Ask Your Question

Revision history [back]

Unable to decrypt TLS using (Pre)-Master-Secret log and/or RSA Keys

I need to decrypt the exchanged data (TLSv1.2 packets with Diffie-Hellman key exchange) between two Web API on the same web server. I have executed all the steps described in the following article: https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/

I have tried using only the (Pre)-Master-Secret log, using only the RSA Keys and using both at the same time, but the result is always the same: at the Packet byte view the tabs underneath the view are not displayed. The Decrypted SSL data and the Uncompressed entity body tabs are not displayed as you can see in the following image:

image description

While I was expecting to see the tabs like those in the following image:

image description

In the SSL debug log file there is the following error:

dissect_ssl frame #93 (first time) 
packet_from_server: is from server - TRUE 
  conversation = 0E4B2598, ssl_session = 0E4B2C50 
  record: offset = 0, reported_length_remaining = 145 
ssl_try_set_version found version 0x0303 -> state 0x91 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 89, ssl state 0x91 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 85 bytes 
ssl_try_set_version found version 0x0303 -> state 0x91 
Calculating hash with offset 5 89 
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97 
trying to use TLS keylog in C:\Temp\ssl-keys.log 
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET ... 
    matched client_handshake 
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET ... 
    matched server_handshake 
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 ... 
    matched client_appdata 
  checking keylog line: SERVER_TRAFFIC_SECRET_0 ... 
    matched server_appdata 
  checking keylog line: EXPORTER_SECRET ... 
    matched exporter 
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET ... 
    matched client_handshake 
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET ... 
    matched server_handshake 
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 ... 
    matched client_appdata 
  checking keylog line: SERVER_TRAFFIC_SECRET_0 ... 
    matched server_appdata 
  checking keylog line: EXPORTER_SECRET ... 
    matched exporter 
tls13_load_secret TLS version 0x303 is not 1.3 
tls13_load_secret TLS version 0x303 is not 1.3 
  record: offset = 94, reported_length_remaining = 51 
dissect_ssl3_record: content_type 20 Change Cipher Spec 
decrypt_ssl3_record: app_data len 1, ssl state 0x197 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
ssl_dissect_change_cipher_spec Session resumption using Session ID 
trying to use TLS keylog in C:\Temp\ssl-keys.log 
ssl_finalize_decryption state = 0x197 
ssl_restore_master_key can't find master secret by Session ID 
ssl_restore_master_key can't restore master secret using an empty Session Ticket 
ssl_restore_master_key can't find master secret by Client Random 
  Cannot find master secret 
packet_from_server: is from server - TRUE 
ssl_change_cipher SERVER (No decoder found - retransmission?) 
  record: offset = 100, reported_length_remaining = 45 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 40, ssl state 0x197 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

Unable to decrypt TLS using (Pre)-Master-Secret log and/or RSA Keys

I need to decrypt the exchanged data (TLSv1.2 packets with Diffie-Hellman key exchange) between two Web API on the same web server. I have executed all the steps described in the following article: https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/

I have tried using only the (Pre)-Master-Secret log, using only the RSA Keys and using both at the same time, but the result is always the same: at the Packet byte view the tabs underneath the view are not displayed. The Decrypted SSL data and the Uncompressed entity body tabs are not displayed as you can see in the following image:

image description

While I was expecting to see the tabs like those in the following image:

image description

In the SSL debug log file there is the following error:

dissect_ssl frame #93 (first time) 
packet_from_server: is from server - TRUE 
  conversation = 0E4B2598, ssl_session = 0E4B2C50 
  record: offset = 0, reported_length_remaining = 145 
ssl_try_set_version found version 0x0303 -> state 0x91 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 89, ssl state 0x91 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 85 bytes 
ssl_try_set_version found version 0x0303 -> state 0x91 
Calculating hash with offset 5 89 
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97 
trying to use TLS keylog in C:\Temp\ssl-keys.log 
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET ... 
    matched client_handshake 
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET ... 
    matched server_handshake 
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 ... 
    matched client_appdata 
  checking keylog line: SERVER_TRAFFIC_SECRET_0 ... 
    matched server_appdata 
  checking keylog line: EXPORTER_SECRET ... 
    matched exporter 
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET ... 
    matched client_handshake 
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET ... 
    matched server_handshake 
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 ... 
    matched client_appdata 
  checking keylog line: SERVER_TRAFFIC_SECRET_0 ... 
    matched server_appdata 
  checking keylog line: EXPORTER_SECRET ... 
    matched exporter 
tls13_load_secret TLS version 0x303 is not 1.3 
tls13_load_secret TLS version 0x303 is not 1.3 
  record: offset = 94, reported_length_remaining = 51 
dissect_ssl3_record: content_type 20 Change Cipher Spec 
decrypt_ssl3_record: app_data len 1, ssl state 0x197 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder 
decrypt_ssl3_record: no decoder available 
ssl_dissect_change_cipher_spec Session resumption using Session ID 
trying to use TLS keylog in C:\Temp\ssl-keys.log 
ssl_finalize_decryption state = 0x197 
ssl_restore_master_key can't find master secret by Session ID 
ssl_restore_master_key can't restore master secret using an empty Session Ticket 
ssl_restore_master_key can't find master secret by Client Random 
  Cannot find master secret 
packet_from_server: is from server - TRUE 
ssl_change_cipher SERVER (No decoder found - retransmission?) 
  record: offset = 100, reported_length_remaining = 45 
dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 40, ssl state 0x197 
packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

Thanks for your help.