2013-04-04 8 views
11

Używam Wireshark 1.8.6 na Windows Server 2008 R2 i próbuję odszyfrować przychodzącą komunikację HTTPS w celu debugowania problemu, który widzę.Odszyfrowywanie ruchu HTTPS w Wireshark nie działa

Mam poprawnie skonfigurowaną listę kluczy RSA (chyba), ale Wireshark nie odszyfruje ruchu SSL z jakiegoś powodu. Zrobiłem to do pracy w przeszłości podczas debugowania wymiany z innymi systemami klienckimi, więc zastanawiam się, czy jest to coś szczególnego w używaniu TLS (tj. Czytałem, że nie można odszyfrować, używając Diffie-Hellman, ale mogę powiedzieć, czy to właśnie jest używane).

mam RSA Keys listy wpis następująco:

IP Address: 192.168.1.27 (the IP address of the server) 
Port: 7447 
Protocol: http 
Key File: set to my .pem (which I created using openssl from a .pfx containing both the public and private key). 
Password: blank because it doesn't seem to need it for a .pem (Wireshark actually throws an error if I enter one). 

W moim śladem Wireshark, widzę Klient Witam i Server Witam ale dane aplikacji nie jest rozszyfrował (prawy przycisk myszy -> Monit SSL Strumień nic nie pokazuje).

Mój protokół SSL jest wklejony poniżej - czy jest tu coś, czego mi brakuje, co powie mi, dlaczego odszyfrowywanie się nie powiodło? Widzę kilka wpisów jak ten, który mnie martwić, ale nie jestem pewien, jak je interpretować:

packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16) 
dissect_ssl3_handshake can't decrypt pre master secret 
    record: offset = 267, reported_length_remaining = 59 

SSL Log:

ssl_association_remove removing TCP 7447 - http handle 00000000041057D0 
Private key imported: KeyID 02:bb:83:4f:80:cf:39:59:39:cd:74:ab:b4:4b:c7:20:... 
ssl_load_key: swapping p and q parameters and recomputing u 
ssl_init IPv4 addr '192.168.1.27' (192.168.1.27) port '7447' filename 'C:\Users\username\Desktop\Certs\server_cert.pem.pem' password(only for p12 file) '' 
ssl_init private key file C:\Users\username\Desktop\Certs\server_cert.pem.pem successfully loaded. 
association_add TCP port 7447 protocol http handle 00000000041057D0 

dissect_ssl enter frame #2968 (first time) 
ssl_session_init: initializing ptr 0000000006005E40 size 680 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 123 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 118, ssl state 0x00 
association_find: TCP port 59050 found 0000000000000000 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 
packet_from_server: is from server - FALSE 
ssl_find_private_key server 192.168.1.27:7447 
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 

dissect_ssl enter frame #2971 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 326 
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 262, ssl state 0x11 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16) 
dissect_ssl3_handshake can't decrypt pre master secret 
    record: offset = 267, reported_length_remaining = 59 
dissect_ssl3_record: content_type 20 Change Cipher Spec 
dissect_ssl3_change_cipher_spec 
packet_from_server: is from server - FALSE 
ssl_change_cipher CLIENT 
    record: offset = 273, reported_length_remaining = 53 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 48, ssl state 0x11 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326 

dissect_ssl enter frame #2972 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 59 
dissect_ssl3_record: content_type 20 Change Cipher Spec 
dissect_ssl3_change_cipher_spec 
packet_from_server: is from server - TRUE 
ssl_change_cipher SERVER 
    record: offset = 6, reported_length_remaining = 53 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 48, ssl state 0x11 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 8 offset 11 length 5212462 bytes, remaining 59 

dissect_ssl enter frame #2973 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 277 
dissect_ssl3_record: content_type 23 Application Data 
decrypt_ssl3_record: app_data len 272, ssl state 0x11 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #2990 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 53 
dissect_ssl3_record: content_type 23 Application Data 
decrypt_ssl3_record: app_data len 48, ssl state 0x11 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #2991 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 1380 
    need_desegmentation: offset = 0, reported_length_remaining = 1380 

