Al > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Robert D. > Scott > Sent: Monday, March 03, 2008 6:09 AM > To: 'Community support list for Wireshark' > Subject: Re: [Wireshark-users] tShark SSL Decryption Issue > > A little more info on the server: > Is there only 1 Web listener on a single IP and all the sights use URI > information to direct http requests to the correct web? > > The two packets you included from your debug file 1 & 18 are > "packet_from_server: is from server - FALSE". These did not come from > the IP > address you have configured in your "ssl_init keys string". > > > Robert > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Al Aghili > Sent: Friday, February 29, 2008 6:36 PM > To: wireshark-users@wireshark.org > Subject: [Wireshark-users] tShark SSL Decryption Issue > > > Hi, > We are trying to use tShark to decrypt SSL communication in our network. > We > have one web server with multiple sites on it. So we use a single > Certificate and it all works from port 443. tShark is installed on Linux > (SLUES) to be exact. We are able to see decrypted messages for some of > the > web sites on this web server but not all. When I run it in debug mode I > see > below error messages. > > decrypt_ssl3_record: using client decoder > decrypt_ssl3_record: no decoder available > > > What is interesting is that we always see messages to some of the web > sites > but some of the other ones it never gets decrypted as if its specific to > the > site even though they are all running on the same server and the same > port > using the same certificate. > > This is an urgent issue for us so any help is greatly appreciated. > > Thanks > Al > > ssl_init keys string: > 192.168.15.30,443,http,/home/application/cert.pem > ssl_init found host entry > 192.168.15.30,443,http,/home/application/cert.pem > ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem > ssl_init private key file /home/application/cert.pem successfully loaded > association_add TCP port 443 protocol http handle 0x81e3288 > association_find: TCP port 636 found 0x86868b0 > ssl_association_remove removing TCP 636 - ldap handle 0x81f9250 > association_add TCP port 636 protocol ldap handle 0x81f9250 > association_find: TCP port 993 found 0x86868e8 > ssl_association_remove removing TCP 993 - imap handle 0x81d1c18 > association_add TCP port 993 protocol imap handle 0x81d1c18 > association_find: TCP port 995 found 0x8686920 > ssl_association_remove removing TCP 995 - pop handle 0x8255678 > associa
Re: [Wireshark-users] tShark SSL Decryption Issue
Hi, Does anyone have any ideas about this? Could it have to do with the client certificates? Any help is appreciated as this is an urgent issue for us. Thanks Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert D. Scott Sent: Monday, March 03, 2008 6:09 AM To: 'Community support list for Wireshark' Subject: Re: [Wireshark-users] tShark SSL Decryption Issue A little more info on the server: Is there only 1 Web listener on a single IP and all the sights use URI information to direct http requests to the correct web? The two packets you included from your debug file 1 & 18 are "packet_from_server: is from server - FALSE". These did not come from the IP address you have configured in your "ssl_init keys string". Robert -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Aghili Sent: Friday, February 29, 2008 6:36 PM To: wireshark-users@wireshark.org Subject: [Wireshark-users] tShark SSL Decryption Issue Hi, We are trying to use tShark to decrypt SSL communication in our network. We have one web server with multiple sites on it. So we use a single Certificate and it all works from port 443. tShark is installed on Linux (SLUES) to be exact. We are able to see decrypted messages for some of the web sites on this web server but not all. When I run it in debug mode I see below error messages. decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available What is interesting is that we always see messages to some of the web sites but some of the other ones it never gets decrypted as if its specific to the site even though they are all running on the same server and the same port using the same certificate. This is an urgent issue for us so any help is greatly appreciated. Thanks Al ssl_init keys string: 192.168.15.30,443,http,/home/application/cert.pem ssl_init found host entry 192.168.15.30,443,http,/home/application/cert.pem ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem ssl_init private key file /home/application/cert.pem successfully loaded association_add TCP port 443 protocol http handle 0x81e3288 association_find: