 | 1 | initial version |
Using a more canonical reference such as the project's own wiki page on TLS you should note the following about decryption:
The RSA private key file can only be used in the following circumstances:
- The cipher suite selected by the server is not using (EC)DHE.
And as the linked article notes, you can determine if a DH key exchange is in use by examining the SSL debug log and looking for the cipher being used. From your log:
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
So a DH keyexchange is occurring and an RSA master key will not be able to decrypt the data, you will need a pre-master secret from the sslkeylogfile. The debug log indicates that the TLS dissector couldn't find valid keying material in the keylog file:
ssl_dissect_change_cipher_spec Session resumption using Session ID
trying to use TLS keylog in C:\Temp\ssl-keys.log
ssl_finalize_decryption state = 0x197
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
The log also indicates that this was a session resumption. Is it possible that the original session occurred before the sslkeylog file was created?
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.