Wireshark 2.4.6 cannot decode SSL application data

I added the private key, and the private key works fine because it looks up the right KeyID.

ssl_association_remove removing UDP 6443 - handle 0x141e987b0
KeyID[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |

Calculating hash with offset 68 1181
lookup(KeyID)[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |

But Wireshark still cannot decode application data; here is the related debug info:

dissect_ssl enter frame #587 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 160
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 155, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 151 bytes, remaining 160
Calculating hash with offset 5 155
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #589 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 1669
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 58, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 58
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17
ssl_dissect_hnd_hello_ext_alpn: changing handle 0x0 to 0x141e98d30 (http2)ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
  record: offset = 63, reported_length_remaining = 1606
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1181, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 1177 bytes, remaining 1249
Calculating hash with offset 68 1181
lookup(KeyID)[20]:
| 2d c8 af 7b 07 5a fa b9 25 69 a6 1b 86 11 52 eb |-..{.Z..%i....R.|
| e3 36 8d d5                                     |.6..            |
ssl_find_private_key_by_pubkey: lookup result: 0x7fb883e5e000
  record: offset = 1249, reported_length_remaining = 420
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 300, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1254 length 296 bytes, remaining 1554
Calculating hash with offset 1254 300
  record: offset = 1554, reported_length_remaining = 115
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 101, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1559 length 97 bytes, remaining 1660
Calculating hash with offset 1559 101
  record: offset = 1660, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1665 length 0 bytes, remaining 1669
Calculating hash wit

dissect_ssl enter frame #591 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 105
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 7, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12
Calculating hash with offset 5 7
  record: offset = 12, reported_length_remaining = 93
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 37, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 33 bytes, remaining 54
Calculating hash with offset 17 37
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 54, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSEh offset 1665 4
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 60, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 0 offset 65 length 0 bytes, remaining 105

dissect_ssl enter frame #592 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x148de6370, ssl_session = 0x148de6de0
  record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 6, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51
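
Added example, not part of the original post or of Wireshark: a short Python triage of a debug log in the format above, pulling out the negotiated cipher suite and the messages that say why no master secret was derived. The function name `triage`, the report keys and the sample lines are constructed for illustration, and treating a non-zero pointer in the `lookup result` line as "key matched" is an assumption.

```python
import re

# Constructed sample in the format of the debug log above (not a full capture log).
SAMPLE_LOG = "\n".join([
    "ssl_set_cipher found CIPHER 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17",
    "ssl_load_keyfile dtls/ssl.keylog_file is not configured!",
    "ssl_find_private_key_by_pubkey: lookup result: 0x7fb883e5e000",
    "ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange "
    "(cipher suite 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and cannot be "
    "decrypted using a RSA private key file.",
    "ssl_restore_master_key can't find master secret by Client Random",
    "Cannot find master secret",
])

CIPHER_RE = re.compile(r"ssl_set_cipher found CIPHER (0x[0-9A-Fa-f]{4}) (TLS_\w+)")
LOOKUP_RE = re.compile(r"ssl_find_private_key_by_pubkey: lookup result: 0x([0-9A-Fa-f]+)")


def triage(log_text):
    """Summarise why an SSL debug log shows no decryption.

    The patterns search the whole text, so a log flattened onto one line works too.
    """
    cipher = CIPHER_RE.search(log_text)
    suite = cipher.group(2) if cipher else None
    lookup = LOOKUP_RE.search(log_text)
    report = {
        "suite": suite,
        # DHE/ECDHE suites derive the pre-master secret from ephemeral DH values.
        "ephemeral_kex": bool(suite and re.match(r"TLS_(EC)?DHE_", suite)),
        # Assumption: a non-zero pointer in the lookup result means a key matched.
        "rsa_key_matched": bool(lookup and int(lookup.group(1), 16) != 0),
        "keylog_missing": "keylog_file is not configured" in log_text,
        "master_secret_missing": "Cannot find master secret" in log_text,
    }
    findings = []
    if report["ephemeral_kex"] and report["rsa_key_matched"]:
        findings.append("RSA key matches the certificate, but the suite uses ephemeral "
                        "DH, so the key file cannot recover the pre-master secret")
    if report["keylog_missing"] and report["master_secret_missing"]:
        findings.append("no key log file configured and no master secret found")
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```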
