Samba4 SSL issues on debian

Tim Potter tpot at samba.org
Tue Oct 23 00:27:34 GMT 2007


On Mon, 2007-10-22 at 17:17 +1000, Andrew Bartlett wrote:

> Comparative network traces are unclear, because SSL is doing a nice job
> of encrypting the traffic.  I'll have to figure out what and how to feed
> wireshark to let it decrypt this. 

It's easy, but fiddly to get right.  Here's an excerpt from some
documentation I wrote on using wireshark to decrypt WBEM traffic over
SSL.  Hope it helps.


Tim.

Decrypting SSL traffic 

Some clients may not be able to send http traffic, so monitoring what is
going on between the client and server can be difficult to do. One
solution is to set up an SSL proxy using a man-in-the-middle program that
accepts SSL connections from the client and replays them to the server
over a separate TCP connection. If authentication using SSL certificates
is used, this technique will not work.

Alternatively, Wireshark can be configured to decode https traffic.
Firstly, capture your WBEM data using whatever means and load it into
Wireshark. As of the latest release, Wireshark doesn't understand the
WBEM protocol, so it's necessary to give it a few hints about what
format the data is. Select any packet in the packet window belonging to
the conversation between the client and the server, and from the Analyze
menu select Decode As. Select that for the TCP source (5989) transport
port, decode as SSL, then click OK. Wireshark should now display SSLv2
and TLSv1 in the protocol column.

To actually decrypt the SSL data, the RSA private key for the CIM
server, in this case Pegasus, needs to be imported. On the server
running OpenPegasus copy the /etc/Pegasus/file.pem file somewhere on the
machine running Wireshark. This file should look something like:

-----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEA5HexEdeY+kTQFFzevLSyF0QdDSQkuyzL6uTMJbb/Bm8Y8BB/
 x7ey3A9PBDpdShIVxL4sCLzwuNQDsMrCZ+V0bICXCHOTzHP1P/siYAoePgG6EiLh
 ...

(Technically, being a private key, you should not allow anyone access to
the contents of this file as it could enable impersonation of the server
the file was copied from).

To have Wireshark read this file, select Preferences from the Edit menu
and then SSL from the Protocol tree. Ensure the "Reassemble SSL records
spanning multiple TCP segments" checkbox is ticked. In the RSA key list
text box enter the IP address of the server, the server's port number
5989, a protocol (for WBEM this will be http), and the path to the RSA
private key file, separated by commas. For example, an entry in this text
box may be:

16.176.64.119,5989,http,/home/tpot/deckchair.pem

Multiple entries can be separated by semicolons. Also enter something
useful in the SSL debug file field so we can check whether things are
working or not. Click either OK or Apply to save the setting. Now, after
we have clicked OK to the above configuration changes, Wireshark will try
and decode the SSL data. Check the contents of the SSL debug file. If
there is an error like "dissect_ssl can't find private key for this
server!" then you have messed something up. For successful decryption,
there should be hex dumps and XML data appearing in the debug file.

Finally we can decrypt some actual data. On any packet in the WBEM
conversation, right click and select Follow SSL stream. A new window
should pop up and the decrypted XML request or response will be shown.
The good news is that the RSA private key will not change very often, so
once Wireshark has been configured to decrypt SSL data for a particular
host the configuration does not need to be changed.
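The entry format in the post ("ip,port,protocol,keyfile", entries separated by semicolons) is the one thing that is easy to get subtly wrong, and the "can't find private key for this server" message covers several distinct causes: a malformed entry, a key file that is missing on the Wireshark machine, or a key that is password-protected (Wireshark needs an unencrypted PEM key). Two further caveats not in the post but worth knowing before trying this today: decrypting with the server's RSA private key only works for cipher suites that use RSA key exchange, so a session negotiated with (EC)DHE forward secrecy cannot be decrypted this way and needs a key log file (SSLKEYLOGFILE) from one of the endpoints instead, and in current Wireshark releases the protocol is called TLS and the list lives under Edit > Preferences > RSA Keys. The following script is an added example, not from the post and not Wireshark code: it parses a keys list in the format described above and reports, per entry, why Wireshark would or would not be able to use it. The addresses, paths and key files are constructed for the example (the "key" files contain only PEM headers and filler, not real key material).

```python
"""Parse and sanity-check a Wireshark 'RSA keys list' string of the form
   ip,port,protocol,/path/to/key.pem[;ip,port,protocol,/path/to/other.pem]
and explain, per entry, why Wireshark might report
'can't find private key for this server'.
Added example; not Wireshark code and not from the original post.
"""
import ipaddress
import os
import tempfile


def parse_keys_list(text):
    """Split a semicolon-separated keys list into validated entries."""
    entries = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 4:
            raise ValueError("expected ip,port,protocol,keyfile: %r" % raw)
        host, port, proto, path = fields
        ipaddress.ip_address(host)  # raises ValueError on a bad address
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("bad port in %r" % raw)
        entries.append({"host": host, "port": port, "protocol": proto, "path": path})
    return entries


def classify_pem(data):
    """Tell apart the PEM private-key formats that matter for Wireshark."""
    if b"ENCRYPTED" in data:  # 'Proc-Type: 4,ENCRYPTED' or 'ENCRYPTED PRIVATE KEY'
        return "encrypted"
    if b"-----BEGIN RSA PRIVATE KEY-----" in data:
        return "pkcs1-rsa"
    if b"-----BEGIN PRIVATE KEY-----" in data:
        return "pkcs8"
    return "unknown"


def check_entry(entry):
    """Return 'ok' or a description of why Wireshark could not use this entry."""
    if not os.path.isfile(entry["path"]):
        return "key file not found: %s" % entry["path"]
    with open(entry["path"], "rb") as f:
        kind = classify_pem(f.read())
    if kind == "encrypted":
        return "key is password-protected; Wireshark needs an unencrypted PEM key"
    if kind == "unknown":
        return "not a PEM private key"
    return "ok"


# Constructed sample key files (assumption for the example): PEM headers around
# base64 filler, not real key material.
_TMP = tempfile.mkdtemp()
GOOD_KEY = os.path.join(_TMP, "server.pem")
ENC_KEY = os.path.join(_TMP, "encrypted.pem")
with open(GOOD_KEY, "wb") as f:
    f.write(b"-----BEGIN RSA PRIVATE KEY-----\nQUFBQUFBQUFB\n-----END RSA PRIVATE KEY-----\n")
with open(ENC_KEY, "wb") as f:
    f.write(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: AES-256-CBC,00\n\nQUFB\n-----END RSA PRIVATE KEY-----\n")

# Same layout as the entry in the post; the addresses are documentation-range
# addresses chosen for the example, not real servers.
KEYS_LIST = (
    "192.0.2.10,5989,http,%s;"
    "192.0.2.11,5989,http,%s;"
    "192.0.2.12,5989,http,/nonexistent/key.pem" % (GOOD_KEY, ENC_KEY)
)


def report(keys_list=KEYS_LIST):
    """Check every entry of a keys list; returns (host, status) pairs."""
    return [(e["host"], check_entry(e)) for e in parse_keys_list(keys_list)]


if __name__ == "__main__":
    for host, status in report():
        print("%-12s %s" % (host, status))
```

Run it once with the real list you intend to paste into the preference; an entry that parses and whose file is an unencrypted PEM key is the only kind Wireshark will load, and even then decryption still depends on the captured session having used RSA key exchange.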


