TLSv1.2 traffic not getting decrypted

asked 2018-11-06 02:46:05 +0000

vik

updated 2018-11-06 17:09:33 +0000

grahamb

I have a tcpdump capture (pcap file) from a Linux server which is listening to requests on a port from a load balancer. I have the RSA load balancer/Linux keys. I configured Wireshark to decrypt SSL traffic:

0.0.0.0 <port number> http loadbalancer-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The cipher chosen by the server is - Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

ssl debug log

Is it because of TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384?

dissect_ssl enter frame #2439 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x11b094450, ssl_session = 0x11b094e80
  record: offset = 0, reported_length_remaining = 79
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 74
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3


dissect_ssl enter frame #2491 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x11b09dae0, ssl_session = 0x11b09e760
  record: offset = 0, reported_length_remaining = 86
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 81, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 81
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
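An added triage example (not part of the original post and not Wireshark's own code): it reads debug-log lines in the format shown above and reports, for each ServerHello frame, whether the negotiated key exchange is one that an RSA private key can decrypt. The function names and output fields are hypothetical; the sample lines are copied from the log in the question.

```python
import re

# Lines copied from the ssl debug log in the question (two ServerHello frames).
SAMPLE_LOG = """\
dissect_ssl enter frame #2439 (first time)
ssl_set_cipher found CIPHER 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
dissect_ssl enter frame #2491 (first time)
ssl_set_cipher found CIPHER 0xC028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
"""

FRAME_RE = re.compile(r"^dissect_ssl enter frame #(\d+)")
CIPHER_RE = re.compile(r"ssl_set_cipher found CIPHER (0x[0-9A-Fa-f]{4}) (TLS_\S+)")
KEYLOG_MISSING = "keylog_file is not configured"


def key_exchange(suite):
    """Return the key-exchange part of a TLS 1.2 suite name, e.g. 'ECDHE_RSA'."""
    return suite[len("TLS_"):].split("_WITH_", 1)[0]


def triage(log_text):
    """Map each ServerHello in the debug log to the key material it needs."""
    sessions, frame = [], None
    for line in log_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frame = int(m.group(1))
            continue
        m = CIPHER_RE.search(line)
        if m:
            kx = key_exchange(m.group(2))
            sessions.append({
                "frame": frame,
                "cipher_id": m.group(1),
                "key_exchange": kx,
                # Only plain RSA key exchange sends the premaster secret
                # encrypted to the server's RSA key; (EC)DHE does not.
                "rsa_key_usable": kx == "RSA",
                # Assumption: no "not configured" line means a key log was set.
                "keylog_configured": True,
            })
        elif KEYLOG_MISSING in line and sessions:
            sessions[-1]["keylog_configured"] = False
    return sessions


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        need = "RSA private key" if s["rsa_key_usable"] else "key log file"
        print(f"frame {s['frame']}: {s['cipher_id']} {s['key_exchange']} -> {need}")
```

Sessions reported as ECDHE or DHE need per-session secrets from a key log file (the `ssl.keylog_file` preference named in the log), because the RSA key only authenticates the handshake in those suites.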