This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t decrypt SSL traffic

0

I'm trying to decode SSL traffic but I'm failing so far. I seem to have the correct private key but I can't make sense of the log file. At first I was using ECDHE and modified my application to dump the pre master secret but that failed in a very similar way.

The capture file and private key can be found here: https://www.dropbox.com/sh/4o0qr7hwfoobyrz/AACzzEk9VlrL6XpVQfztIsfma

This is not https traffic but a custom protocol that sits on top of SSL.

Any pointers would be greatly appreciated!

Log follows


Wireshark SSL debug log

Wireshark version: 2.0.3 (v2.0.3-0-geed34f0 from master-2.0)
GnuTLS version: 3.2.15
Libgcrypt version: 1.6.2

ssl_association_remove removing TCP 1677 - data handle 0000025D1D90EFB0
KeyID[20]:
| e9 c1 00 8a f9 61 66 ac b3 1b 37 80 3b df 59 93 |.....af...7.;.Y.|
| ec b7 5c c4 |... |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file C:/Users/jpmendoza/Desktop/poa-new.key successfully loaded.
ssl_init port '1677' filename 'C:/Users/jpmendoza/Desktop/poa-new.key' password(only for p12 file) ''
association_add TCP port 1677 protocol data handle 0000025D1D90EFB0

dissect_ssl enter frame #3 (first time)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000025D1FD1D810
record: offset = 0, reported_length_remaining = 550

dissect_ssl enter frame #4 (first time)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000025D1FD1D810
record: offset = 0, reported_length_remaining = 1007
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 58
decrypt_ssl3_record: app_data len 58, ssl state 0x10
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x12
ssl_dissect_hnd_srv_hello found CIPHER 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384 -> state 0x16
record: offset = 63, reported_length_remaining = 944
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 68 930
decrypt_ssl3_record: app_data len 930, ssl state 0x16
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 926 bytes, remaining 998
lookup(KeyID)[20]:
| e9 c1 00 8a f9 61 66 ac b3 1b 37 80 3b df 59 93 |.....af...7.;.Y.|
| ec b7 5c c4 |... |
ssl_find_private_key_by_pubkey: lookup result: 0000025D1E4BDBF0
record: offset = 998, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 1003 4
decrypt_ssl3_record: app_data len 4, ssl state 0x16
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1003 length 0 bytes, remaining 1007

dissect_ssl enter frame #5 (first time)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000025D1FD1D810
record: offset = 0, reported_length_remaining = 226
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 170
decrypt_ssl3_record: app_data len 170, ssl state 0x216
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
record: offset = 175, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Not using Session resumption
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x616
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't restore master secret using an empty Client Random
Cannot find master secret
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 181, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 186 40
decrypt_ssl3_record: app_data len 40, ssl state 0x616
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 156 offset 186 length 7346719 bytes, remaining 226

dissect_ssl enter frame #3 (already visited)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 550

dissect_ssl enter frame #4 (already visited)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1007
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
record: offset = 63, reported_length_remaining = 944
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 926 bytes, remaining 998
record: offset = 998, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 14 offset 1003 length 0 bytes, remaining 1007

dissect_ssl enter frame #5 (already visited)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 226
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
record: offset = 175, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 181, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 156 offset 186 length 7346719 bytes, remaining 226

dissect_ssl enter frame #6 (first time)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000025D1FD1D810
record: offset = 0, reported_length_remaining = 1460
need_desegmentation: offset = 0, reported_length_remaining = 1460

dissect_ssl enter frame #8 (first time)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000025D1FD1D810
record: offset = 0, reported_length_remaining = 3595
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 3590, ssl state 0x616
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 1677 found 0000025D1F07A2E0

dissect_ssl enter frame #8 (already visited)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 3595
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #11 (first time)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000025D1FD1D810
record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 46, ssl state 0x616
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #11 (already visited)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #8 (already visited)
association_find: TCP port 1677 found 0000025D1F07A2E0
packet_from_server: is from server - TRUE
conversation = 0000025D1FD1D300, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 3595
dissect_ssl3_record: content_type 23 Application Data

asked 17 May ‘16, 15:55


superdude
6112
accept rate: 0%


One Answer:

0

After spending hours with this issue I saw my blindness: I'm capturing incoming traffic, not outgoing. I have the same problem as https://ask.wireshark.org/questions/27296/wireshark-only-capturing-incoming-packets

answered 18 May '16, 07:47


superdude
6112
accept rate: 0%
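
The cause found in the answer is visible in the debug log itself: every record is reported as coming from the server, and the handshake messages only the client sends never appear. The following check is an added example, not part of the original posts and not Wireshark code; it assumes the message formats shown in the question's log (plus `FALSE` as the client-side direction value), and the sample log and the function name `diagnose` are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug log quoted in the question
# (one-directional capture: every record is reported as coming from the server).
ONE_WAY_LOG = """\
packet_from_server: is from server - TRUE
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 926 bytes, remaining 998
dissect_ssl3_handshake iteration 1 type 14 offset 1003 length 0 bytes, remaining 1007
packet_from_server: is from server - TRUE
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
ssl_restore_master_key can't restore master secret using an empty Client Random
Cannot find master secret
"""

# TLS handshake message types sent by the client that RSA key decryption needs.
REQUIRED_FROM_CLIENT = {1: "ClientHello (client random)",
                        16: "ClientKeyExchange (encrypted pre-master secret)"}

# Regexes match anywhere in the text, so a log flattened onto long lines also works.
DIRECTION_RE = re.compile(r"is from server - (TRUE|FALSE)")
HANDSHAKE_RE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+) ")


def diagnose(log_text):
    """Return a list of findings explaining why decryption could not start."""
    directions = DIRECTION_RE.findall(log_text)
    seen_types = {int(t) for t in HANDSHAKE_RE.findall(log_text)}
    findings = []
    if directions and "FALSE" not in directions:
        findings.append("no client-to-server records: capture is one-directional")
    for hs_type, name in sorted(REQUIRED_FROM_CLIENT.items()):
        if hs_type not in seen_types:
            findings.append(f"missing handshake type {hs_type}: {name}")
    if "empty Client Random" in log_text:
        findings.append("dissector reports empty Client Random")
    if "Cannot find master secret" in log_text:
        findings.append("master secret was never derived")
    return findings


if __name__ == "__main__":
    for finding in diagnose(ONE_WAY_LOG):
        print("-", finding)
```

With a TLS_RSA cipher suite the private key can only recover the pre-master secret from the ClientKeyExchange message, so a capture without the client's side of the handshake cannot be decrypted even when the correct key is loaded.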