在 Wireshark 中解密 HTTPS 流量不起作用

【问题标题】:Decrypting HTTPS traffic in Wireshark not working在 Wireshark 中解密 HTTPS 流量不起作用
【发布时间】:2013-03-26 18:01:43
【问题描述】:

我在 Windows Server 2008 R2 上运行 Wireshark 1.8.6 并尝试解密传入的 HTTPS 通信以调试我看到的问题。

我的 RSA 密钥列表设置正确(我认为),但 Wireshark 出于某种原因不会解密 SSL 流量。过去在调试与其他客户端系统的交换时,我已经让它工作了,所以我想知道它是否与这里使用的 TLS 相关(即我已经读到如果使用 Diffie-Hellman 你无法解密,但我可以'不知道这是否是正在使用的)。

我的 RSA 密钥列表条目如下:

IP Address: 192.168.1.27 (the IP address of the server)
Port: 7447
Protocol: http
Key File: set to my .pem (which I created using openssl from a .pfx containing both the public and private key).
Password: blank because it doesn't seem to need it for a .pem (Wireshark actually throws an error if I enter one).

在我的 Wireshark 跟踪中,我可以看到 Client Hello 和 Server Hello,但应用程序数据没有被解密(右键单击 -> Follow SSL Stream 没有显示任何内容)。

我的 SSL 日志粘贴在下面——这里有没有我遗漏的东西可以告诉我为什么解密失败?我看到一些这样的条目让我担心,但我不知道如何解释它们:

packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 267, reported_length_remaining = 59

SSL 日志:

ssl_association_remove removing TCP 7447 - http handle 00000000041057D0
Private key imported: KeyID 02:bb:83:4f:80:cf:39:59:39:cd:74:ab:b4:4b:c7:20:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.1.27' (192.168.1.27) port '7447' filename 'C:\Users\username\Desktop\Certs\server_cert.pem.pem' password(only for p12 file) ''
ssl_init private key file C:\Users\username\Desktop\Certs\server_cert.pem.pem successfully loaded.
association_add TCP port 7447 protocol http handle 00000000041057D0

dissect_ssl enter frame #2968 (first time)
ssl_session_init: initializing ptr 0000000006005E40 size 680
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 118, ssl state 0x00
association_find: TCP port 59050 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.1.27:7447
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #2971 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326 

dissect_ssl enter frame #2972 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 8 offset 11 length 5212462 bytes, remaining 59 

dissect_ssl enter frame #2973 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 277
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 272, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2990 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2991 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 1380
  need_desegmentation: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #2999 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 8565
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 8560, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3805 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 384, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3807 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3808 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 1380
  need_desegmentation: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #3815 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 8469
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 8464, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2968 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

dissect_ssl enter frame #2971 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326 

dissect_ssl enter frame #2973 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 277
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2999 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 8565
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3805 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2968 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

dissect_ssl enter frame #2968 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123

【问题讨论】:

  • 如果您只是使用 HTTP/HTTPS,请考虑使用 Charles Proxy,对用户更友好!

标签: ssl https wireshark encryption


【解决方案1】:

ssl_decrypt_pre_master_secret 密钥交换 0 不同于 KEX_RSA (16)

看起来您正在使用 DHE 密码套件(至少不是具有 RSA 密钥交换的密码套件),它将提供完美的前向保密并防止解密这些数据包,即使你有私钥。

您可能对以下内容感兴趣:

如果这是为了调试,请尝试关闭 DHE 密码套件。

您应该能够通过查看 Wireshark 中的 Server Hello 数据包来了解您正在使用哪个密码套件。

较新的版本也可以直接使用 pre-master secret(阅读 Wireshark wiki SSL page 的“使用 (Pre)-Master-Secret”部分)。在某些情况下,这也是您可以从客户端获得的东西。无论哪种方式,要使其正常工作,您都需要从两方之一获取预主密钥。以下是 Wireshark wiki 该部分的几个链接:

【讨论】:

  • 在我的 Server Hello 中,我看到 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA 但是客户端发送了一个 Change Cipher Spec 数据包,我不知道它想要哪个密码。
  • 虽然我无法确定重新协商的确切密码,但问题似乎与使用的密码有关。我使用 Wireshark 的服务器实际上是一个反向代理,它通过 HTTPS 将请求转发到内容服务器。当我在内容服务器上运行 wireshark 时,我可以很好地解密流量。因此,我认为这个问题与我的反向代理和连接到它的客户端系统之间选择的密码有关。
  • @bruno 你能看看我的问题吗:stackoverflow.com/questions/41227491/…
猜你喜欢
  • 2018-04-15
  • 2017-09-18
  • 2022-10-17
  • 2017-09-23
  • 2021-03-15
  • 2016-04-03
  • 1970-01-01
  • 1970-01-01
  • 2015-07-22
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode