Decyption Issue with SSL-key-log file

asked 2020-02-13 21:26:20 +0000

updated 2020-02-14 11:37:21 +0000

grahamb gravatar image

Please see below debug logs for TLS decryption, I have provided the SSL-key-log file and still error message I get is:

trying to use TLS keylog in /tmp/ssl-keys.log

ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret

Below is the complete DEBUG, can someone help if I am missing something here:

Wireshark SSL debug log

Wireshark version: 3.0.7 (Git v3.0.7 packaged as 3.0.7-1~ubuntu16.04.0+wiresharkdevstable1)
GnuTLS version:    3.4.10
Libgcrypt version: 1.6.5

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x5561cf83f860, ssl_session = 0x5561cf8646d0
  record: offset = 0, reported_length_remaining = 88
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 83, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 79 bytes, remaining 88
Calculating hash with offset 5 83
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x5561cf83f860, ssl_session = 0x5561cf8646d0
  record: offset = 0, reported_length_remaining = 1448
  need_desegmentation: offset = 0, reported_length_remaining = 1448

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x5561cf83f860, ssl_session = 0x5561cf8646d0
  record: offset = 0, reported_length_remaining = 1496
ssl_try_set_version found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1491, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 1496
ssl_try_set_version found version 0x0301 -> state 0x11
Calculating hash with offset 5 81
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA -> state 0x17
trying to use TLS keylog in /tmp/ssl-keys.log
  checking keylog line: CLIENT_RANDOM 004a2415fc13b7f7eebd623c4662ae7baabdafe2e70e4b39ad4a988e261b2704 619bb1d677fc437d370223399a3659d409fe2e6b7dab94086b0d4f1eec0527667ee75f2436ba2096628e48c849469cff
    matched client_random
  checking keylog line: CLIENT_RANDOM bad1e955e324c9ba39653eb7fac9cb51d316851943896b967332d1be49800e48 f8dd1ef1d8ef03a25f850fe68cc203a770c5d3bf0d895d8220c2f1554da23da5d05563aea596c8965d6a53d77ceecd91
    matched client_random
  checking keylog line: CLIENT_RANDOM c07f11ed08132ec578816018357e32f4f7162ccc82d085a1babb2c9ce8e7f3f6 f1d1847b50bc64f8ef923216f4f0c20bacb211377266a67e02c171ccf862eb6ddfd8076d0bfe0b68e97567dfe8197b30
    matched client_random
  checking keylog line: CLIENT_RANDOM 38e1db27e63e89a0da8ac8b382c8dad60d12bf46bdf03ef3005ba14853ab531b 1226e0e645963b4198c7aa84805d8bb603e8c05c1bcd643e9c267b390bedf429a66c9dee795f3c6cf5dc28d6f2d4a10c
    matched client_random
  checking keylog line: CLIENT_RANDOM ab9effa62810c4ed9c61037fc9d53429f9d90d07e9bc68a4189c6185c62b64c8 e71bf66a76a0d23128c39b8044700676b6c126101b84a03258455ca8d72c91ead66436b155ee784d46b9366a736e4578
    matched client_random
  checking keylog line: CLIENT_RANDOM 8999f07691836ac2f6bff4dbee97a0c6de212822c7a49a31336c4b7b54e8c6bc a3649a5b343f5f1029024063b582cf0a495c4db014a803f9fe498d5893804baaf21d4e79f852a3a1c7029d9f120cbe14
    matched client_random
  checking keylog line: CLIENT_RANDOM d47d8a489f5d58be0bc0c5c9bc5f8863dab9b25db25edaef90204ba00c52a59a a3649a5b343f5f1029024063b582cf0a495c4db014a803f9fe498d5893804baaf21d4e79f852a3a1c7029d9f120cbe14
    matched client_random
  checking keylog line: CLIENT_RANDOM d6466dd43406ec733e85f09d01824b02d34d85a984c2f521f4a501c54ed015be de1472660c383c689ede7e90e2e4c5c596e2148215812dd34a8a7f161ac7a452fe691d773ccc0eaa3b73cdca5ddea684
    matched client_random
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET c113f9bdfcc84b9c13894fb7f6e96d1c096c644dded101e978927fb9858eaa10 3b2800a72d5bf593e7bc1cbc7b9d403a08dadd05cd539b229db394dc1212d2bf
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET c113f9bdfcc84b9c13894fb7f6e96d1c096c644dded101e978927fb9858eaa10 3113ffec00dd138ecc3dd03988dce5a62e8aec747cf7b4ca53ee1cbd377301c0
    matched server_handshake
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 c113f9bdfcc84b9c13894fb7f6e96d1c096c644dded101e978927fb9858eaa10 9a7c7b96afc503946c1f785b22187cc6134a20a7b3dd73844f3f5eeeff06b2e1
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 c113f9bdfcc84b9c13894fb7f6e96d1c096c644dded101e978927fb9858eaa10 1d1016c84941d40e2245954d066bb9d26b4384b5f82ed2c4dceea85086347687
    matched server_appdata
  checking keylog line: EXPORTER_SECRET c113f9bdfcc84b9c13894fb7f6e96d1c096c644dded101e978927fb9858eaa10 4fa0a975c106a338c7221df7b382fb993a34ced2a24161e89975941c14466860

matched exporter
tls13_load_secret TLS version 0x301 is not 1.3
tls13_load_secret TLS version 0x301 is not 1.3
dissect_ssl3_handshake iteration 0 type 11 offset 86 length 847 bytes, remaining 1496
Calculating hash with offset 86 851
Certificate.KeyID[20]:
| c1 9d 7a c0 ae e5 52 a7 40 fc d7 74 b6 2f a8 5a |..z...R.@..t./.Z|
| 46 25 18 82                                     |F%..            |
dissect_ssl3_handshake iteration 0 type 12 offset 937 length 551 bytes, remaining 1496
Calculating ...
(more)
edit retag flag offensive close merge delete

Comments

Hello everyone,

Any idea what exactly is going wrong here.

Thanks

u2brutus gravatar imageu2brutus ( 2020-02-18 14:09:49 +0000 )edit

Hi, consider providing the original capture file (note that it will obviously be public, so hopefully it does not have sensitive data). According to the above log, no secret can be found for your TLS sessions. Are you sure that the Client Hello Random matches one of your secrets?

Lekensteyn gravatar imageLekensteyn ( 2020-02-22 00:20:15 +0000 )edit