Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2021-06-01 16:13:47 +0000

Const gravatar image

Cannot decrypt HTTP over TLS

I tried to configure Wireshark according to https://wiki.wireshark.org/TLS to decrypt HTTPS but it doesn't work.

I extracted private key from the certificate as a PEM file and added it via Edit -> Preferences -> RSA Keys. I'm using cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256. But when I open pcap file the encrypted data remains encrypted.

The traces are collected on the client side. I can see Client Hello and Server Hello, I see the selected cipher suite but after that there is only Application Data instead of decoded HTTP.

Wireshark SSL debug log

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0) GnuTLS version: 3.6.3 Libgcrypt version: 1.8.3

dissect_ssl enter frame #4 (first time) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 161 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 156, ssl state 0x00 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes Calculating hash with offset 5 156 ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 90 ssl_try_set_version found version 0x0303 -> state 0x91 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 85, ssl state 0x91 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes ssl_try_set_version found version 0x0303 -> state 0x91 Calculating hash with offset 5 85 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 ssl_set_cipher found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x97 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret TLS version 0x303 is not 1.3 tls13_load_secret TLS version 0x303 is not 1.3

dissect_ssl enter frame #8 (first time) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec decrypt_ssl3_record: app_data len 1, ssl state 0x197 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available ssl_dissect_change_cipher_spec Session resumption using Session ID ssl_load_keyfile dtls/tls.keylog_file is not configured! ssl_finalize_decryption state = 0x197 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't restore master secret using an empty Session Ticket ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - TRUE ssl_change_cipher SERVER

dissect_ssl enter frame #10 (first time) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 85 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 80, ssl state 0x197 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #12 (first time) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec decrypt_ssl3_record: app_data len 1, ssl state 0x197 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available ssl_load_keyfile dtls/tls.keylog_file is not configured! ssl_finalize_decryption state = 0x197 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - FALSE ssl_change_cipher CLIENT

dissect_ssl enter frame #13 (first time) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 85 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 80, ssl state 0x197 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #14 (first time) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 464, ssl state 0x197 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #15 (first time) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 1189 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1184, ssl state 0x197 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #18 (first time) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 501 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 496, ssl state 0x197 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #19 (first time) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 64, ssl state 0x197 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #22 (first time) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 00000214164CA590 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 64, ssl state 0x197 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 161 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes

dissect_ssl enter frame #6 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 90 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes

dissect_ssl enter frame #8 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #10 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 85 dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #12 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #13 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 85 dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #14 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #15 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1189 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #18 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 501 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #19 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #22 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #4 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 161 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes

dissect_ssl enter frame #6 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 90 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes

dissect_ssl enter frame #8 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #10 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 85 dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #12 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #13 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 85 dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #14 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #15 (already visited) packet_from_server: is from server - FALSE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1189 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #18 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 501 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #19 (already visited) packet_from_server: is from server - TRUE conversation = 00000214164C9A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 69 dissect_ssl3_record: content_type 21 Alert

click to hide/show revision 2
None

updated 2021-06-01 16:39:28 +0000

grahamb gravatar image

Cannot decrypt HTTP over TLS

I tried to configure Wireshark according to https://wiki.wireshark.org/TLS to decrypt HTTPS but it doesn't work.

I extracted private key from the certificate as a PEM file and added it via Edit -> Preferences -> RSA Keys. I'm using cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256. But when I open pcap file the encrypted data remains encrypted.

The traces are collected on the client side. I can see Client Hello and Server Hello, I see the selected cipher suite but after that there is only Application Data instead of decoded HTTP.

Wireshark SSL debug log 
 
 Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3
 
1.8.3


dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 156, ssl state 0x00
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes
Calculating hash with offset 5 156
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01
 
0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 90
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 85, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 85
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
 
1.3

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/tls.keylog_file is not configured!
ssl_finalize_decryption state = 0x197
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
 
SERVER

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 80, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
ssl_load_keyfile dtls/tls.keylog_file is not configured!
ssl_finalize_decryption state = 0x197
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
 
CLIENT

dissect_ssl enter frame #13 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 80, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 469
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 464, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #15 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 1189
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1184, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 501
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 496, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 64, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 64, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
 
available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes
 
bytes

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 90
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes
 
bytes

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
 
Spec

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
 
Handshake

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
 
Spec

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
 
Handshake

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 469
dissect_ssl3_record: content_type 23 Application Data
 
Data

dissect_ssl enter frame #15 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1189
dissect_ssl3_record: content_type 23 Application Data
 
Data

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 501
dissect_ssl3_record: content_type 23 Application Data
 
Data

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
 
Alert

dissect_ssl enter frame #22 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
 
Alert

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes
 
bytes

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 90
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes
 
bytes

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
 
Spec

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
 
Handshake

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
 
Spec

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
 
Handshake

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 469
dissect_ssl3_record: content_type 23 Application Data
 
Data

dissect_ssl enter frame #15 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1189
dissect_ssl3_record: content_type 23 Application Data
 
Data

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 501
dissect_ssl3_record: content_type 23 Application Data
 
Data

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
Alert

Cannot decrypt HTTP over TLS

I tried to configure Wireshark according to https://wiki.wireshark.org/TLS to decrypt HTTPS but it doesn't work.

I extracted private key from the certificate as a PEM file and added it via Edit -> Preferences -> RSA Keys. I'm using cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256. But when I open pcap file the encrypted data remains encrypted.

The traces are collected on the client side. I can see Client Hello and Server Hello, I see the selected cipher suite but after that there is only Application Data instead of decoded HTTP.

EDIT: On the provided link I noticed this statement:

"The private key matches the server certificate. It does not work with the client certificate, nor the Certificate Authority (CA) certificate."

What does it mean? The private key I'm using is extracted from the client certificate. Can it be an issue? I don't have access to the server private key.

Wireshark SSL debug log 

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3


dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 156, ssl state 0x00
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes
Calculating hash with offset 5 156
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 90
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 85, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 85
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/tls.keylog_file is not configured!
ssl_finalize_decryption state = 0x197
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 80, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
ssl_load_keyfile dtls/tls.keylog_file is not configured!
ssl_finalize_decryption state = 0x197
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #13 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 80, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 469
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 464, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #15 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 1189
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1184, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 501
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 496, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 64, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 64, ssl state 0x197
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 90
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 469
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #15 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1189
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 501
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #22 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 90
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 469
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #15 (already visited)
packet_from_server: is from server - FALSE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1189
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 501
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 21 Alert
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2