Ask Your Question
0

VoIP TLS Sessions are not decrypted, even with private Key

asked 2018-06-28 13:53:34 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I'm trying to decrypte a SBC vs. Skype for Business (MediationServer) connection. The Server Private Key is loaded into wireshark and SSL ist set to IP Address of the Server (SBC) --> SBC is The Server, because the TLS Handshake starts with a Client Hello form Skype for Business.

The Debugfile is attached --> Is pasted below...

Skype for Business uses Port 5067 (SIP Trunk) but still I cannot decrypt the File. Did I do something wrong?

I have installed Wireshark V2.6.1


******************************************************************
Wireshark SSL debug log 

Wireshark version: 2.6.1 (v2.6.1-0-g860a78b3)
GnuTLS version:    3.4.11
Libgcrypt version: 1.7.6

KeyID[20]:
| b5 26 c9 74 2e a0 dx cx bx 1x 2x 26 6f 18 18 62 |.&.t......'&o..b|
| 3e x7 54 90                                     |>.T.            |
ssl_init private key file C:xxxxxxxx/test.pem successfully loaded.

dissect_ssl enter frame #3 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000270F64E4B50, ssl_session = 00000270F64E5560
  record: offset = 0, reported_length_remaining = 174
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 169, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 165 bytes, remaining 174 
Calculating hash with offset 5 169
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000270F64E4B50, ssl_session = 00000270F64E5560
  record: offset = 0, reported_length_remaining = 1460
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 49, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 45 bytes, remaining 54 
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 49
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
  record: offset = 54, reported_length_remaining = 1406
  need_desegmentation: offset = 54, reported_length_remaining = 1406

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000270F64E4B50, ssl_session = 00000270F64E5560
  record: offset = 0, reported_length_remaining = 4177
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4172, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 4168 bytes, remaining 4177 
Calculating hash with offset 5 4172
lookup(KeyID)[20]:
| 13 16 e1 a5 3c 5b 84 5c 57 06 03 09 61 98 26 65 |....<[.\W...a.&e|
| 81 ed f3 2c                                     |...,            |
ssl_find_private_key_by_pubkey: lookup result: 0000000000000000

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000270F64E4B50, ssl_session = 00000270F64E5560
  record: offset = 0, reported_length_remaining = 149
  need_desegmentation: offset = 0, reported_length_remaining = 149

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000270F64E4B50, ssl_session = 00000270F64E5560
  record: offset = 0, reported_length_remaining = 532
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 527, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-06-28 17:54:19 +0000

Jaap gravatar image

Well, this part sticks out like a sore thumb:

ssl_set_cipher found CIPHER 0x009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
edit flag offensive delete link more

Comments

I think I get it... The Problem is that DHE ( ephemeral Diffie-Hellman ) is selected. To do the decryption, I have to get the Master secret. Now how di I get that from the Skype for Business Mediationserver?

RL79 gravatar imageRL79 ( 2018-06-28 18:46:29 +0000 )edit

That would a question for another forum I'm afraid.

Jaap gravatar imageJaap ( 2018-06-28 19:43:15 +0000 )edit

Hi,

Did you succeed decrypting sip tls traffic with skype for business and wireshark? i need help regarding this.

Pape

jasonbourne gravatar imagejasonbourne ( 2024-04-18 08:58:42 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-06-28 13:53:34 +0000

Seen: 770 times

Last updated: Apr 18