Changing the tls dissector

asked 2024-07-08 20:29:50 +0000 by Prakash

updated 2024-07-08 21:01:05 +0000 by Chuckc

I have a pcap file for TLS 1.2. When I try to decrypt it, by default it takes 1.3. How do I change the dissector to 1.2?

 dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
  conversation = 000001B5EF40A090, ssl_session = 000001B5EF40AC00
  record: offset = 0, reported_length_remaining = 1218
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1162, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 1158 bytes
Calculating hash with offset 5 1162
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
  record: offset = 1167, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x497
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
trying to use TLS keylog in C:\Users\Jumpbox1\Desktop\cakey670.pem
ssl_load_keyfile failed to open SSL keylog
ssl_finalize_decryption state = 0x497
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER (No decoder found - retransmission?)
  record: offset = 1173, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x497
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

Comments

How are you collecting the keys and telling Wireshark how to use them?

trying to use TLS keylog in C:\Users\Jumpbox1\Desktop\cakey670.pem
ssl_load_keyfile failed to open SSL keylog
Chuckc ( 2024-07-08 21:08:58 +0000 )

Based on the documentation, the keylog file is needed for 1.3. I am using TLS 1.2. It is fixed; I cannot make changes to the code. So is there a way to decrypt without a key log file?

Prakash ( 2024-07-09 12:41:25 +0000 )

How do I get a key file for TLS 1.2? I have the certificates; is there a way to generate a key log file?

Prakash ( 2024-07-09 13:04:59 +0000 )

The Wireshark wiki (Transport Layer Security (TLS)) explains where which keys can be used and how to capture a Key log file.

Chuckc ( 2024-07-09 13:14:25 +0000 )

I am decrypting a non-web-based application. In the packet capture, it throws the error "There are no TLS Session Keys to save".

Prakash ( 2024-07-09 17:06:40 +0000 )
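
The debug log in the question shows the TLS key log setting pointing at a `.pem` path, the load failing, and no master secret being found by Client Random. As an added example (not part of the thread and not Wireshark's code), this Python check tells whether a file's text is in the NSS key log format and whether it holds a TLS 1.2 `CLIENT_RANDOM` entry for a given Client Random; the function names and sample values are constructed for illustration.

```python
import re

# NSS key log line formats (general facts about the format, not from the thread):
#   CLIENT_RANDOM <64 hex client random> <96 hex master secret>   (TLS 1.2 and earlier)
#   <TLS 1.3 label> <64 hex client random> <hex secret>
# The legacy "RSA ..." line type is not handled and is counted as a bad line.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def inspect_keylog(text):
    """Classify the text of a file configured as the TLS key log file."""
    if "-----BEGIN " in text:  # PEM armor: a certificate or key, not a key log
        return {"kind": "pem", "tls12": set(), "tls13": set(), "bad_lines": 0}
    tls12, tls13, bad = set(), set(), 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == TLS12_LABEL and len(m.group(3)) == 96:
            tls12.add(m.group(2).lower())
        elif m and m.group(1) in TLS13_LABELS:
            tls13.add(m.group(2).lower())
        else:
            bad += 1
    kind = "keylog" if (tls12 or tls13) else "unknown"
    return {"kind": kind, "tls12": tls12, "tls13": tls13, "bad_lines": bad}


def can_decrypt_tls12(text, client_random_hex):
    """True if the key log holds a TLS 1.2 master secret for this Client Random."""
    return client_random_hex.lower() in inspect_keylog(text)["tls12"]


# Constructed sample inputs (not real keys, not taken from the thread).
SAMPLE_RANDOM = "ab" * 32
SAMPLE_KEYLOG = "# constructed sample\nCLIENT_RANDOM " + SAMPLE_RANDOM + " " + "cd" * 48 + "\n"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(inspect_keylog(SAMPLE_PEM)["kind"])
    print(can_decrypt_tls12(SAMPLE_KEYLOG, SAMPLE_RANDOM))
```

The Client Random to pass in is the one shown in the ClientHello of the capture being decrypted.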