gRPC traffic dissector with TLSv1.3

asked 2023-07-04 14:26:29 +0000

Stew4690
1 ●2

updated 2023-07-04 15:18:30 +0000

Hey, I am trying to read some gRPC traffic that has been encrypted over TLSv1.3, but so far I am not having any success. I am using a client and a server written in C++, and exporting the tls session key to a txt file which has the following format:
SERVER_HANDSHAKE_TRAFFIC_SECRET val
CLIENT_HANDSHAKE_TRAFFIC_SECRET val
EXPORTER_SECRET val
SERVER_TRAFFIC_SECRET_0 val
CLIENT_TRAFFIC_SECRET_0 val

I put this file in the field (Pre)-Master-Secret log filename of the TLS protocol settings. At that point I expect to be able to read the traffic but that is not the case. Is the format of key correct and/or am I misunderstanding something ? Did someone succeed in doing this ?

TLS logs:
Those suspicious line:
- tls13_load_secret Cannot find SERVER_TRAFFIC_SECRET_0, decryption impossible
- tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible

But I can't make any sense of this, since those variable are in the file.

Thanks ! I can put sample files if needed.

edit retag flag offensive close merge delete

Comments

TLS - Preference Settings - have you tried enabling the debug file and checking the output for errors?

Chuckc ( 2023-07-04 14:54:20 +0000 )edit

Just did that and updated post but I don't really understand why it doesn't find the variable.

Stew4690 ( 2023-07-04 15:19:22 +0000 )edit

There is a tls13-debug.txt attached to issue 12779: Add TLS 1.3 support

Does your log have the trying to use SSL keylog in "filename" entry?

Chuckc ( 2023-07-04 15:42:27 +0000 )edit

It has trying to use TLS keylog in "path to filename"

Stew4690 ( 2023-07-04 15:52:45 +0000 )edit

Can you share the debug log or the capture and key log file?
(Place them on a public file share and add the link in the question above)

Chuckc ( 2023-07-05 00:24:11 +0000 )edit

add a comment

Comments

It would help if you add the output of wireshark -v or Help->About Wireshark:Wireshark to the question.
The example I gave in the issues was from an older version of Wireshark so ssl vs tls.
There was a somewhat related issue with dfilters that might also need to be applied to the key log files.
18082: "dfilter" file on Windows adds carriage returns, and requires line feeds

Chuckc ( 2023-07-05 12:40:18 +0000 )edit

Are you still open to sharing the original files and Wireshark version info?
I modified the openssl_keylog.txt in issue 12779 to have CRLF EOL and the decode works fine in Wireshark 4.0.6.

Chuckc ( 2023-07-05 14:39:54 +0000 )edit

My bad

No, our bad. Given that text files may be written on Windows and read in a UN*X Wireshark, or written on a UN*X system and read in a Windows Wireshark, we need to be able to handle text files with LF-only line endings in the Windows version of Wireshark and handle text files with CR-LF line endings in the UN*X version(s) of Wireshark.

Please file an issue on this on the Wireshark issues list.

Guy Harris ( 2023-07-05 19:14:41 +0000 )edit

I will share the files when I get my other pc back. Also the issue might come from how the log file is created in C++, it might not be directly related to LF/CRLF, I will do more test when I have some time.

Stew4690 ( 2023-07-06 06:50:17 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

gRPC traffic dissector with TLSv1.3

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

gRPC traffic dissector with TLSv1.3 edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

gRPC traffic dissector with TLSv1.3