Ask Your Question

Revision history [back]

Using a more canonical reference such as the project's own wiki page on TLS you should note the following about decryption:

The RSA private key file can only be used in the following circumstances:

  • The cipher suite selected by the server is not using (EC)DHE.

And as the linked article notes, you can determine if a DH key exchange is in use by examining the SSL debug log and looking for the cipher being used. From your log:

ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97

So a DH keyexchange is occurring and an RSA master key will not be able to decrypt the data, you will need a pre-master secret from the sslkeylogfile. The debug log indicates that the TLS dissector couldn't find valid keying material in the keylog file:

ssl_dissect_change_cipher_spec Session resumption using Session ID 
trying to use TLS keylog in C:\Temp\ssl-keys.log 
ssl_finalize_decryption state = 0x197 
ssl_restore_master_key can't find master secret by Session ID 
ssl_restore_master_key can't restore master secret using an empty Session Ticket 
ssl_restore_master_key can't find master secret by Client Random 
  Cannot find master secret

The log also indicates that this was a session resumption. Is it possible that the original session occurred before the sslkeylog file was created?