dissect_ssl enter frame #2999 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 8565 
dissect_ssl3_record: content_type 23 Application Data 
decrypt_ssl3_record: app_data len 8560, ssl state 0x11 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #3805 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 389 
dissect_ssl3_record: content_type 23 Application Data 
decrypt_ssl3_record: app_data len 384, ssl state 0x11 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #3807 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 53 
dissect_ssl3_record: content_type 23 Application Data 
decrypt_ssl3_record: app_data len 48, ssl state 0x11 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #3808 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 1380 
    need_desegmentation: offset = 0, reported_length_remaining = 1380 

dissect_ssl enter frame #3815 (first time) 
    conversation = 00000000060056C0, ssl_session = 0000000006005E40 
    record: offset = 0, reported_length_remaining = 8469 
dissect_ssl3_record: content_type 23 Application Data 
decrypt_ssl3_record: app_data len 8464, ssl state 0x11 
packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder 
decrypt_ssl3_record: no decoder available 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #2968 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 123 
dissect_ssl3_record: content_type 22 Handshake 
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

dissect_ssl enter frame #2971 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 326 
dissect_ssl3_record: content_type 22 Handshake 
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
    record: offset = 267, reported_length_remaining = 59 
dissect_ssl3_record: content_type 20 Change Cipher Spec 
dissect_ssl3_change_cipher_spec 
    record: offset = 273, reported_length_remaining = 53 
dissect_ssl3_record: content_type 22 Handshake 
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326 

dissect_ssl enter frame #2973 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 277 
dissect_ssl3_record: content_type 23 Application Data 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #2999 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 8565 
dissect_ssl3_record: content_type 23 Application Data 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #3805 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 389 
dissect_ssl3_record: content_type 23 Application Data 
association_find: TCP port 59050 found 0000000000000000 
association_find: TCP port 7447 found 0000000004FCF520 

dissect_ssl enter frame #2968 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 123 
dissect_ssl3_record: content_type 22 Handshake 
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

dissect_ssl enter frame #2968 (already visited) 
    conversation = 00000000060056C0, ssl_session = 0000000000000000 
    record: offset = 0, reported_length_remaining = 123 
dissect_ssl3_record: content_type 22 Handshake 
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 
+0

Jeśli dopiero pracę z HTTP/HTTPS rozważyć Charles Proxy, znacznie bardziej przyjazny dla użytkownika! – zaph

Odpowiedz

9

ssl_decrypt_pre_master_secret wymiany klucza 0 różni się od KEX_RSA (16)

wygląda na to, że używasz pakietu DHE szyfr (przynajmniej nie szyfr apartament z RSA wymiany klucza), która zapewni Perfect Forward Secr ecy i zapobiegaj odszyfrowywaniu tych pakietów, nawet jeśli masz prywatny klucz.

Możesz być zainteresowany:

Jeśli jest to do debugowania, spróbuj wyłączyć DHE szyfrów.

Powinieneś być w stanie zobaczyć, jakiego zestawu algorytmów szyfrowania używasz, przeglądając pakiet Server Hello w Wireshark.


Nowsze wersje mogą również korzystać z tajemnicy pre-master bezpośrednio (czytaj "Używanie (pre) -Master-Tajny" odcinek Wireshark wiki SSL page). Jest to również coś, co możesz uzyskać od strony klienta również w niektórych przypadkach. Tak czy inaczej, aby to zadziałało, musisz zdobyć sekret pre-master od jednej z dwóch stron. Oto kilka linków z tej części wiki Wireshark:

+0

Na moim serwerze Witam widzę Pakiet szyfrowania: TLS_RSA_WITH_AES_128_CBC_SHA, ale jest też pakiet zmiany specyfikacji szyfrowania, który jest wysyłany od klienta i nie mogę stwierdzić, który szyfr chce. – js80

+0

Mimo że nigdy nie udało mi się ustalić dokładnego renegocjowanego szyfru, wydaje się, że problem jest związany z wykorzystywanym szyfrem. Serwer, na którym używam Wireshark on, jest w rzeczywistości odwrotnym proxy, które przesyła żądania do serwera treści za pośrednictwem HTTPS. Kiedy uruchamiam wireshark na serwerze treści, jestem w stanie odszyfrować grzywnę w ruchu. Dlatego myślę, że problem jest związany z szyframi wybranymi między moim odwrotnym proxy a łączącym się z nim systemem klienta. – js80

+0

@bruno, czy mógłbyś rzucić okiem na moje pytanie: http://stackoverflow.com/questions/41227491/non-rsa-tls1-2-packet-decryption –