How to decrypt WebRTC with Diffie-Hellman?

asked 2019-05-29 11:51:55 +0000

majgab8852

I originally asked this question on another forum, but was redirected here; maybe someone here can help me. Here is the original question, so that there is no need for me to retype it:

https://security.stackexchange.com/qu...

Please take a look; the currently one and only answer, from 'blabla_trace', suggested I try my luck here as well.

1 Answer

answered 2019-05-29 22:02:03 +0000

SYN-bit

I see no problem with the decryption:

$ tshark -o tls.keylog_file:ssl-keys.log -r wireshark.pcapng -Y "tls.record.content_type in {20..22}" -T fields -e tcp.stream -e frame.number -e _ws.col.Info | sort -n
11  63  Client Hello
11  65  Server Hello, Change Cipher Spec, Encrypted Extensions, Finished
11  66  Change Cipher Spec, Finished
11  70  SETTINGS[0], WINDOW_UPDATE[0]
18  111 Client Hello
18  172 Server Hello, Certificate, Server Hello Done
18  182 Alert (Level: Fatal, Description: Certificate Unknown)
19  112 Client Hello
19  151 Server Hello, Certificate, Server Hello Done
19  162 Alert (Level: Fatal, Description: Certificate Unknown)
20  116 Client Hello
20  194 Server Hello, Certificate, Server Hello Done
20  209 Alert (Level: Fatal, Description: Certificate Unknown)
21  210 Client Hello
21  273 Server Hello, Certificate, Server Hello Done
21  276 Client Key Exchange, Change Cipher Spec, Finished
21  298 Change Cipher Spec
21  374 Finished
22  219 Client Hello
22  259 Server Hello, Certificate, Server Hello Done
22  260 Client Key Exchange, Change Cipher Spec, Finished
22  313 Change Cipher Spec
22  373 Finished
23  224 Client Hello
23  292 Server Hello, Certificate, Server Hello Done
23  294 Client Key Exchange, Change Cipher Spec, Finished
23  349 Change Cipher Spec
23  380 Finished
24  1923    Client Hello
24  1925    Server Hello
24  1926    Alert (Level: Fatal, Description: Certificate Unknown)
24  1930    Change Cipher Spec, Finished
25  1942    Client Hello
25  1947    Server Hello
25  2059    Change Cipher Spec, Finished
25  2060    Change Cipher Spec, Finished
25  4955    Alert (Level: Warning, Description: Close Notify)
34  2378    Client Hello
34  2381    Server Hello
34  2382    Alert (Level: Fatal, Description: Certificate Unknown)
34  2384    Change Cipher Spec, Finished
35  2389    Client Hello
35  2392    Server Hello
35  2398    Change Cipher Spec, Finished
35  2399    Change Cipher Spec, Finished
35  4936    Alert (Level: Warning, Description: Close Notify)
36  3053    Encrypted Alert
$

All TLS sessions that have a TLS handshake are decrypted, as can be seen by the "finished" handshake message at the end of each TLS handshake.

However, traffic on port 8443 is not automatically dissected as HTTP once it is decrypted. You need to add 8443 to the "SSL/TLS Ports" list in the HTTP protocol preferences.

Comments

After adding 8443 to HTTPS list, I am now able to decrypt HTTPS traffic between my laptop and the application server hosting the webpage which is used to launch WebRTC calls. So for TCP, it's all fine. I'm still not sure about UDP though. The logs you mention say it decrypts everything it can, but it seems it is unable to decrypt all. For my new capture, I can see this:

ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 97
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret

ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random

ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random

And ...(more)

majgab8852 ( 2019-05-30 13:55:30 +0000 )

Do I understand your SE post correctly that you would like to decrypt the RTP session on UDP port 16004? The DTLS client-hello has a random value that is not listed in your ssl-keys.log file. Is the WebRTC played with a plugin in Chrome? If so, it might not support the SSLKEYLOGFILE variable to log pre-master secrets to.

You will need to fix the logging of the pre-master secret for the DTLS sessions of the WebRTC player first before Wireshark is able to decrypt anything for this session.

SYN-bit ( 2019-05-30 14:36:58 +0000 )
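
The check described in the comment above (is each Client Hello random present in the key log file?), as an added example that is not part of the original thread. It assumes the randoms were exported one per line as `session<TAB>hex random` (for instance from tshark's `tls.handshake.random` and `dtls.handshake.random` fields); the function names, session labels and sample values are constructed.

```python
import re

# Key log labels whose second field is the Client Hello random.
RANDOM_KEYED = {
    "CLIENT_RANDOM",  # TLS <= 1.2 and DTLS: random -> master secret
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",  # TLS 1.3
}
HEX_RANDOM = re.compile(r"[0-9a-f]{64}")  # 32-byte random as hex

def normalize(value):
    # Lower-case a hex string and drop the colons some exports insert.
    return value.strip().replace(":", "").lower()

def keylog_randoms(keylog_text):
    """Return the set of client randoms that have a secret in the key log."""
    randoms = set()
    for line in keylog_text.splitlines():
        parts = line.split()
        # Skips comments, blanks, truncated lines and RSA lines (not keyed by random).
        if len(parts) == 3 and parts[0] in RANDOM_KEYED:
            rnd = normalize(parts[1])
            if HEX_RANDOM.fullmatch(rnd):
                randoms.add(rnd)
    return randoms

def sessions_without_keys(hello_rows, keylog_text):
    """hello_rows: 'session<TAB>client_random' lines; return sessions with no key."""
    known = keylog_randoms(keylog_text)
    missing = []
    for row in hello_rows.splitlines():
        fields = row.split("\t")
        if len(fields) >= 2 and normalize(fields[1]) not in known:
            missing.append(fields[0].strip())
    return missing

# Constructed sample data (not taken from the capture discussed above).
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed)",
    "CLIENT_RANDOM " + "11" * 32 + " " + "ab" * 48,
    "CLIENT_RANDOM " + "22" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "33" * 16,  # truncated line, ignored
])
SAMPLE_HELLOS = "\n".join([
    "tcp:21\t" + "11" * 32,
    "tcp:22\t" + ":".join(["22"] * 32),  # colon-separated export
    "udp:0\t" + "44" * 32,               # DTLS hello, never logged
])

if __name__ == "__main__": print(sessions_without_keys(SAMPLE_HELLOS, SAMPLE_KEYLOG))
```

Any session this reports has no secret in the key log, so the logging on the client side has to be fixed before the capture can be decrypted.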

Stats

Asked: 2019-05-29 11:51:55 +0000

Seen: 1,814 times

Last updated: May 29 '19