I don't think Wireshark will be able to decrypt any packet without the
appropriate keys. I can already capture packets using wireshark or with any
application that uses winpcap, but the problem is decrypting them in order
to see what the application is really talking to the server. And the keys I
retrieved as I explained before isn't working. So I didn't understand what
you meant with wireshark, can you specify?
Michael S. Zick-4 wrote:
>
> On Mon December 20 2010, Yigit wrote:
>>
>> Hello all,
>> I have seen one or two related previous subjects but they didn't solve my
>> problem. So I am posting a new one.
>>
>> There is an application on my computer which connects to a server using
>> openssl. I have to see their traffic which means either I decrypt all
>> sniffed packets or I print all decrypted packets to a file inside
>> openssl.
>>
>
> Or: Wireshark
> Just ask Google, they know wireshark
>
> Mike
>> The application uses SSLv3 (method version : 768). And it almost always
>> uses
>> the cipher suite TLS-DHE-RSA-AES-256-CBC-SHA.
>>
>> Now, I have edited the ssl3_setup_key_block function in s3_enc.c file. At
>> the end of the function, I print the master key, key block, client random
>> and server random to a file. I retrieve those by calling;
>> Master key : s->s3->master_key (with the length of
>> s->s3->master_key_length
>> which is naturally 48 bytes),
>> Key Block : s->s3->tmp.key_block,
>> Client Random : s->s3->client_random,
>> Server Random : s->s3->server_random
>>
>> I recompile openssl package with this and replace the dll which the
>> application uses and it prints these to the file.
>>
>> Now, as far as I know, the key block must have a structure like;
>> {
>> Client Write MAC Secret (20 bytes for this cipher suite)
>> Server Write MAC Secret (20 bytes)
>> Client Write Secret (32 bytes)
>> Server Write Secret (32 bytes)
>> Client Write IV (16 bytes)
>> Server Write IV (16 bytes)
>> }
>>
>> However, whatever I tried, I couldn't successfully decrypt any packet
>> with
>> the keys and IV's I got from this key block. It gives no meaningful
>> output.
>> By the way, I start decrypting packets discarding the first 5 bytes which
>> are; 17h (Content Type : Application data), 03h 00h (Version : SSLv3) XX
>> XX
>> (Length of message in bytes). In addition, again as far as I know, any
>> decrypted packet must have the structure of :
>> {
>> Plain Text (since there is no compression used),
>> MAC Field,
>> Padding,
>> Padding Length
>> }
>> And I couldn't see anything that seemed like padding and padding-length
>> from
>> my decryptions, so I can deduce that the keys or IVs I use are definitely
>> false ones, unless my decryption method is bugged. I use a 3rd party
>> library
>> to decrypt aes256 and I wrote the code to apply the cbc mode myself, but
>> I
>> am pretty sure there are no mistakes there.
>>
>> Now, http://www.ietf.org/rfc/rfc2246.txt explains how to calculate the
>> key
>> block from master key, client random and master random. So when I
>> calculate
>> the key block from these variables, the resulting key block is different
>> from the one printed on the file. And I think it suggests I am doing
>> something fundamentally wrong. And the decryptions which are performed by
>> this "calculated key block" also produce meaningless outputs.
>>
>> http://www.ietf.org/rfc/rfc2246.txt also says, for "exportable" cipher
>> suites, client write secrets and server write secrets need another
>> operation
>> in order to obtain final write keys. Now, I don't know what "exportable"
>> means in this case and although I think this cipher suite is not
>> exportable,
>> I produced final write secrets from write secrets accordingly. And
>> decryptions using these are also resulted with failure.
>>
>> Alternatively, I edited the SSL_write and SSL_read functions to print
>> decrypted or unencrypted packets to another file. But it always prints
>> "�òS^#cYJC". So I am stuck there too.
>>
>> If anyone sees what my flaw is, what I am doing wrong and what I should
>> do,
>> I will appreciate the help.
>>
>> Best regards, thanks in advance,
>> Yigit
>>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
>
--
View this message in context:
http://old.nabble.com/Decrypting-SSL-packets-with-the-keys-retrieved-from-openssl-tp30498813p30499457.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
