Change Cipher Spec is retransmitted. SSL Decryption fails.

1

Hello, I have the following case: I am trying to decrypt the communication between a client and a web server. I have the private key and I have set up Wireshark correctly, since I am able to decrypt most of the traffic. However, I face the following issue: messages from client to server are not decrypted, while messages from server to client are decrypted correctly. I observed the following: when the client sends the Change Cipher Spec message to the server, initially this message reports as Finished. Immediately this message is retransmitted and reports Encrypted Handshake Message.

"18749","11:58:13.246703000","170.186.153.151","167.16.161.16","TLSv1","163","Client Hello"
"18750","11:58:13.246718000","170.186.153.151","167.16.161.16","TLSv1","163","[TCP Retransmission] Client Hello"
"18758","11:58:13.247513000","167.16.161.16","170.186.153.151","TLSv1","187","Server Hello, Change Cipher Spec, Finished"
"18759","11:58:13.248696000","170.186.153.151","167.16.161.16","TLSv1","101","Change Cipher Spec, Finished"
"18760","11:58:13.248707000","170.186.153.151","167.16.161.16","TLSv1","101","[TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message"
"18762","11:58:13.252905000","170.186.153.151","167.16.161.16","TLSv1","622","Application Data"
"18763","11:58:13.252952000","170.186.153.151","167.16.161.16","TLSv1","622","[TCP Retransmission] Application Data"
"18766","11:58:13.253584000","167.16.161.16","170.186.153.151","TCP","60","https > 60406 [ACK] Seq=1784558668 Ack=207907348 Win=64245 Len=0"
"18777","11:58:13.259411000","167.16.161.16","170.186.153.151","TCP","1434","[TCP segment of a reassembled PDU]"
"18778","11:58:13.259473000","167.16.161.16","170.186.153.151","HTTP","820","HTTP/1.1 200 OK  (GIF89a) (GIF89a) (image/gif)"

I think that this may cause my problems. Can you please provide some assistance?

asked 06 Aug '13, 06:24

it_trb
accept rate: 0%

edited 06 Aug '13, 08:59

grahamb ♦


2 Answers:

0

It looks like all outbound packets are captured twice, causing Wireshark to interpret them as 'retransmissions'. You need to look at the ip.id to see if it is a real retransmit or a duplicate packet. Telling from the delta time I assume it's the latter.

I suggest running 'editcap -d infile outfile' and seeing if the retransmissions disappear.

answered 06 Aug '13, 20:34

mrEEde2
accept rate: 20%
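The check described in this answer, as an added example that is not part of the original thread or of Wireshark/editcap: a small Python script that walks a list of packet summaries and decides, for each repeat of an already-seen (source, destination, TCP sequence, length) tuple, whether it is a duplicate capture (same IP ID, arriving microseconds after the first copy) or a genuine TCP retransmission (the sender built a new IP datagram, so the IP ID differs and the gap is typically tens of milliseconds or more). The sample packets are constructed: frame numbers, addresses and timestamps mirror the rows in the question, but the IP IDs, sequence numbers and the extra pair 90001/90002 (a real retransmission) are made up for illustration. The dedupe step mimics what 'editcap -d' does in spirit; real editcap compares whole frame contents, not just these header fields.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLIENT = "170.186.153.151"
SERVER = "167.16.161.16"


@dataclass(frozen=True)
class Pkt:
    no: int        # frame number
    ts: float      # capture time in seconds (fractional part only is relevant here)
    src: str
    dst: str
    ip_id: int     # IP identification field (ip.id in Wireshark)
    seq: int       # TCP sequence number
    length: int    # TCP payload length in bytes
    info: str      # Wireshark-style Info column


# Constructed sample: a client whose outbound frames are captured twice,
# plus one genuinely retransmitted segment (90001/90002) for contrast.
SAMPLE: List[Pkt] = [
    Pkt(18749, 0.246703, CLIENT, SERVER, 0x1A01, 1, 109, "Client Hello"),
    Pkt(18750, 0.246718, CLIENT, SERVER, 0x1A01, 1, 109, "Client Hello"),
    Pkt(18758, 0.247513, SERVER, CLIENT, 0x7F10, 1, 133, "Server Hello, Change Cipher Spec, Finished"),
    Pkt(18759, 0.248696, CLIENT, SERVER, 0x1A02, 110, 47, "Change Cipher Spec, Finished"),
    Pkt(18760, 0.248707, CLIENT, SERVER, 0x1A02, 110, 47, "Change Cipher Spec, Finished"),
    Pkt(18762, 0.252905, CLIENT, SERVER, 0x1A03, 157, 568, "Application Data"),
    Pkt(18763, 0.252952, CLIENT, SERVER, 0x1A03, 157, 568, "Application Data"),
    # Constructed real retransmission: new IP ID, 300 ms later.
    Pkt(90001, 0.500000, CLIENT, SERVER, 0x1A04, 725, 100, "Application Data"),
    Pkt(90002, 0.800000, CLIENT, SERVER, 0x1A05, 725, 100, "Application Data"),
]


def classify(packets: List[Pkt], dup_window: float = 0.001) -> Dict[int, str]:
    """Map frame number -> 'original' | 'duplicate' | 'retransmission'.

    A packet repeating an earlier (src, dst, seq, length) is a duplicate
    capture when it also repeats the IP ID and arrives within dup_window
    seconds of the earlier copy; a different IP ID (or a long gap) means
    the sender really transmitted the segment again.
    """
    seen: Dict[Tuple[str, str, int, int], Pkt] = {}
    verdict: Dict[int, str] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src, p.dst, p.seq, p.length)
        prev = seen.get(key)
        if prev is None:
            verdict[p.no] = "original"
            seen[key] = p
        elif p.ip_id == prev.ip_id and (p.ts - prev.ts) <= dup_window:
            verdict[p.no] = "duplicate"
        else:
            verdict[p.no] = "retransmission"
            seen[key] = p  # later duplicates are compared against this copy
    return verdict


def dedupe(packets: List[Pkt]) -> List[Pkt]:
    """Drop duplicate captures, keeping originals and real retransmissions."""
    verdict = classify(packets)
    return [p for p in packets if verdict[p.no] != "duplicate"]


def report(packets: List[Pkt]) -> List[str]:
    """One human-readable line per packet, including the verdict."""
    verdict = classify(packets)
    return [f"{p.no:>6} {p.ts:.6f} {p.src:>16} -> {p.dst:<16} "
            f"ip.id=0x{p.ip_id:04x} seq={p.seq:<5} {verdict[p.no]:<14} {p.info}"
            for p in packets]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
    print(f"{len(SAMPLE) - len(dedupe(SAMPLE))} duplicate capture(s) removed")
```

With the constructed input, the three outbound pairs from the question are flagged as duplicates (same ip.id, 11 to 47 microseconds apart) and only the 90001/90002 pair is a retransmission. Once the duplicate copies are gone, the TLS dissector sees each Change Cipher Spec exactly once, which is what the decryption state machine expects.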

0

I experienced the same issue. A retransmitted "Change Cipher Spec" message (from server to client) causes the wrong decryption of all the TLS messages received at the client side. By ignoring the retransmitted CCS (Right Click -> Ignore Packet (toggle) ) the decryption works fine for me.

answered 12 Oct '15, 03:51

theo66
accept rate: 50%

That sounds like a bug. Could you raise a bug report at the Wireshark bugzilla, and attach a capture illustrating the problem so it can be fixed?

(12 Oct '15, 09:23) grahamb ♦

Unfortunately I can't attach my capture traces, however I don't think it's a bug. I discovered that by enabling the TCP option "Do not call subdissector for error packets" the TLS sessions are correctly decrypted without the "hack" I mentioned before.

(12 Oct '15, 23:32) theo66