Расшифровки HTTPS-трафика в Wireshark не работает
я запускаю Wireshark 1.8.6 на Windows Server 2008 R2 и пытаюсь расшифровать входящую связь HTTPS, чтобы отладить проблему, которую я вижу.
у меня есть список ключей RSA, настроенный правильно (я думаю), но Wireshark по какой-то причине не расшифрует трафик SSL. Я получил это, чтобы работать в прошлом при отладке обменов с другими клиентскими системами, поэтому мне интересно, если это что-то конкретное с использованием TLS здесь (т. е. я прочитал, что вы не можете расшифровать, если используя Диффи-Хеллмана, но я не могу сказать, используется ли это).
у меня есть запись списка ключей RSA следующим образом:
IP Address: 192.168.1.27 (the IP address of the server)
Port: 7447
Protocol: http
Key File: set to my .pem (which I created using openssl from a .pfx containing both the public and private key).
Password: blank because it doesn't seem to need it for a .pem (Wireshark actually throws an error if I enter one).
в моей трассировке Wireshark я вижу клиент Hello и сервер Hello, но данные приложения не дешифруются (правый клик -> следовать потоку SSL ничего не показывает).
мой журнал SSL вставлен ниже - есть ли что-то здесь, что мне не хватает, что скажет мне, почему дешифрование не удается? Я вижу несколько таких записей, которые беспокоят я, но я не уверен, как их интерпретировать:
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 267, reported_length_remaining = 59
журнал SSL:
ssl_association_remove removing TCP 7447 - http handle 00000000041057D0
Private key imported: KeyID 02:bb:83:4f:80:cf:39:59:39:cd:74:ab:b4:4b:c7:20:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.1.27' (192.168.1.27) port '7447' filename 'C:UsersusernameDesktopCertsserver_cert.pem.pem' password(only for p12 file) ''
ssl_init private key file C:UsersusernameDesktopCertsserver_cert.pem.pem successfully loaded.
association_add TCP port 7447 protocol http handle 00000000041057D0
dissect_ssl enter frame #2968 (first time)
ssl_session_init: initializing ptr 0000000006005E40 size 680
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 118, ssl state 0x00
association_find: TCP port 59050 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.1.27:7447
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #2971 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326
dissect_ssl enter frame #2972 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 8 offset 11 length 5212462 bytes, remaining 59
dissect_ssl enter frame #2973 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 277
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 272, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #2990 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #2991 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 1380
need_desegmentation: offset = 0, reported_length_remaining = 1380
dissect_ssl enter frame #2999 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 8565
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 8560, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #3805 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 384, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #3807 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #3808 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 1380
need_desegmentation: offset = 0, reported_length_remaining = 1380
dissect_ssl enter frame #3815 (first time)
conversation = 00000000060056C0, ssl_session = 0000000006005E40
record: offset = 0, reported_length_remaining = 8469
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 8464, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #2968 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123
dissect_ssl enter frame #2971 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326
dissect_ssl enter frame #2973 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 277
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #2999 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 8565
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #3805 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520
dissect_ssl enter frame #2968 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123
dissect_ssl enter frame #2968 (already visited)
conversation = 00000000060056C0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123
1 ответов
ssl_decrypt_pre_master_secret обмен ключами 0 отличается от KEX_RSA (16)
похоже, вы используете набор шифров DHE (по крайней мере, не набор шифров с обменом ключами RSA), который обеспечит Совершенная Прямая Секретность и предотвратить расшифровку этих пакетов, даже если у вас есть закрытый ключ.
вас может заинтересовать:
Если это для отладки, попробуйте отключить наборы шифров DHE.
вы должны быть в состоянии, чтобы увидеть, какой набор Вы используете, глядя в Server Hello пакетов в Wireshark.
более новые версии могут также использовать секрет пре-мастера сразу (прочитанный"использование (Pre)-Master-Secret" раздел Wireshark wiki SSL страница). Это то, что вы можете получить со стороны клиента тоже в некоторых случаях. В любом случае, чтобы это сработало, вам нужно получить секрет pre-master от одной из двух сторон. Вот несколько ссылок из этого раздела Wireshark wiki: