TOPIC: 3DES with SHA cipher suite decryption fails

3DES with SHA cipher suite decryption fails 16 years 2 months ago #163

I am using an Apache SSL server; the server is configured to use only the 3DES with SHA cipher suite. I am not able to decrypt the SSL packets with this cipher suite. When using RC4 with MD5 it is working. How do I make Unsniff decrypt the packets using the 3DES with SHA cipher suite? It is SSL V3.

Regards,
C.Ashokkumar

Re:3DES with SHA cipher suite decryption fails 16 years 2 months ago #164

  • netscript
Hi Ashok,

1. Open the log window View->Log Window

2. Enable Info logging level Tools->Customize->Advanced->Logging and set the API Trace Level to Info

3. Now try to decrypt. What does it say in the log window?


3DES/SHA is supported but not if the key exchange is Diffie Hellman Ephemeral (DHE).


Vivek Rajan
Unleash Networks

Re:3DES with SHA cipher suite decryption fails 16 years 2 months ago #165

Logs from unsniff:

To brief:
1. The SSL is V3 and uses cert request for getting the client certificate.
2. Initial handshake itself carries the certificate request from the server.
3. All the pages are client authenticated.
4. IE 6.0 is used as a client.
5. Apache server is used and settings are in such a way that all pages are client authenticated. It never uses HelloRequest type of handshake.


! 01-30-2008 14:07:53 00000f4c 010b8418 XML Plugin C:\Program Files\Unleash Networks\Unsniff\xmlplugs\T35CountryCodes.xml : Skipping non-protocol plugin, no <USNFProtocol> tag
! 01-30-2008 14:07:53 00000fe0 00000000 IntelliDNS Started & Waiting for Requests
! 01-30-2008 14:07:59 00000f4c 010b8418 [?UNK?] XML ID: Using XML document from URI C:\Program Files\Unleash Networks\Unsniff\xmlplugs\X509v3.xml
! 01-30-2008 14:07:59 00000f4c 010b8418 Found 1 adapters
! 01-30-2008 14:07:59 00000f4c 010b8418 Choosing 0 as active adapter
! 01-30-2008 14:07:59 00000f4c 010b8418 Created new capture file
! 01-30-2008 14:08:01 00000f4c 010e3840 Started capture on selected interface
! 01-30-2008 14:08:01 00000f4c 010e3840 Unsniff will flush a copy of all packets to log/TRCTCPD.9404390
! 01-30-2008 14:08:01 00000f50 00000000 Staring capture from \Device\NPF_{C25E0E1E-31F2-458C-A6AD-92726EBFBE0C}
+ 01-30-2008 14:08:04 00000f4c 010e3840 [TLS] XML Fld: XML URI tls.xml not found in C:\Program Files\Unleash Networks\Unsniff, will search elsewhere
+ 01-30-2008 14:08:04 00000f4c 010e3840 [TLS] [0x8004040d] XML Fld Def: XML URI tls.xml, not found in C:\Documents and Settings\user\Application Data\Unleash Networks\Unsniff\Cfg\tls.xml
! 01-30-2008 14:08:04 00000f4c 010e3840 [TLS] XML Fld Def: Using XML document from dir C:\Program Files\Unleash Networks\Unsniff\Cfg\tls.xml
! 01-30-2008 14:08:04 00000f4c 010e3840 [PLUG] Perf: Time to load field defs from XML [0 sec: 44352 usec]
+ 01-30-2008 14:08:06 00000f4c 010e3840 [TLS] Security parameters not available for decryption
! 01-30-2008 14:08:07 00000f4c 010e3840 nTotal = 7856, nTotalConv = 7672, bps = 20456
! 01-30-2008 14:08:07 00000f4c 010e3840 nTotal = 7856, nTotalConv = 184, bps = 488
! 01-30-2008 14:08:10 00000f4c 010e3840 nTotal = 277878, nTotalConv = 277786, bps = 740760
! 01-30-2008 14:08:10 00000f4c 010e3840 nTotal = 277878, nTotalConv = 92, bps = 240

Re:3DES with SHA cipher suite decryption fails 16 years 2 months ago #168

  • netscript
Ashok,

2. Initial handshake itself carries the certificate request from the server.


Switch to the PDU sheet; this will contain all the reassembled SSL records. In the first few records, you ought to see a Server Hello message. What is the ciphersuite in that message?

The message will be of the form "Server Hello TLS 1.0, select cipiher TLS_RSA_WITH_3DES_EDE_CBC_SHA, sess ..."

Vivek Rajan
Unleash Networks
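
Added example (not part of the original thread and not Unsniff code): a small Python parser that pulls the selected cipher suite out of a ServerHello record and reports whether the key exchange is plain RSA, the case where a passive tool holding the server's RSA private key can recover the premaster secret, or DHE, where the private key only signs the ephemeral parameters. The function names and the sample records are constructed for illustration, and the parser assumes the ServerHello is the first message in a single, unfragmented handshake record.

```python
import struct

# IANA cipher suite code points (small subset relevant to this thread).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

def build_server_hello(suite, version=(3, 0), session_id=b""):
    """Construct a sample ServerHello record (test data, not a capture)."""
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0)      # cipher suite, null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def selected_suite(record):
    """Return (suite name, key exchange, decryptable with server RSA key)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("first handshake message is not ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # version (2 bytes) + random (32 bytes) precede the session id length
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                       # skip variable-length session id
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    (code,) = struct.unpack("!H", body[off:off + 2])
    name = SUITES.get(code, "UNKNOWN_0x%04X" % code)
    # Key exchange is the part of the name between "TLS_" and "_WITH_".
    kx = name[4:].split("_WITH_")[0] if "_WITH_" in name else "UNKNOWN"
    return name, kx, kx == "RSA"

if __name__ == "__main__":
    for code in (0x0004, 0x000A, 0x0016):
        print(selected_suite(build_server_hello(code)))
```
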