在Wireshark中解密HTTPS流量无法正常工作

Question

我正在Windows Server 2008 R2上运行Wireshark 1.8.6并尝试解密传入的HTTPS通信，以便调试我看到的问题。

我已正确设置RSA密钥列表（我认为）但Wireshark不会出于某种原因解密SSL流量。我在过去调试与其他客户端系统的交换时已经开始工作了，所以我想知道这是否与这里使用的TLS有关（即我已经读过如果使用Diffie-Hellman你不能解密但我可以不知道这是不是正在使用的东西。

我的RSA密钥列表条目如下：

IP Address: 192.168.1.27 (the IP address of the server)
Port: 7447
Protocol: http
Key File: set to my .pem (which I created using openssl from a .pfx containing both the public and private key).
Password: blank because it doesn't seem to need it for a .pem (Wireshark actually throws an error if I enter one).

在我的Wireshark跟踪中，我可以看到客户端Hello和服务器Hello，但是应用程序数据没有被解密（右键单击 - ＆gt;跟踪SSL流没有显示任何内容）。

我的SSL日志粘贴在下面 - 这里有什么我想念的东西会告诉我解密失败的原因吗？我看到一些这样的条目令我担心，但我不确定如何解释它们：

packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 267, reported_length_remaining = 59

SSL日志：

ssl_association_remove removing TCP 7447 - http handle 00000000041057D0
Private key imported: KeyID 02:bb:83:4f:80:cf:39:59:39:cd:74:ab:b4:4b:c7:20:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '192.168.1.27' (192.168.1.27) port '7447' filename 'C:\Users\username\Desktop\Certs\server_cert.pem.pem' password(only for p12 file) ''
ssl_init private key file C:\Users\username\Desktop\Certs\server_cert.pem.pem successfully loaded.
association_add TCP port 7447 protocol http handle 00000000041057D0

dissect_ssl enter frame #2968 (first time)
ssl_session_init: initializing ptr 0000000006005E40 size 680
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 118, ssl state 0x00
association_find: TCP port 59050 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 
packet_from_server: is from server - FALSE
ssl_find_private_key server 192.168.1.27:7447
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #2971 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_decrypt_pre_master_secret key exchange 0 different from KEX_RSA (16)
dissect_ssl3_handshake can't decrypt pre master secret
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326 

dissect_ssl enter frame #2972 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 8 offset 11 length 5212462 bytes, remaining 59 

dissect_ssl enter frame #2973 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 277
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 272, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2990 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2991 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 1380
  need_desegmentation: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #2999 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 8565
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 8560, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3805 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 384, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3807 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3808 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 1380
  need_desegmentation: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #3815 (first time)
  conversation = 00000000060056C0, ssl_session = 0000000006005E40
  record: offset = 0, reported_length_remaining = 8469
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 8464, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2968 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

dissect_ssl enter frame #2971 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 166 offset 278 length 4253081 bytes, remaining 326 

dissect_ssl enter frame #2973 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 277
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2999 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 8565
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #3805 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 59050 found 0000000000000000
association_find: TCP port 7447 found 0000000004FCF520

dissect_ssl enter frame #2968 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

dissect_ssl enter frame #2968 (already visited)
  conversation = 00000000060056C0, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 123
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 114 bytes, remaining 123 

Answer 1

  

ssl_decrypt_pre_master_secret密钥交换0与KEX_RSA不同（16）

看起来您正在使用DHE密码套件（至少不是具有RSA密钥交换的密码套件），它将提供 Perfect Forward Secrecy 并阻止这些数据包的解密，即使你有私钥。

您可能对以下内容感兴趣：

• This Security.SE question
• SSL/TLS & Perfect Forward Secrecy by Vincent Bernat

如果这是用于调试，请尝试关闭DHE密码套件。

您应该可以通过查看Wireshark中的Server Hello数据包来查看您正在使用的密码套件。

---

较新的版本也可以直接使用预主密钥（读取“{em>使用Wireshark wiki SSL page的（Pre）-Master-Secret ”部分）。在某些情况下，这也是您可以从客户端获得的。无论哪种方式，为了使其工作，您需要从双方中的一方获得预主秘密。以下是Wireshark维基部分的几个链接：

• Ask.Wireshark: Follow SSL stream using Master-key and Session-ID
• Security.SE: Decrypting TLS in Wireshark when using DHE_RSA ciphersuites