Hi, I've been trying to decrypt the SSL traffic on Chrome using the pre-master secret log method. Here is what I did:

I can see that:
1. There is content in the keylog file; there are many rows, all like: CLIENT_RANDOM fdf7092065550a275290721dd44565cd77e................
2. There were handshake steps at the beginning.
3. There is data flow in SSL.
4. I tried to 'decode' the packages' data as 'ssl'; however, I just cannot get the traffic decoded.

What am I missing? Thanks.

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.10.2, with Pango 1.30.1, with GLib 2.36.0, with libpcap, with libz 1.2.3, without POSIX capabilities, without libnl, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 16 2013 19:05:52), with AirPcap.

asked 17 May '14, 09:29 swang
One Answer:
Your version of Wireshark does not know the cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)). That cipher has been implemented in the development build. Please download the latest development build (1.11.x) and the cipher should be recognized.

Regards

answered 19 May '14, 11:38 Kurt Knochner ♦

Thanks, I actually tried that yesterday. Well, I now am able to see some content in the SSL log, decoded, but:
1. It doesn't seem to be full; I only saw the client-to-server traffic get partially decoded, not the server-to-client data.
(19 May '14, 11:45) swang

Please add comments as comments, not as answers (see the site FAQ)! Thank you.
(19 May '14, 11:47) Kurt Knochner ♦

Please add more of the SSL debug file.
(19 May '14, 11:47) Kurt Knochner ♦

Hmm, the debug file is pretty big; I am not sure which part you actually need. (The scenario I am investigating is a file upload, so there is a large amount of data in the SSL log.) Like I said, I can see meaningful data in the log getting decoded, but on the Wireshark trace I still don't see decoded content. Any pointer on how to get that fixed?
(19 May '14, 11:51) swang

Hard to tell without any error message ;-) Can you upload the debug file to Google Drive, Dropbox, etc. and post the link here?
(19 May '14, 14:49) Kurt Knochner ♦

I am a novice to using Wireshark (and to using SO-inspired sites, so please bear with me if I do something wrong), but have tried to read up on everything that I could with regards to this topic. I have the same problem. I have several production sites that are set up according to http://kenneththorman.blogspot.dk/2013/07/using-nginx-to-reverse-proxy-secure.html. I have downloaded the latest development build (Version 1.99.0-962-g700a474 (v1.99.0-rc1-962-g700a474 from master)), and while I am no longer facing the "can't find cipher suite 0xC02B" I am still not able to decrypt the traffic. In the SSL debug log I am facing quite a lot of entries similar to http://pastebin.com/FbSBDWtd (tried to paste here, but poor formatting made me move it to pastebin). I did read http://wiki.wireshark.org/SSL, but was not able to pinpoint anything. I guess it might be obvious for someone in the know, but currently I am not making any headway. Thank you in advance.
(21 Jul '14, 13:16) kenneththorman

Any suggestions how/what I should look into in the SSL log to get the root cause?
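The two preconditions this thread circles around, a key-log line whose client random matches the ClientHello in the capture (the question's CLIENT_RANDOM rows) and a negotiated cipher suite the dissector knows (the answer's 0xc02b point), can be checked outside Wireshark before digging through the debug log. The following Python script is an added example, not code from the post or from the Wireshark project: it validates key-log lines against the NSS key-log format (64 hex digits of client random, 96 of master secret), pulls the client random out of a ClientHello record and the chosen suite out of a ServerHello, and reports whether the two line up. The key-log text and handshake bytes are constructed, and KNOWN_CIPHERS is an assumed stand-in for what a particular build supports, not Wireshark's real table.

```python
"""Diagnose why a TLS capture may not decrypt from a CLIENT_RANDOM key log.

Added example (not from the original post). Record and handshake layouts
follow RFC 5246; all sample data below is constructed.
"""
import re
import struct

# Hex-digit counts fixed by the NSS key-log format.
KEYLOG_LINE = re.compile(
    r"^(?P<label>CLIENT_RANDOM|RSA)\s+(?P<id>[0-9a-fA-F]+)\s+(?P<secret>[0-9a-fA-F]+)$")
ID_LEN = {"CLIENT_RANDOM": 64, "RSA": 16}   # 32-byte random / 8-byte enc-pms prefix
SECRET_LEN = 96                             # 48-byte master secret

# Assumed table of suites "this build" supports; real IANA ids, toy coverage.
KNOWN_CIPHERS = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


def parse_keylog(text):
    """Return ({client_random_hex: master_secret_hex}, [malformed lines])."""
    entries, bad = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m or len(m["id"]) != ID_LEN[m["label"]] or len(m["secret"]) != SECRET_LEN:
            bad.append(line)
            continue
        if m["label"] == "CLIENT_RANDOM":
            entries[m["id"].lower()] = m["secret"].lower()
    return entries, bad


def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header, checking both."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) != 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != expected_type or len(body) != 4 + hlen:
        raise ValueError("unexpected handshake message type or length")
    return body[4:]


def client_random_from_client_hello(record):
    body = _handshake_body(record, 0x01)
    return body[2:34].hex()          # skip client_version, take the 32-byte random


def cipher_from_server_hello(record):
    body = _handshake_body(record, 0x02)
    sid_len = body[34]               # session_id length follows version + random
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def diagnose(keylog_text, client_hello, server_hello):
    """Combine the checks into one report dict."""
    entries, bad = parse_keylog(keylog_text)
    crand = client_random_from_client_hello(client_hello)
    cipher = cipher_from_server_hello(server_hello)
    return {
        "client_random": crand,
        "keylog_has_entry": crand in entries,
        "malformed_lines": len(bad),
        "cipher": cipher,
        "cipher_name": KNOWN_CIPHERS.get(cipher, "unknown to this build"),
    }


def _record(hs_type, payload):
    """Wrap a handshake payload in handshake and TLS 1.2 record headers."""
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed sample data: one session offering and accepting 0xc02b.
CLIENT_RANDOM = bytes(range(32))
SAMPLE_CLIENT_HELLO = _record(
    0x01, b"\x03\x03" + CLIENT_RANDOM + b"\x00" + b"\x00\x02\xc0\x2b" + b"\x01\x00")
SAMPLE_SERVER_HELLO = _record(
    0x02, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2b" + b"\x00")
SAMPLE_KEYLOG = (
    "# constructed key log\n"
    f"CLIENT_RANDOM {CLIENT_RANDOM.hex()} {'ab' * 48}\n"
    "CLIENT_RANDOM deadbeef 0011\n"          # truncated entry, will be flagged
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_KEYLOG, SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

To use it on a real case, replace SAMPLE_KEYLOG with the contents of the file Chrome was pointed at and feed diagnose() the raw bytes of the first handshake record in each direction (Wireshark's Export Packet Bytes on the TLS record gives exactly that). A False keylog_has_entry means the log holds no secret for that session, so there is nothing for Wireshark to decrypt with; a cipher reported as unknown is the situation the accepted answer describes.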