(Pre)-Master-Secret TLS decryption not working on Mac

asked 2023-06-18 08:37:52 +0000

omlet

Hello

I'm trying to decrypt TLSv1.2 with reference to the following page.

Using the (Pre)-Master-Secret https://wiki.wireshark.org/TLS

My environment is as follows.

Mac : Ventura 13.3.1(22E261)

Chrome : 114.0.5735.133(Official Build) (x86_64)

Wireshark : Version 4.0.6 (v4.0.6-0-gac2f5a01286a).

Chrome constantly updates the ssl-key-log file.

I set the SSLKEYLOGFILE path as the "(Pre)-Master-Secret log filename" in Wireshark.

But TLS decryption is not working.

The following encrypted display appears:

Encrypted Application Data: 7e7b734de5867a290b3429a7794766752e8dfc28f1efbd4aeafeb0c6aa94dc24ee0a9f4b…

Is there any way to verify that Wireshark is referencing the SSLKEYLOGFILE and performing the decryption?


Comments

Set the TLS debug file that is mentioned in the Preferences section on the wiki page.

Chuckc (2023-06-18 10:12:52 +0000)

Set the TLS debug file that is mentioned in the Preferences section on the wiki page.

I've got the following message in the TLS debug file.

    dissect_ssl enter frame #23294 (first time)
    packet_from_server: is from server - FALSE
    conversation = 0x7f95796645d0, ssl_session = 0x7f9579664d30
    record: offset = 0, reported_length_remaining = 57
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 52, ssl state 0x10
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available

omlet (2023-06-25 03:43:03 +0000)

Thank you very much. Resolved.

omlet (2023-06-25 04:08:17 +0000)

1 Answer

answered 2023-06-19 12:26:52 +0000

SYN-bit

Did you:

  1. Close ALL Chrome windows before starting the capture?
  2. Start Chrome from the terminal window where you set the SSLKEYLOGFILE environment variable?

If you select the packet with the encrypted Application Data, and then apply the filter tcp.stream==${tcp.stream}, do you see the full TLS handshake? Does the handshake show a "Finished" from both sides or does it show an "encrypted handshake" message from both sides?

If you want to check if the functionality actually works, you can download a trace of mine from https://www.cloudshark.org/captures/1... and you will find the TLS session key in the capture file comments (see: capture file properties).


Comments

Thank you very much. Resolved.

I mistakenly thought that the Protocol was not compounded when I saw the message "Encrypted Application Data" in the TLS record.

When I looked at the record with protocol HTTP2, I was able to view the decrypted message.

omlet (2023-06-25 04:07:47 +0000)
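
An added example, not part of the original thread or of Wireshark: a Python check of the NSS key log format written to SSLKEYLOGFILE, reporting whether the file holds a usable CLIENT_RANDOM line for the Client Hello Random of a TLS 1.2 stream. The function names and the sample lines are constructed for illustration.

```python
import re

# NSS key log line: <label> <client random, 32 bytes hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
MASTER_SECRET_HEX_LEN = 96  # a TLS 1.2 master secret is 48 bytes

# Constructed sample lines, not real key material.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32,
    "CLIENT_RANDOM " + "ef" * 32 + " " + "cd" * 20,  # short secret
    "CLIENT_RANDOM deadbeef",  # malformed: secret field missing
])


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [malformed line numbers])."""
    entries, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            malformed.append(lineno)
            continue
        label, client_random, secret = match.groups()
        entries.setdefault(client_random.lower(), {})[label] = secret.lower()
    return entries, malformed


def tls12_status(entries, client_random):
    """Say whether the key log can decrypt the TLS 1.2 session with this random."""
    labels = entries.get(client_random.lower())
    if labels is None:
        return "missing: no secret was logged for this Client Hello"
    secret = labels.get("CLIENT_RANDOM")
    if secret is None:
        return "no CLIENT_RANDOM line, only: " + ", ".join(sorted(labels))
    if len(secret) != MASTER_SECRET_HEX_LEN:
        return "CLIENT_RANDOM present but the master secret is not 48 bytes"
    return "ok"


if __name__ == "__main__":
    parsed, _ = parse_keylog(SAMPLE)
    for rnd in ("ab" * 32, "11" * 32, "ef" * 32, "00" * 32):
        print(rnd[:8], "->", tls12_status(parsed, rnd))
```

To use it on a real capture, pass the text of the file named by SSLKEYLOGFILE to parse_keylog and the Random value copied from the stream's Client Hello to tls12_status.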
