Unsuccessful decryption of TLS v1.2.

asked 2018-06-04 18:39:33 +0000


Hi. I'm running Wireshark 2.6.1. I have a small .pcap that includes 26 packets: a TCP handshake, a "full" SSL session creation sequence (no session reuse, and including the Client Key Exchange), plus 6 Application Data packets.

I have configured my SSL preferences for decryption, but Wireshark does not decrypt the Application Data packets.

I was given a .pfx file "alleged" to be the right one, but I have my doubts. I have looked at the SSL Debug log, hoping to prove that the .pfx is the wrong one, but I'm unable to tell why the decryption attempt failed - I'm just not that skilled in interpreting those log files (yet!).

I apologize in advance, but I'm very reluctant to attach the trace file itself, due to very strict security constraints at my firm. But I will attach the SSL Debug log. And I will also mention that the Client Key Exchange is in frame 11.

2 questions...

Is the attached SSL Debug log enough for someone on this forum to diagnose why decryption failed?

Is there documentation on the many SSL Debug log messages, which would help me to get better at answering this type of question myself?

Thanx much. [attachment: SSLDebugCLEANSED.txt]

I have more information that may confirm my suspicion that I was given the wrong .PFX. Here it is...

I used OpenSSL to convert the .PFX to a .CER. Inspecting that, I see that the "friendlyName" is x.y.z.com. Then, in Wireshark, I looked at the Packet Bytes for the Client Hello, and I find w.y.z.com. Can someone confirm that this proves that I was given the wrong .PFX?

Also... Is there a message in the SSL Debug log that would also have proved the same thing?



feenyman99 (2018-06-05 11:19:56 +0000)
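The friendlyName in the .pfx and the server name in the Client Hello are both labels; what decides whether Wireshark can decrypt an RSA key exchange is whether the .pfx private key belongs to the certificate the server actually sent in its Certificate handshake message. The script below is an added example (not the poster's or Wireshark's code) that pulls the SNI out of a ClientHello record, pulls the leaf certificate out of a Certificate record, and compares its SHA-256 fingerprint with the DER certificate from the .pfx. It assumes the .pfx certificate was exported with `openssl pkcs12 -in file.pfx -nokeys -clcerts | openssl x509 -outform DER`, that the record bytes were copied from Wireshark's Packet Bytes pane, and uses constructed sample records so it runs offline.

```python
import hashlib
import struct
def client_hello_sni(record):
    """Return server_name from a TLS record carrying a ClientHello, else None."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 5 + 4 + 2 + 32                                # record hdr, hs hdr, version, random
    p += 1 + record[p]                                # session id
    p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher suites
    p += 1 + record[p]                                # compression methods
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, p)
        p += 4
        if ext_type == 0:                             # server_name extension (RFC 6066)
            name_len = struct.unpack_from("!H", record, p + 3)[0]  # skip list len, name type
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

def leaf_certificate(record):
    """Return DER bytes of the first certificate in a TLS Certificate record."""
    assert record[0] == 0x16 and record[5] == 0x0B, "not a Certificate record"
    # record hdr(5) + hs hdr(4) + certificate list len(3), then first cert len(3)
    return record[15:15 + int.from_bytes(record[12:15], "big")]

def pfx_matches_capture(pfx_cert_der, certificate_record):
    """True only when the .pfx holds the certificate the server actually sent."""
    return (hashlib.sha256(pfx_cert_der).digest()
            == hashlib.sha256(leaf_certificate(certificate_record)).digest())

# Constructed sample records (not from any real capture) so this runs offline.
def build_client_hello(sni):
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_certificate(leaf_der):
    certs = len(leaf_der).to_bytes(3, "big") + leaf_der
    body = len(certs).to_bytes(3, "big") + certs
    hs = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    server_der = b"FAKE-DER-for-w.y.z.com"            # stand-in for the real certificate
    print(client_hello_sni(build_client_hello("w.y.z.com")))                              # w.y.z.com
    print(pfx_matches_capture(b"FAKE-DER-for-x.y.z.com", build_certificate(server_der)))  # False
```

A mismatch here is conclusive for RSA key exchange; a match but still no decryption points elsewhere (for example a DHE/ECDHE cipher suite, where the server key never helps).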