Ask Your Question
0

I can't decrypt my TLS traffic

asked 2020-05-19 02:36:25 +0000

areblitz04 gravatar image

I generated a certificate with a matching private key for this one. Then, when I try to decrypt it using the private key, it is still encrypted. Here is my log file.

Wireshark SSL debug log 

Wireshark version: 3.2.2 (Git v3.2.2 packaged as 3.2.2-1)
GnuTLS version:    3.6.13
Libgcrypt version: 1.8.5

ssl_association_remove removing UDP 443 - handle 0x557610bd4970
KeyID[20]:
| db 62 99 63 91 fa 6b 2d 0c c7 70 57 a3 bf 10 dc |.b.c..k-..pW....|
| 20 3b 1b 92                                     | ;..            |
ssl_init private key file /home/kali/Downloads/apache-selfsigned.key successfully loaded.
ssl_init port '443' filename '/home/kali/Downloads/apache-selfsigned.key' password(only for p12 file) ''
association_add tls.port port 443 handle 0x557610bd4970

dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x557612757110, ssl_session = 0x557612757bd0
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 512, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes
Calculating hash with offset 5 512
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #24 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x557612757110, ssl_session = 0x557612757bd0
  record: offset = 0, reported_length_remaining = 1622
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 122, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 118 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1302 TLS_AES_256_GCM_SHA384 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
  record: offset = 127, reported_length_remaining = 1495
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 133, reported_length_remaining = 1489
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 38, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 176, reported_length_remaining = 1446
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1081, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 1262, reported_length_remaining = 360
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 281, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 1548, reported_length_remaining = 74
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 69, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #26 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x557612757110, ssl_session = 0x557612757bd0
  record: offset = 0, reported_length_remaining = 30
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 6, reported_length_remaining = 24
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 19, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #34 ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-05-19 07:24:16 +0000

grahamb gravatar image

I'm not 100% sure about this but from your SSL log:

ssl_set_cipher found CIPHER 0x1302 TLS_AES_256_GCM_SHA384

This is a TLS 1.3 cipher and TLS 1.3 can't be decrypted using the certificate private key. To decrypt the traffic you'll have to obtain the pre-master secret from either the client or the server, see the wiki page on TLS for more info.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-05-19 02:36:25 +0000

Seen: 3,430 times

Last updated: May 19 '20