TCP port 636 found 0x86868b0 ssl_association_remove removing TCP 636 - ldap handle 0x81f9250 association_add TCP port 636 protocol ldap handle 0x81f9250 association_find: TCP port 993 found 0x86868e8 ssl_association_remove removing TCP 993 - imap handle 0x81d1c18 association_add TCP port 993 protocol imap handle 0x81d1c18 association_find: TCP port 995 found 0x8686920 ssl_association_remove removing TCP 995 - pop handle 0x8255678 association_add TCP port 995 protocol pop handle 0x8255678 dissect_ssl enter frame #10 (first time) ssl_session_init: initializing ptr 0xb48c2988 size 564 association_find: TCP port 40685 found (nil) packet_from_server: is from server - FALSE dissect_ssl server 192.168.15.30:443 dissect_ssl3_record found version 0x0301 -> state 0x10 dissect_ssl3_record: content_type 21 decrypt_ssl3_record: app_data len 22 ssl, state 0x10 association_find: TCP port 40685 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #18 (first time) ssl_session_init: initializing ptr 0xb48c2de0 size 564 association_find: TCP port 40686 found (nil) packet_from_server: is from server - FALSE dissect_ssl server 192.168.15.30:443 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 143 ssl, state 0x00 association_find: TCP port 40686 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes, remaining 148 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] tShark SSL Decryption Issue
f 50 5f 48 4f 53 54 5f 50 41 53 53 57 4f 52 44 3e 3c 4f 50 5f 48 4f 53 54 5f 50 41 53 53 57 4f 52 44 45 6e 63 72 79 70 74 3e 38 32 45 39 39 41 44 36 32 31 42 35 38 43 43 37 41 39 45 39 39 45 41 44 33 33 34 41 32 36 46 37 3c 2f 4f 50 5f 48 4f 53 54 5f 50 41 53 53 57 4f 52 44 45 6e 63 72 79 70 74 3e 3c 4f 50 5f 54 4f 4b 45 4e 3e 42 38 39 41 34 32 39 35 41 45 39 35 32 44 46 33 45 32 32 37 35 39 44 44 37 37 45 33 30 35 46 35 37 43 39 33 36 44 44 33 30 45 32 44 32 42 31 37 3c 2f 4f 50 5f 54 4f 4b 45 4e 3e 3c 4d 45 54 73 7a 42 6e 6b 4e 62 72 3e 31 36 35 3c 2f 4d 45 54 73 7a 42 6e 6b 4e 62 72 3e 3c 2f 4d 43 53 49 64 52 65 63 3e 3c 47 65 6e 43 41 50 43 6f 6e 74 72 6f 6c 52 65 63 3e 3c 43 4f 52 43 75 73 74 6f 6d 65 72 4b 65 79 3e 32 33 32 34 39 34 3c 2f 43 4f 52 43 75 73 74 6f 6d 65 72 4b 65 79 3e 3c 2f 47 65 6e 43 41 50 43 6f 6e 74 72 6f 6c 52 65 63 3e 3c 2f 53 4f 41 43 75 73 74 50 72 6f 66 52 65 63 49 6e 3e 3c 2f 5a 4d 43 53 53 4f 41 43 75 73 74 50 72 6f 66 5f 46 72 6d 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e a4 53 82 42 57 05 69 c3 c5 79 33 ea 09 61 62 dc b6 b9 9b 56 05 05 05 05 05 05 ssl_decrypt_record found padding 5 final len 834 checking mac (len 814, version 300, ct 23 seq 2) ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 814, seq = 418, nxtseq = 1232 association_find: TCP port 44327 found (nil) association_find: TCP port 443 found 0x86d1c80 dissect_ssl3_record decrypted len 814 decrypted app data fragment: http://schemas.xmlsoap.org/soap/envelope/"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="http://www.w3.org/2001/XMLSchema";> dissect_ssl3_record found association 0x86d1c80 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert D. Scott Sent: Monday, March 03, 2008 6:09 AM To: 'Community support list for Wireshark' Subject: Re: [Wireshark-users] tShark SSL Decryption Issue A little more info on the server: Is there only 1 Web listener on a single IP and all the sights use URI information to direct http requests to the correct web? The two packets you included from your debug file 1 & 18 are "packet_from_server: is from server - FALSE". These did not come from the IP address you have configured in your "ssl_init keys string". Robert -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Aghili Sent: Friday, February 29, 2008 6:36 PM To: wireshark-users@wireshark.org Subject: [Wireshark-users] tShark SSL Decryption Issue Hi, We are trying to use tShark to decrypt SSL communication in our network. We have one web server with multiple sites on it. So we use a single Certificate and it all works from port 443. tShark is installed on Linux (SLUES) to be exact. We are able to see decrypted messages for some of the web sites on this web server but not all. When I run it in debug mode I see below error messages. decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available What is interesting is that we always see messages to some of the web sites but some of the other ones it never gets decrypted as if its specific to the site even though they are all running on the same server and the same port using the same certificate. This is an urgent issue for us so any help is greatly appreciated. Thanks Al ssl_init keys string: 