Can't decrypt TLSv1.3

I followed the instructions in https://wiki.wireshark.org/TLS. Unfortunately, my session does not decode.

I am using Wireshark 3.6.1 on Windows 10.

I've tried using: Chrome Version 97.0.4692.99 (Official Build) (64-bit) and Firefox 96.0.3 (64-bit).

I am setting the environment variable from a script as suggested, and I can see that the file is created when the browser start script is run.

Here is the excerpt from the logfile that seems to be relevant:

#2027 is the client hello immediately after the TCP handshake completes.
#2030 is the server hello.
#2034 shows application data.

Any suggestions would be gratefully received.

dissect_ssl enter frame #2027 (first time)
packet_from_server: is from server - FALSE
  conversation = 00000236BB6CF320, ssl_session = 00000236BB6D07C0
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 512, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes
Calculating hash with offset 5 512
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #2030 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000236BB6CF320, ssl_session = 00000236BB6D07C0
  record: offset = 0, reported_length_remaining = 1414
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 122, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 118 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1301 TLS_AES_128_GCM_SHA256 -> state 0x97
trying to use TLS keylog in C:\Users\ptcro\Documents\Wireshark\keylogfile.txt
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET 66b6f23776dc56679574d74c9fbcff5937db50859e66494269c7328e64627a98 280a7cba7701a3ec4c9dcee63c1ac612e25db29bc76aa8cd8dc9f053e62800b5
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET 66b6f23776dc56679574d74c9fbcff5937db50859e66494269c7328e64627a98 2c5fe95616deb0200d8e156d54e392b0233debfea38e1099782acca007ebc71e
    matched server_handshake
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 66b6f23776dc56679574d74c9fbcff5937db50859e66494269c7328e64627a98 1323e0b35ada89c6b4757f0e8cc20a770b4cc8b1e2563d7ea11736c269399621
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 66b6f23776dc56679574d74c9fbcff5937db50859e66494269c7328e64627a98 e428d0f2c506211e48f088d7ad87f583dd4e44a6f3a7f044050ee29cb109e88e
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 66b6f23776dc56679574d74c9fbcff5937db50859e66494269c7328e64627a98 328f323ad2033fd0ffd85e68d10d366d60ec7cee2dd7b248af48ad01d7b9d27e
    matched exporter
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
  record: offset = 127, reported_length_remaining = 1287
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 133, reported_length_remaining = 1281
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 36, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 174, reported_length_remaining = 1240
  need_desegmentation: offset = 174, reported_length_remaining = 1240

dissect_ssl enter frame #2034 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000236BB6CF320, ssl_session = 00000236BB6D07C0
  record: offset = 0, reported_length_remaining = 5001
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 4996, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
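
Added example, not part of the original post: NSS key log lines are keyed by the Client Random, so one check for a capture like this is whether the key log file holds all four TLS 1.3 traffic secrets for the Random of the captured Client Hello. The function names and sample values below are constructed for illustration, and the client random is assumed to be copied by hand from the Client Hello frame in the capture.

```python
import re

# TLS 1.3 labels from the NSS key log format needed to decrypt a full session.
TLS13_LABELS = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
)
# <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def index_keylog(text):
    """Return ({client_random: {label: secret}}, [line numbers that do not parse])."""
    sessions, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("\ufeff")  # tolerate a UTF-8 BOM on line 1
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(lineno)
            continue
        label, client_random, secret = m.groups()
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions, malformed


def missing_tls13_labels(sessions, client_random):
    """List the TLS 1.3 labels the key log lacks for this Client Random."""
    key = client_random.replace(":", "").replace(" ", "").lower()
    have = sessions.get(key, {})
    return [label for label in TLS13_LABELS if label not in have]


# Constructed sample (hypothetical values, not the poster's key log).
R1, R2, R3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R1} {'a1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R1} {'a2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R1} {'a3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R1} {'a4' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R2} {'b4' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R3[:40]} {'c1' * 32}",  # truncated random
])

if __name__ == "__main__":
    sessions, malformed = index_keylog(SAMPLE)
    for name, rnd in (("complete", R1), ("partial", R2), ("absent", R3)):
        print(name, missing_tls13_labels(sessions, rnd) or "all secrets present")
    print("malformed lines:", malformed)
```
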
