First time here? Check out the FAQ!

Ask Your Question
0

Can't see encrypted application data in SSL session
 
  
 
  
 
 
 
 
 
 
    
        
        asked Apr 10 '18  
 
 rpecka gravatar image  
 
 
 
 
    
        
        updated Apr 11 '18  
 
 grahamb gravatar image  
 
 
 
 
 
Hi,
 
I'm having some trouble trying to inspect SSL encrypted websocket traffic from an iOS device that I have proxied through my Mac. I used tcpdump to create a .pcap
 
I've spent a bit of time going through old forum posts to find a solution to this and I believe I've eliminated the following issues:
 
     
  • The sessions I'm trying to view do not use a Diffie-Hellman key exchange (NOTE: some requests in the list DO use it but I am not trying to look at those ones. Frames I would like to see are frames like 16510, 16578, and 16580.)
    •  
  • The certificate and private key I have provided do match the ones used in the requests because I have not received a mismatch error.
    •  
  • I started the tcpdump before I started the application who's traffic I'm trying to inspect so I CAN see that every handshake is captured.
    •  
 
My ssldebug is below.
 
Thanks in advance!
 
Wireshark SSL debug log
 
Wireshark version: 2.4.5 (v2.4.5-0-g153e867)
GnuTLS version:    3.4.17
Libgcrypt version: 1.7.7

2668 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
KeyID[20]:
| 9e 19 ff 04 83 81 7f 56 cf 9b b4 0c 3d f2 6d ea |.......V....=.m.|
| 3b e1 8b 43                                     |;..C            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file KEY_FILE_LOCATION_REDACTED successfully loaded.
ssl_init port '443' filename 'FILENAME_REDACTED' password(only for p12 file) 'PASSWORD_REDACTED'
association_add ssl.port port 443 handle 0x118d71f20

dissect_ssl enter frame #153 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c659530, ssl_session = 0x11c659600
  record: offset = 0, reported_length_remaining = 239
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 234, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 230 bytes, remaining 239
Calculating hash with offset 5 234
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #154 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c659d90, ssl_session = 0x11c659e60
  record: offset = 0, reported_length_remaining = 240
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 235, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 231 bytes, remaining 240
Calculating hash with offset 5 235
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #155 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c65a5f0, ssl_session = 0x11c65a6c0
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 240, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 236 bytes, remaining 245
Calculating hash with offset 5 240
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #156 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c65ae50, ssl_session = 0x11c65af20
  record: offset = 0, reported_length_remaining = 238
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 233, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using ...
 (more)
Preview: (hide)
 
 
 
 
          
 
Comments
The ssldebug is too long so I can't edit the post. I just noticed there's a typo in the list of example frames I want to see: 1651 should be 16510
rpecka gravatar imagerpecka (
    
        Apr 10 '18
    )
add a comment
 
 
 
 
 
 0 Answers
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Apr 11 '18  
 
 grahamb gravatar image  
 
 
 
 
 
Looking at frame 16510, the ssl session is 0x11f056940, and the handshake frames for that session are 16489 & 16505:
 
dissect_ssl enter frame #16489 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11f056870, ssl_session = 0x11f056940
  record: offset = 0, reported_length_remaining = 226
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 221, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 217 bytes, remaining 226
Calculating hash with offset 5 221
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #16505 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x11f056870, ssl_session = 0x11f056940
  record: offset = 0, reported_length_remaining = 86
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 81, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 81
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
 
The cipher used is a DH variant: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
This means I can't view the data, correct?
rpecka gravatar imagerpecka (
    
        Apr 11 '18
    )
No, unless you can provide the session pre-master key.
grahamb gravatar imagegrahamb (
    
        Apr 11 '18
    )
Thanks a lot for your help, I really appreciate it, this has been a headache for me for a while. I have full access to the iOS device who's traffic I'm trying to inspect, do you have any tips for how to get the secret?
rpecka gravatar imagerpecka (
    
        Apr 11 '18
    )
add a comment
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Apr 10 '18  
 
 
        Seen: 2,247 times 
 

        Last updated: Apr 11 '18 
 
 
 
Related questions
 
 
 Step by step SSL decrypt with wireshark 
 
 TLS log file encryption with WireShark is not working properly 
 
 Looking for a detailed explanation on the SSL debug file 
 
 Capture encrypted VoIP calls with Wireshark ? 
 
 How to get TLSv1.2 to decode 
 
 Problems decoding BLE capture from another Wireshark program 
 
 Help to read this trace 
 
 How to verify what protocol was used in an encrypted file transfer? 
 
 Application data isn't decrypted whether I choose spdy, data, http or tcp as protocol. 
 
 Is it possible that wireshark doesn't recognize protocol?