Revision history [back]

Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is configured with pre-shared key as described in the documentation in https://www.zabbix.com/documentation/4.0/manual/encryption/using_pre_shared_keys .

I have configured Wireshark 3.2.1 (or tshark 3.2.1) to use the configured TLS PSK. I'm not able to see the traffic unencrypted however. What am I missing here?

The example capture file is in https://my.syncplicity.com/share/daz6amx79kbifij/zabbix-tls-agent. The PSK is "dac86d7afb589557e876f16b59b8b5b4". PSK Identity is "psk" in Zabbix but I don't think that's relevant for TLS decryption in Wireshark. (It is shown plaintext in frame 4 in tls.handshake.extensions.psk.identity.identity anyway)

For example:

tshark -r zabbix-tls-agent.pcap -Y "frame.number==28" -V -O tls -o tls.psk:dac86d7afb589557e876f16b59b8b5b4

Frame 28: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: VMware_fa:68:50 (00:0c:29:fa:68:50), Dst: VMware_3e:95:31 (00:0c:29:3e:95:31)
Internet Protocol Version 4, Src: 192.168.7.10, Dst: 192.168.7.12
Transmission Control Protocol, Src Port: 60130, Dst Port: 10050, Seq: 433, Ack: 407, Len: 24
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Application Data
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 6e493a8a471ddd55eb82d095f02d88e037db62

What puzzles me is the output of "tshark -G userprefs":

# Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.
# A string
#tls.psk:

Where is that 16-byte limit coming from?

Markku

Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is configured with pre-shared key as described in the documentation in https://www.zabbix.com/documentation/4.0/manual/encryption/using_pre_shared_keys .

I have configured Wireshark 3.2.1 (or tshark 3.2.1) to use the configured TLS PSK. I'm not able to see the traffic unencrypted however. What am I missing here?

The example capture file is in https://my.syncplicity.com/share/daz6amx79kbifij/zabbix-tls-agent. The PSK is "dac86d7afb589557e876f16b59b8b5b4". PSK Identity is "psk" in Zabbix but I don't think that's relevant for TLS decryption in Wireshark. (It is shown plaintext in frame 4 in tls.handshake.extensions.psk.identity.identity anyway)

For example:

tshark -r zabbix-tls-agent.pcap -Y "frame.number==28" -V -O tls -o tls.psk:dac86d7afb589557e876f16b59b8b5b4

Frame 28: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: VMware_fa:68:50 (00:0c:29:fa:68:50), Dst: VMware_3e:95:31 (00:0c:29:3e:95:31)
Internet Protocol Version 4, Src: 192.168.7.10, Dst: 192.168.7.12
Transmission Control Protocol, Src Port: 60130, Dst Port: 10050, Seq: 433, Ack: 407, Len: 24
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Application Data
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 6e493a8a471ddd55eb82d095f02d88e037db62

What puzzles me as well is the output of "tshark -G userprefs":

# Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.
# A string
#tls.psk:

Where is that 16-byte limit coming from?

Update: TLS debug file (-o tls.debug_file:debug.txt) says:

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 312
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 307, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 303 bytes
Calculating hash with offset 5 307
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 258
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 161, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 157 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1303 TLS_CHACHA20_POLY1305_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
  record: offset = 166, reported_length_remaining = 92
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 172, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 23, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 200, reported_length_remaining = 58
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 53, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

where "tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible" looks important. What does it mean in practice, is there something that can be done about it?

Also the numerous "decrypt_ssl3_record: no decoder available" messages look meaningful.

Markku