Failure to "decode as" for LDAPS
Hello
I recently did a capture for LDAPS traffic and I have the sslkeys file for this session. Wireshark is decrypting the packets, however even if I set the traffic as "decode as" to LDAP, it doesn't show me the data as the normal LDAP view.
I did some googling and other people had a similar issue but were able to fix it. For example: https://ask.wireshark.org/question/25...
Could this be a bug with "Decode as" for LDAP protocol?
image:
PS: Im using wireshark 64 bit 3.6.1
Yes I checked, as you can see from the image, Wireshark identifies by himself the Application Data Protocol. The packet view is always the same regardless of the "decode as" setting
As you can see, that field has "[]" around the name, this indicates its synthesized by Wireshark and can be set by a number of methods, often because of the port the TLS session is running on. This does not indicate a successful decryption.
You should configure Wireshark to create a TLS debug file (TLS preferences) and post that here.
I tried to create the TLS debug file, however the file is always empty. I'm using a "pre master secret log file" instead of RSA key list, could it be because of that?
What I can confirm is that I see the Client Random of the particular connection in the sslkeys file. I can also see that the TLS handshake contains the Client Key Exchange and the Server Key Exchange. At the end of the stream I see an Encrypted Alert, suggesting that the stream is indeed not decrypted - which sounds weird to me.
There are additional encrypted HTTPS stream on this capture, which are successfully decrypted. I have also validated the same as above.
I've never come across the TLS debug file not being created when required. The debug log doesn't care how the keying material is provided.
HTTPS isn't LDAPS. Are you capturing on the LDAP client, if so what application is making the connection to the LDAP server? If it's regular Windows apps or the OS, it's likely they're using SChannel for TLS which does NOT generate keying material for decryption.
The file is created, however no data is present. I'm capturing on a Netscaler, which can handle many types of protocols, like HTTPS and LDAP/LDAPS. So I have both protocols in the same capture, and also the keys for these connections. Note, I'm actually using the portable version of Wireshark, do you think that could have something to do with the debug file not outputing anything?
Can't think of any reason for the portable package causing anything like this, it's the same binary, just packaged a different way.
Maybe worth a sanity check, using the capture and keys file from the SSL sample captures page, e.g. the ldap-ssl one, check that you can see decrypted traffic AND that you get a debug log output. Note for the ldap-ssl capture, you have to open the capture file properties and copy the CLIENT_RANDOM string comment into a file and use that for the pre-master secret file.
I can see the traffic beeing decrypted everytime. On the original system the file is not generated. I have tested with the ldap-ssl on my personal machine, with 3.6.0 and 3.6.1 (installed and portable) and the file gets generated. I will try to move my ldaps capture to a different system and test there. Will update soon.
Hi Grahamb, I moved to another system and there I can see the TLS debug file being written. Now, I do have to apologize to you. I revisited all the capture files that I made yesterday and I can't find the corresponding client random for any LDAPS stream. I'm sure I checked and found it yesterday, hence why I opened the question. I must have made a mistake at some point. I performed additional captures now and still I don't see the corresponding client random in it. I'm sorry I lost your time, but I would like to thank you very much for the attention and help you provided. Wish you a pleasant day, and again, accept my apologies.