192.168.15.30,443,http,/home/application/cert.pem ssl_init found host entry 192.168.15.30,443,http,/home/application/cert.pem ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem ssl_init private key file /home/application/cert.pem successfully loaded association_add TCP port 443 protocol http handle 0x81e3288 association_find: TCP port 636 found 0x86868b0 ssl_association_remove removing TCP 636 - ldap handle 0x81f9250 association_add TCP port 636 protocol ldap handle 0x81f9250 association_find: TCP port 993 found 0x86868e8 ssl_association_remove removing TCP 993 - imap handle 0x81d1c18 association_add TCP port 993 protocol imap handle 0x81d1c18 association_find: TCP port 995 found 0x8686920 ssl_association_remove removing TCP 995 - pop handle 0x8255678 association_add TCP port 995 protocol pop handle 0x8255678 dissect_ssl enter frame #10 (first time) ssl_session_init: initializing ptr 0xb48c2988 size 564 association_find: TCP port 40685 found (nil) packet_from_server: is from server - FALSE dissect_ssl server 192.168.15.30:443 dissect_ssl3_record found version 0x0301 -> state 0x10 dissect_ssl3_record: content_type 21 decrypt_ssl3_record: app_data len 22 ssl, state 0x10 association_find: TCP port 40685 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #18 (first time) ssl_session_init: initializing ptr 0xb48c2de0 size 564 association_find: TCP port 40686 fo
Re: [Wireshark-users] tShark SSL Decryption Issue
A little more info on the server: Is there only 1 Web listener on a single IP and all the sights use URI information to direct http requests to the correct web? The two packets you included from your debug file 1 & 18 are "packet_from_server: is from server - FALSE". These did not come from the IP address you have configured in your "ssl_init keys string". Robert -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Aghili Sent: Friday, February 29, 2008 6:36 PM To: wireshark-users@wireshark.org Subject: [Wireshark-users] tShark SSL Decryption Issue Hi, We are trying to use tShark to decrypt SSL communication in our network. We have one web server with multiple sites on it. So we use a single Certificate and it all works from port 443. tShark is installed on Linux (SLUES) to be exact. We are able to see decrypted messages for some of the web sites on this web server but not all. When I run it in debug mode I see below error messages. decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available What is interesting is that we always see messages to some of the web sites but some of the other ones it never gets decrypted as if its specific to the site even though they are all running on the same server and the same port using the same certificate. This is an urgent issue for us so any help is greatly appreciated. Thanks Al ssl_init keys string: 192.168.15.30,443,http,/home/application/cert.pem ssl_init found host entry 192.168.15.30,443,http,/home/application/cert.pem ssl_init addr 192.168.15.30 port 443 filename /home/application/cert.pem ssl_init private key file /home/application/cert.pem successfully loaded association_add TCP port 443 protocol http handle 0x81e3288 association_find: TCP port 636 found 0x86868b0 ssl_association_remove removing TCP 636 - ldap handle 0x81f9250 association_add TCP port 636 protocol ldap handle 0x81f9250 association_find: TCP port 993 found 0x86868e8 ssl_association_remove removing TCP 993 - imap handle 0x81d1c18 association_add TCP port 993 protocol imap handle 0x81d1c18 association_find: TCP port 995 found 0x8686920 ssl_association_remove removing TCP 995 - pop handle 0x8255678 association_add TCP port 995 protocol pop handle 0x8255678 dissect_ssl enter frame #10 (first time) ssl_session_init: initializing ptr 0xb48c2988 size 564 association_find: TCP port 40685 found (nil) packet_from_server: is from server - FALSE dissect_ssl server 192.168.15.30:443 dissect_ssl3_record found version 0x0301 -> state 0x10 dissect_ssl3_record: content_type 21 decrypt_ssl3_record: app_data len 22 ssl, state 0x10 association_find: TCP port 40685 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl enter frame #18 (first time) ssl_session_init: initializing ptr 0xb48c2de0 size 564 association_find: TCP port 40686 found (nil) packet_from_server: is from server - FALSE dissect_ssl server 192.168.15.30:443 dissect_ssl3_record: content_type 22 decrypt_ssl3_record: app_data len 143 ssl, state 0x00 association_find: TCP port 40686 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 139 bytes, remaining 148 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 ___ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
