decrypt tls 1.2 issue

asked 2021-09-23 17:57:28 +0000

updated 2021-09-23 20:03:07 +0000

SYN-bit gravatar image

(Windows Server 2019 + Wireshark v3.4.8-0-g3e1ffae201b8 )

Trying to use the environment variable way to decrypt TLS1.2 traffic. Unfortunately whilst it can read and match keys it has other issues. Debug log sample attached.

I already disabled Diffie-Hellman and all other weak ciphers. Rebooted...etc...

dissect_ssl enter frame #2495 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000028F24C4C580, ssl_session = 0000028F24C53240
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes
Calculating hash with offset 5 262
trying to use TLS keylog in C:\Wireshark_Logs\SSL_KEYDUMP.log
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
pre master encrypted[256]:
| 16 31 97 70 42 3f e0 e2 e9 b8 11 a1 56 0f 66 1e |.1.pB?......V.f.|
| aa 84 8f 39 04 83 c4 d7 e3 bb 27 7f e3 e4 3a 5a |...9......'...:Z|
| 8b f2 ea 0d 2c 8b 25 a4 14 43 05 bb 30 28 e1 10 |....,.%..C..0(..|
| 47 95 53 84 85 01 d7 fa 56 a1 a7 6d 26 bf 66 df |G.S.....V..m&.f.|
| 22 5a a6 5b 54 ba 76 05 8a 8e 00 99 7c bd 77 10 |"Z.[T.v.....|.w.|
| 72 89 4e b1 e2 b9 7c 1e 7d 3c 7c 4d 56 da 8b 04 |r.N...|.}<|MV...|
| 47 7f 18 7f 60 db 53 4b 9d 7b ed 1e 0a ae 89 8e |G...`.SK.{......|
| 45 37 33 20 bb ce db 73 33 46 c1 48 16 07 57 14 |E73 ...s3F.H..W.|
| 26 ba 65 77 16 4e 05 db 69 0f 41 34 e4 92 6f e0 |&.ew.N..i.A4..o.|
| ed 89 17 e6 11 d9 7e 0a 87 89 2c d2 ca f9 23 a2 |......~...,...#.|
| 09 ca 0b 5b 07 33 73 94 04 a8 3d ea 13 7c 99 58 |...[.3s...=..|.X|
| 35 e8 dd c4 1b 32 9f 6f 92 0a e4 18 2f 9e bc 43 |5....2.o..../..C|
| a5 66 ed 09 ce 5d 29 ff c1 70 ac 34 5f ed 84 80 |.f...])..p.4_...|
| f5 56 7c a4 97 83 f7 f5 a3 dc 09 d6 f0 89 04 69 |.V|............i|
| 9d b3 14 15 b8 a1 c4 8e 8a b0 9e db 16 38 91 d9 |.............8..|
| 62 79 84 fb 37 e4 f3 ed 8a 23 4e 9a d0 2d 62 f1 |by..7....#N..-b.|
ssl_decrypt_pre_master_secret: RSA_private_decrypt
ssl_decrypt_pre_master_secret: decryption failed: -49 (No certificate was found.)
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder ...
(more)
edit retag flag offensive close merge delete