Fail to decrypt proxied/tunneled TLS traffic?
Hi everyone, I'm working on some proxy protocol dissectors written in C. These proxy protocols mainly ship the normal TLS traffic as a tunnel. But I found that when I used the sslkeylog file, the TLS decryption would not work properly as normal. For example, I have a Socks 5 capture with TLS secret injected. When I disable Socks 5, the TLS decryption works fine, like (sorry my karma is not enough to post an image):
TLS Client Hello
TLS Server Hello
...following TLS handshake
HTTP Data <--- Successful decryption
...
However, if I selected Decode As Socks, the decryption failed as no secrets were provided.
Socks 5 Request
...following Socks 5 handshake
TLS Client Hello
...following TLS handshake
Encrypted Data <-- Nothing gets decrypted
...
The same thing happens for other proxy dissectors I write (I previously asked a similar question), and Socks 5 is implemented officially as a Wireshark built-in dissector. Therefore, I thought this might be some common issue for proxied/tunneled TLS traffic.
I wonder if there is something I could work around, or I missed some docs. Any suggestion is appreciated!
Wireshark Version is Version 4.2.5 (v4.2.5-0-g4aa814ac25a1).