Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2018-08-07 16:43:33 +0000

rriemann gravatar image

mitmproxy+wireshark: SSL decryption with sslkey

Hello,

I want to see in wireshark SSL/TLS packages from an Android phone. Unfortunately, decryption fails.

I have configured an Android device to use as a proxy the mitmproxy running on my Linux computer (opensuse Tumbleweed). I started mitproxy with:

SSLKEYLOGFILE=$HOME/.mitmproxy/sslkeylogfile.txt mitmproxy --listen-port=1337 --rawtcp

I configured wireshark to use the mitmproxy-ca.pem file and the file sslkeylogfile.txt.

Howver, the decryption does not work. The cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is used, but I found that it is supposed to work if sslkeylogfile.txt is provided.

Some excerpts of Wireshark’s SSL log (entire file here: https://pastebin.com/9UjZLSgx):

Wireshark SSL debug log 

Wireshark version: 2.6.2 (v2.6.2)
GnuTLS version:    3.6.2
Libgcrypt version: 1.8.3

ssl_association_remove removing UDP 443 - handle 0x563e9a945210
KeyID[20]:
| bc 5d 10 b1 2e 94 63 33 4d f5 c2 7f 07 2b 42 0b |.]....c3M....+B.|
| ed aa 1b 14                                     |....            |
ssl_init private key file /home/user/.mitmproxy/new_ca/mitmproxy-ca.pem successfully loaded.
ssl_init port '443' filename '/home/user/.mitmproxy/new_ca/mitmproxy-ca.pem' password(only for p12 file) ''
association_add ssl.port port 443 handle 0x563e9a945210

dissect_ssl enter frame #58 (first time)
packet_from_server: is from server - FALSE
conversation = 0x563e9bbad2f0, ssl_session = 0x563e9bbad3c0
record: offset = 0, reported_length_remaining = 224
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 219, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 215 bytes, remaining 224 
Calculating hash with offset 5 219
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #60 (first time)
packet_from_server: is from server - FALSE
conversation = 0x563e9bbade10, ssl_session = 0x563e9bbadee0
record: offset = 0, reported_length_remaining = 1448
ssl_try_set_version found version 0x0303 -> state 0x10
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 61, ssl state 0x10
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 57 bytes, remaining 66 
ssl_try_set_version found version 0x0303 -> state 0x10
Calculating hash with offset 5 61
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x12
ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x16
trying to use SSL keylog in /home/user/.mitmproxy/sslkeylogfile.txt
checking keylog line: 
    unrecognized line
checking keylog line: CLIENT_RANDOM 68e322d91589bba2640b80fd97aa474db62aef785cef6523d3a494e22140f342 eb33b42d5aa931db68e1ac61a624ccf51bf8a06881b9ffd7b22887efcb2e57822d7fc5486ffdf7f7b5bfb1744f234ec0
    matched client_random
[…]
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
record: offset = 66, reported_length_remaining = 1382
need_desegmentation: offset = 66, reported_length_remaining = 1382

dissect_ssl enter frame #64 (first time)
packet_from_server: is from server - FALSE
conversation = 0x563e9bbade10, ssl_session = 0x563e9bbadee0
record: offset = 0, reported_length_remaining = 4836
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4831, ssl state 0x16
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 4827 bytes, remaining 4836 
Calculating hash with offset 5 4831
[…]

dissect_ssl enter frame #104 (first time)
packet_from_server: is from server - FALSE
conversation = 0x563e9bbcf480, ssl_session = 0x563e9bbd2910
record: offset = 0, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 70, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 
Calculating hash with offset 5 70
trying to use SSL keylog in /home/user/.mitmproxy/sslkeylogfile.txt
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 97
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
record: offset = 75, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available