Ask Your Question
0

decrypt TLS (cipher ECDHE ) using SSLKEYLOGFILE

asked 2018-05-18 09:05:53 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hi !

I want to decrypt TLS frames with wireshark. I saw with the server Hello that ECDHE is used so RSA key is useless.

But even with SSLKEYLOGFILE decryption don't work.

Here is an extract of my ssl debug file :

dissect_ssl enter frame #355 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x55b3f6b2d370, ssl_session = 0x55b3f6b2e970
  record: offset = 0, reported_length_remaining = 2658
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 323, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 319 bytes, remaining 328 
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 323
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0xC02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -> state 0x97
ssl_dissect_hnd_hello_ext_alpn: changing handle (nil) to 0x55b3f385b390 (http2)trying to use SSL keylog in /home/lsalamani/sslkeylog.log
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
  record: offset = 328, reported_length_remaining = 2330
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 2197, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 333 length 2193 bytes, remaining 2530 
Calculating hash with offset 333 2197
lookup(KeyID)[20]:
| d4 88 42 e9 5d 7a c0 36 9d 5b d2 65 8f f4 0c 54 |..B.]z.6.[.e...T|
| 54 d7 0f 30                                     |T..0            |
ssl_find_private_key_by_pubkey: lookup result: (nil)
  record: offset = 2530, reported_length_remaining = 128
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 114, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 2535 length 110 bytes, remaining 2649 
Calculating hash with offset 2535 114
  record: offset = 2649, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 2654 length 0 bytes, remaining 2658 
Calculating hash with offset 2654 4
edit retag flag offensive close merge delete

Comments

Your ssl dbg log is virtually unreadable due to the formatting. Can you edit your question and simply paste the contents of the log file in, highlight it and then click the code button (101010) to format it as code?

grahamb gravatar imagegrahamb ( 2018-05-18 09:30:18 +0000 )edit

Thanks to the tips ! It's done

leandre gravatar imageleandre ( 2018-05-18 09:33:08 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-05-18 11:33:10 +0000

leandre gravatar image

Apparently it was a problem with chromium which don't update the sslkeylogfile. With Chrome it seems to work fine !

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-05-18 09:05:53 +0000

Seen: 2,110 times

Last updated: May 18 '18