This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decode TLS Traffic

0

Trying to decode a TLS packet capture and it isn't working. Can someone point me to what is going wrong. First part of ssl debug file is below.

Wireshark SSL debug log

ssl_association_remove removing TCP 443 - http handle 0000000004650E80
Private key imported: KeyID 9e:a7:11:d1:92:19:ab:42:ba:4b:e0:44:aa:a2:f3:5c:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '10.1.16.129' (10.1.16.129) port '443' filename 'C:\SoftwareLib\Putty\serverprivkey.pem' password(only for p12 file) ''
ssl_init private key file C:\SoftwareLib\Putty\serverprivkey.pem successfully loaded.
association_add TCP port 443 protocol http handle 0000000004650E80

dissect_ssl enter frame #4 (first time) ssl_session_init: initializing ptr 00000000081C0720 size 712 association_find: TCP port 38423 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 216 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 211, ssl state 0x00 association_find: TCP port 38423 found 0000000000000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 207 bytes, remaining 216 packet_from_server: is from server - FALSE ssl_find_private_key server 10.1.16.129:443 ssl_find_private_key: testing 1 keys dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 86 dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 81, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session can't find stored session trying to use SSL keylog in failed to open SSL keylog cannot find master secret in keylog file either dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material

dissect_ssl enter frame #7 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER

dissect_ssl enter frame #8 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 203 offset 5 length 8445086 bytes, remaining 37

dissect_ssl enter frame #12 (first time) packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 76 offset 11 length 4320174 bytes, remaining 43

dissect_ssl enter frame #13 (first time) packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 255 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 250, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 38423 found 0000000000000000 association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #14 (first time) packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 648 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 643, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 38423 found 0000000000000000 association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #16 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1263 need_desegmentation: offset = 0, reported_length_remaining = 1263

dissect_ssl enter frame #25 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #25 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1083 need_desegmentation: offset = 0, reported_length_remaining = 1083

dissect_ssl enter frame #37 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #38 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1263 need_desegmentation: offset = 0, reported_length_remaining = 1263

dissect_ssl enter frame #49 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #49 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1083 need_desegmentation: offset = 0, reported_length_remaining = 1083

dissect_ssl enter frame #61 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #61 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 903 need_desegmentation: offset = 0, reported_length_remaining = 903

dissect_ssl enter frame #73 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #73 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 723 need_desegmentation: offset = 0, reported_length_remaining = 723

dissect_ssl enter frame #80 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #85 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1263 need_desegmentation: offset = 0, reported_length_remaining = 1263

dissect_ssl enter frame #92 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #92 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1083 need_desegmentation: offset = 0, reported_length_remaining = 1083

dissect_ssl enter frame #107 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #107 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 903 need_desegmentation: offset = 0, reported_length_remaining = 903

asked 30 May ‘15, 15:13

EASGCS's gravatar image

EASGCS
6112
accept rate: 0%

edited 31 May ‘15, 01:53

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

0
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)

That line is an indicator that you have loaded the wrong private key for the TLS session. Please double check that.

Regards
Kurt

answered 01 Jun '15, 03:32

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%