Ask Your Question
0

Can't see encrypted application data in SSL session

asked 2018-04-10 15:30:16 +0000

rpecka gravatar image

updated 2018-04-11 02:01:38 +0000

grahamb gravatar image

Hi,

I'm having some trouble trying to inspect SSL encrypted websocket traffic from an iOS device that I have proxied through my Mac. I used tcpdump to create a .pcap

I've spent a bit of time going through old forum posts to find a solution to this and I believe I've eliminated the following issues:

  • The sessions I'm trying to view do not use a Diffie-Hellman key exchange (NOTE: some requests in the list DO use it but I am not trying to look at those ones. Frames I would like to see are frames like 16510, 16578, and 16580.)
  • The certificate and private key I have provided do match the ones used in the requests because I have not received a mismatch error.
  • I started the tcpdump before I started the application who's traffic I'm trying to inspect so I CAN see that every handshake is captured.

My ssldebug is below.

Thanks in advance!

Wireshark SSL debug log

Wireshark version: 2.4.5 (v2.4.5-0-g153e867)
GnuTLS version:    3.4.17
Libgcrypt version: 1.7.7

2668 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
KeyID[20]:
| 9e 19 ff 04 83 81 7f 56 cf 9b b4 0c 3d f2 6d ea |.......V....=.m.|
| 3b e1 8b 43                                     |;..C            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file KEY_FILE_LOCATION_REDACTED successfully loaded.
ssl_init port '443' filename 'FILENAME_REDACTED' password(only for p12 file) 'PASSWORD_REDACTED'
association_add ssl.port port 443 handle 0x118d71f20

dissect_ssl enter frame #153 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c659530, ssl_session = 0x11c659600
  record: offset = 0, reported_length_remaining = 239
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 234, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 230 bytes, remaining 239
Calculating hash with offset 5 234
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #154 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c659d90, ssl_session = 0x11c659e60
  record: offset = 0, reported_length_remaining = 240
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 235, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 231 bytes, remaining 240
Calculating hash with offset 5 235
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #155 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c65a5f0, ssl_session = 0x11c65a6c0
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 240, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 236 bytes, remaining 245
Calculating hash with offset 5 240
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #156 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c65ae50, ssl_session = 0x11c65af20
  record: offset = 0, reported_length_remaining = 238
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 233, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using ...
(more)
edit retag flag offensive close merge delete

Comments

The ssldebug is too long so I can't edit the post. I just noticed there's a typo in the list of example frames I want to see: 1651 should be 16510

rpecka gravatar imagerpecka ( 2018-04-10 15:34:00 +0000 )edit

0 Answers

Sort by ยป oldest newest most voted
0

answered 2018-04-11 02:07:20 +0000

grahamb gravatar image

Looking at frame 16510, the ssl session is 0x11f056940, and the handshake frames for that session are 16489 & 16505:

dissect_ssl enter frame #16489 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11f056870, ssl_session = 0x11f056940
  record: offset = 0, reported_length_remaining = 226
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 221, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 217 bytes, remaining 226
Calculating hash with offset 5 221
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #16505 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x11f056870, ssl_session = 0x11f056940
  record: offset = 0, reported_length_remaining = 86
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 81, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 81
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3

The cipher used is a DH variant: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

edit flag offensive delete link more

Comments

This means I can't view the data, correct?

rpecka gravatar imagerpecka ( 2018-04-11 03:17:37 +0000 )edit

No, unless you can provide the session pre-master key.

grahamb gravatar imagegrahamb ( 2018-04-11 07:56:40 +0000 )edit

Thanks a lot for your help, I really appreciate it, this has been a headache for me for a while. I have full access to the iOS device who's traffic I'm trying to inspect, do you have any tips for how to get the secret?

rpecka gravatar imagerpecka ( 2018-04-11 13:32:40 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-10 15:30:16 +0000

Seen: 2,140 times

Last updated: Apr 11 '18