Problem with reassembling TLS application Data

asked 2019-08-09 13:58:23 +0000 by Sammy

updated 2019-08-09 16:24:26 +0000

I'm trying to decrypt an HTTP over TLS conversation. SSL decryption is OK, but reassembly of some of the TLS records is wrong. It is supposed to be an HTTP response consisting of frames #117 and #118.

The HTTP response consists of 4 TLS records:

1) of length 410 bytes, in frame #117. (17 03 03 01 9a...)

2) of length 3544 bytes, spanning over frames #117 and #118. (17 03 03 0d d8...)

3) of length 26 bytes, in frame #118. (17 03 03 00 1a ...)

4) of length 29 bytes, in frame #118. (17 03 03 00 1d...)

I've enabled:

Option 1) "Reassemble TLS records spanning multiple TCP segments"

Option 2) "Reassemble TLS application Data spanning multiple TLS records"

Option #1 is working: TLS record #2 is displayed in frame #118, and all 4 TLS records can be decrypted. But Option #2 is not: it only reassembles and decrypts TLS records #2-4, not #1, which contains the start of the response ("HTTP/1.1"...), so the result is not dissected as HTTP. Why is that?


An excerpt of TCP payload of frame #117 is as follows:

0000   17 03 03 01 9a be 62 96 eb 05 ef eb 7c 13 5b 98   ......b.....|.[.
......
0190   2b da 10 b1 13 da 5a 5b 2c 33 ec 43 57 52 08 17   +.....Z[,3.CWR..
01a0   03 03 0d d8 be 62 96 eb 05 ef eb 7d 2e e4 47 4a   .....b.....}..GJ
......
0b40   f9 01 42 e8 68 f7 06 05 5e fa 0e 17 48 e9 7c 32   ..B.h...^...H.|2

An excerpt of TCP payload of frame #118 is as follows:

0000   c9 39 12 b7 2c 8e 55 ef 2a 01 fd 3f f5 04 cc 32   .9..,.U.*..?...2
......
0420   bf 02 7d 16 96 1f be c3 3d 86 16 55 17 03 03 00   ..}.....=..U....
0430   1a be 62 96 eb 05 ef eb 7e cb e9 4b 52 a4 d7 9d   ..b.....~..KR...
0440   a6 7b a9 19 39 f1 ac e1 a5 0e 44 17 03 03 00 1d   .{..9.....D.....
0450   be 62 96 eb 05 ef eb 7f 57 07 9d 51 b2 b1 e0 a3   .b......W..Q....
0460   49 9a d3 f5 e6 d9 32 14 19 d8 d6 91 a0            I.....2......

Versions:

Wireshark Version 3.0.3 (v3.0.3-0-g6130b92b0ec6)

OS version: Windows 7 Professional 64-bit

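As an added illustration (this is not part of the original post and not Wireshark's code): a small Python parser that treats the two TCP payloads as one byte stream, splits it into TLS records using the 5-byte record header (content type, version, length), notes which frame each record starts and ends in, and then groups consecutive application_data records into the run that option #2 should decrypt and concatenate before handing the plaintext to the HTTP dissector. The two frame payloads are constructed here, not taken from the capture: they use the same headers and lengths as the dumps above (frame #117 carrying 0xb50 bytes, which puts record 2's header at 0x19f and record 3's header at 0x42c of frame #118, matching the offsets shown), with filler bytes in place of the ciphertext.

```python
"""Split a reassembled TCP stream into TLS records and group the
application_data records, mirroring the two Wireshark reassembly options
discussed in the question.  Added example; frame contents are constructed."""
import struct
from dataclasses import dataclass

TLS_HEADER_LEN = 5
# TLS 1.3 allows 2^14 bytes of plaintext plus up to 256 bytes of expansion
MAX_RECORD_LEN = 16384 + 256
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}


@dataclass
class TlsRecord:
    index: int          # 1-based record number within the stream
    content_type: int
    version: int        # record-layer version field (0x0303 here)
    length: int         # payload length from the header
    first_segment: int  # 1-based TCP segment holding the record header
    last_segment: int   # TCP segment holding the final payload byte
    payload: bytes


def segment_of(offset, boundaries):
    """1-based index of the TCP segment that contains stream byte `offset`."""
    for i, end in enumerate(boundaries, start=1):
        if offset < end:
            return i
    raise ValueError("offset beyond end of stream")


def split_tls_records(segments):
    """Concatenate TCP segment payloads (option #1) and cut them into TLS
    records.  Returns (records, leftover) where leftover is a record that
    is still waiting for more TCP data."""
    stream = b"".join(segments)
    boundaries, total = [], 0          # cumulative end offset per segment
    for seg in segments:
        total += len(seg)
        boundaries.append(total)
    records, pos = [], 0
    while pos + TLS_HEADER_LEN <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype not in CONTENT_TYPES or length > MAX_RECORD_LEN:
            raise ValueError(f"no TLS record header at stream offset {pos:#x}")
        end = pos + TLS_HEADER_LEN + length
        if end > len(stream):
            break                      # truncated record: needs the next segment
        records.append(TlsRecord(len(records) + 1, ctype, version, length,
                                 segment_of(pos, boundaries),
                                 segment_of(end - 1, boundaries),
                                 stream[pos + TLS_HEADER_LEN:end]))
        pos = end
    return records, stream[pos:]


def application_data_runs(records):
    """Group consecutive application_data records (option #2).  Each run is
    one unit whose decrypted payloads belong together; an HTTP response that
    starts in record 1 must be in the same run as records 2-4."""
    runs, current = [], []
    for r in records:
        if r.content_type == 0x17:
            current.append(r.index)
        elif current:
            runs.append(current)
            current = []
    if current:
        runs.append(current)
    return runs


def build_sample_frames():
    """Constructed stand-ins for the TCP payloads of frames #117 and #118:
    four application_data records of 410, 3544, 26 and 29 bytes, with the
    first frame holding 0xb50 bytes so record 2 spans both frames."""
    stream = b"".join(b"\x17\x03\x03" + struct.pack("!H", n) + bytes([fill]) * n
                      for n, fill in ((410, 0xaa), (3544, 0xbb),
                                      (26, 0xcc), (29, 0xdd)))
    return [stream[:0xb50], stream[0xb50:]]


if __name__ == "__main__":
    recs, rest = split_tls_records(build_sample_frames())
    for r in recs:
        print(f"record {r.index}: {CONTENT_TYPES[r.content_type]} "
              f"len={r.length} segments {r.first_segment}-{r.last_segment}")
    print("application_data runs:", application_data_runs(recs))
```

Running it lists record 2 as spanning segments 1-2 and records 3 and 4 as inside segment 2, and reports a single application_data run covering records 1 through 4, which is the grouping the HTTP dissector needs to see "HTTP/1.1" at the start of the reassembled plaintext.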

Comments

Are you able to share the capture file and the SSL session key for this particular session? (you can use any public file sharing platform like Google Drive, OneDrive, Dropbox, etc and post the link here)

SYN-bit ( 2019-08-14 12:07:00 +0000 )

I'm having a similar issue. Frame #31 is not shown as HTTP unless I disable "Reassemble TLS application Data spanning multiple TLS records". Wireshark v3.0.5

The key log is embedded into the pcapng file.

https://www.dropbox.com/s/1huqlujnkig...

Am I missing anything?

Andrey Egorov ( 2019-10-06 09:12:27 +0000 )

@Andrey Egorov In your case, the reassembly of the two TLS records is not working correctly. When you turn "Reassemble TLS application Data spanning multiple TLS records" off, you can see the two parts of the HTTP response in separate HTTP headers because they are not reassembled at the TLS record layer. Could you file a bug on https://bugs.wireshark.org and add your capture file over there too?

SYN-bit ( 2019-10-06 22:21:10 +0000 )