Unable to decrypt HTTPS TLSv1.2 traffic with wireshark (sha1WithRSAEncryption)

duflar
1 ●1 ●1 ●2

am trying to debug a server-client app and can't get wireshark to decrypt the traffic.

I tried Wireshark 2.4.5 and 2.6.2
I started the capture before launching my client and can see "Not using Sesion resumption" in the wireshark log
Wireshark recognizes the cipher as 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384
I've verified that they public key passed to mbedtls is a match to the corresponding private key given to wireshark's SSL tool
I get 0/(nil) in ssl_find_private_key_by_pubkey: lookup_result in wireshark
All the "using server decoder messages" are followed by "no decoder available"

ideas?

Pascal Quantin
5831 ●63 ●65

You indeed seem to satisfy the required conditions to use RSA private key files:

TLS_RSA_WITH_AES_256_GCM_SHA384 uses a RSA key exchange (instead of a DH key exchange).
No session resumption is in use.
You have supposedly captured the full handshake (starting with the Client Hello).

Since lookup(KeyID) is followed by lookup result: (nil), it suggests that the private key was not correctly matched. Can you see lines such as:

ssl_init private key file /path/to/your/private.key successfully loaded.

Before that line, a KeyID is printed. Does that match with the lookup(KeyID) entry?

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

1 Answer