TLS/SSL - Should this be decryptable?
Hi All,
I'm trying to troubleshoot an application issue, but the application talks over TLS on a non-standard port. I think this traffic should be decryptable by Wireshark as it isn't ephemeral DH (i.e. doesn't say DHE in the cipher suite spec, just DH instead) but maybe that can't be decrypted with an RSA key either?
I have the server side private key available, uploaded in PEM.
The SSL debug has some suspicious lines in it, can't work out if it's because it's not possible in Wireshark, or if I screwed up my setup somewhere?
- decrypt_ssl3_record: no decoder available
- ssl_set_cipher found CIPHER 0x003A TLS_DH_anon_WITH_AES_256_CBC_SHA -> state 0x17
- ssl_load_keyfile dtls/ssl.keylog_file is not configured!
The capture is taken from the very start of the handshake, frame 24 is client hello, frame 26 is server hello + key exchange etc.
Any ideas if this is just not possible to read in Wireshark, or have I misconfigured something? Would this be using forward secrecy and therefore need an ssl.keylog (which, unlike browsers, the application has no convenient way of getting at as far as I know)...?
dissect_ssl enter frame #24 (first time)
packet_from_server: is from server - FALSE
conversation = 0000023FCDC30480, ssl_session = 0000023FCDC310B0
record: offset = 0, reported_length_remaining = 58
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 53, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 49 bytes, remaining 58
Calculating hash with offset 5 53
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #26 (first time)
packet_from_server: is from server - TRUE
conversation = 0000023FCDC30480, ssl_session = 0000023FCDC310B0
record: offset = 0, reported_length_remaining = 595
ssl_try_set_version found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 53, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58
ssl_try_set_version found version 0x0301 -> state 0x11
Calculating hash with offset 5 53
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0x003A TLS_DH_anon_WITH_AES_256_CBC_SHA -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_load_secret TLS version 0x301 is not 1.3
tls13_load_secret TLS version 0x301 is not 1.3
record: offset = 58, reported_length_remaining = 537
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 523, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 63 length 519 bytes, remaining 586
Calculating hash with offset 63 523
record: offset = 586, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 591 length 0 bytes, remaining 595
Calculating hash with offset 591 4
Have you checked this?
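
A triage of the debug log quoted in the question, as an added example that is not part of the original thread and is not Wireshark code: it pulls the negotiated suite and the handshake message types out of the log and reports whether an RSA private key alone can recover the session keys, which holds only for suites with plain RSA key exchange. The sample lines are excerpted from the log above, and the function and field names are hypothetical.

```python
import re

# Sample input: a few lines excerpted from the debug log posted above.
SAMPLE_LOG = """\
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 49 bytes, remaining 58
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 49 bytes, remaining 58
ssl_set_cipher found CIPHER 0x003A TLS_DH_anon_WITH_AES_256_CBC_SHA -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
dissect_ssl3_handshake iteration 1 type 12 offset 63 length 519 bytes, remaining 586
dissect_ssl3_handshake iteration 1 type 14 offset 591 length 0 bytes, remaining 595
"""

CIPHER_RE = re.compile(r"ssl_set_cipher found CIPHER (0x[0-9A-Fa-f]{4}) (\S+)")
HS_TYPE_RE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+) ")
CERTIFICATE, SERVER_KEY_EXCHANGE = 11, 12  # TLS handshake message types


def key_exchange(suite):
    """Key-exchange part of an IANA suite name, e.g. 'DH_anon' or 'RSA'."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    return m.group(1) if m else "unknown"


def triage(log_text):
    """Summarise what the debug log says about how the session can be decrypted."""
    ciphers = CIPHER_RE.findall(log_text)
    if not ciphers:
        return {"suite": None}
    code, suite = ciphers[-1]  # the last match is the suite finally selected
    kx = key_exchange(suite)
    hs_types = {int(t) for t in HS_TYPE_RE.findall(log_text)}
    return {
        "suite": suite,
        "code": code,
        "key_exchange": kx,
        # Only plain RSA key exchange sends the premaster secret encrypted to
        # the server's RSA key, so only then can an RSA private key recover it.
        "rsa_key_sufficient": kx == "RSA",
        "certificate_seen": CERTIFICATE in hs_types,
        "server_key_exchange_seen": SERVER_KEY_EXCHANGE in hs_types,
        "keylog_missing_reported": "keylog_file is not configured" in log_text,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reports a `DH_anon` key exchange with a ServerKeyExchange (type 12) and no Certificate message (type 11), so the uploaded RSA key takes no part in the key exchange.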