decrypt tls 1.2 issue

(Windows Server 2019 + Wireshark v3.4.8-0-g3e1ffae201b8)

Trying to use the environment variable way to decrypt TLS 1.2 traffic. Unfortunately, whilst it can read and match keys, it has other issues. Debug log sample attached.

I already disabled Diffie-Hellman and all other weak ciphers. Rebooted...etc...

dissect_ssl enter frame #2495 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000028F24C4C580, ssl_session = 0000028F24C53240
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes
Calculating hash with offset 5 262
trying to use TLS keylog in C:\Wireshark_Logs\SSL_KEYDUMP.log
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
pre master encrypted[256]:
ssl_decrypt_pre_master_secret: RSA_private_decrypt
ssl_decrypt_pre_master_secret: decryption failed: -49 (No certificate was found.)
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
trying to use TLS keylog in C:\Wireshark_Logs\SSL_KEYDUMP.log
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT (No decoder found - retransmission?)
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
