
I currently have problems decrypting IMAPS traffic in Wireshark. I set up the SSL key with the correct IP address, port 993 and protocol imap. The key is the correct one.

That is what I see in the SSL log:

dissect_ssl enter frame #136 (already visited)
  conversation = 0x7fdb633e83f8, ssl_session = (nil)
  record: offset = 0, reported_length_remaining = 229
dissect_ssl3_record: content_type 23
association_find: TCP port 59182 found (nil)
association_find: TCP port 993 found 0x7fdb77125e80

Also, Wireshark shows me in the TLSv1 packets that there should now be IMAP data, but I can't see anything when I do "Follow SSL Stream".

The SSL packet looks like this:

0000  00 00 ff ff 00 00 00 00  00 00 00 00 00 00 08 00   ........ ........
0010  45 00 00 89 40 41 40 00  40 06 91 04 0a 2a 2a 6f   E...@A@. @....**o
0020  0a 2a 2a 67 e7 2e 03 e1  21 f5 32 a6 c9 f9 82 f5   .**g.... !.2.....
0030  80 18 00 b6 a7 fb 00 00  01 01 08 0a c2 d2 70 e0   ........ ......p.
0040  c2 d2 70 e0 17 03 01 00  50 76 ee bc d7 bb 0d ec   ..p..... Pv......
0050  f0 0d 92 1f 1a 26 77 c9  bd f6 8e 63 1f f7 57 43   .....&w. ...c..WC
0060  a7 96 80 df 48 0e 57 a5  7b e0 6b 6b 2a bd 56 0d   ....H.W. {.kk*.V.
0070  84 dd 45 df 33 1b 36 e5  85 fa 75 d6 5c f7 1d f3   ..E.3.6. ..u.\...
0080  dc 70 ec e1 17 53 a9 40  d9 7f 61 56 8a 86 df 13   .p...S.@ ..aV....
0090  a1 51 24 db bc 8b 39 2b  96                        .Q$...9+ .       

So it's TLS 1.0 and 80 bytes of data, but I can't read it decrypted. What's wrong? I successfully viewed HTTPS traffic with Wireshark...

reox

2 Answers


You can't decrypt Ephemeral Diffie-Hellman (DHE) with only the private key. See these links:

Bruno

@reox. If it's just for testing purposes, you might be able to turn off the DHE cipher suites in your client. For example, in Thunderbird: Preferences -> Advanced -> General -> Config Editor, then filter using `security.ssl3.*` (this should apply to SSLv3 as well as TLSv1), you can toggle them on/off. In real use, it's actually a good thing to have perfect forward secrecy, so I'd leave them enabled. – Bruno Feb 15 '12 at 10:31

After some research I found out that TLS_DHE_RSA_WITH_AES_256_CBC_SHA is used as the cipher. According to this: http://www.wireshark.org/lists/wireshark-users/200802/msg00182.html it's obviously impossible to decrypt DH...

reox
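As an added example (not code from the question or either answer), the Python below walks the hex dump in the question to the TLS record header, confirming the "content_type 23", TLS 1.0 and 80-byte figures, and then checks a negotiated cipher suite name, such as the TLS_DHE_RSA_WITH_AES_256_CBC_SHA named above, for whether server-private-key decryption is possible at all. It assumes the 16 bytes before the IPv4 header are a Linux cooked capture (SLL) header, which is what the dump looks like; the cipher-suite name rule is mine, not Wireshark's.

```python
import struct

# Frame from the question's hex dump: assumed 16-byte Linux cooked (SLL) header,
# then IPv4, TCP and one TLS record. Copied from the page, one dump row per string.
FRAME = bytes.fromhex(
    "0000ffff000000000000000000000800"
    "4500008940414000400691040a2a2a6f"
    "0a2a2a67e72e03e121f532a6c9f982f5"
    "801800b6a7fb00000101080ac2d270e0"
    "c2d270e0170301005076eebcd7bb0dec"
    "f00d921f1a2677c9bdf68e631ff75743"
    "a79680df480e57a57be06b6b2abd560d"
    "84dd45df331b36e585fa75d65cf71df3"
    "dc70ece11753a940d97f61568a86df13"
    "a15124dbbc8b392b96"
)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def locate_tls_record(frame: bytes) -> dict:
    """Walk SLL -> IPv4 -> TCP and decode the 5-byte TLS record header that follows."""
    if struct.unpack("!H", frame[14:16])[0] != 0x0800:   # SLL protocol field
        raise ValueError("not an IPv4 frame")
    ip = frame[16:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header and options
    ctype, ver, length = struct.unpack("!BHH", payload[:5])
    return {
        "src_port": sport, "dst_port": dport,
        "content_type": ctype, "content": CONTENT_TYPES.get(ctype, "unknown"),
        "version": VERSIONS.get(ver, hex(ver)), "length": length,
        "complete": len(payload) == 5 + length,           # whole record in this segment?
    }

def server_key_can_decrypt(suite_name: str) -> bool:
    """Wireshark's RSA-private-key decryption needs the premaster secret to be
    encrypted to the server key, i.e. plain RSA key exchange. DHE/ECDHE suites
    derive it from ephemeral keys, so the private key alone cannot recover it."""
    kx = suite_name[len("TLS_"):suite_name.index("_WITH_")]
    return kx == "RSA"

if __name__ == "__main__":
    print(locate_tls_record(FRAME))   # application_data, TLS 1.0, 80 bytes, to port 993
    for suite in ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"):
        print(suite, "decryptable with server key:", server_key_can_decrypt(suite))
```

Checking the ServerHello in the capture for the negotiated suite before blaming the key or the port mapping saves a lot of time: if the suite is DHE or ECDHE, no amount of Wireshark configuration will help.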