This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

issues decrypting SSL Traffic

0

I am trying to decrypt SSL communication for troubleshooting but am unable to decode the traffic.

Any help would be greatly appreciated.

Following are the debug logs:

Wireshark SSL debug log

Wireshark version: 2.0.5 (v2.0.5-0-ga3be9c6 from master-2.0)
GnuTLS version: 3.2.15
Libgcrypt version: 1.6.2

ssl_association_remove removing TCP 443 - http handle 00000277EE1E2800
4013 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
KeyID[20]:
| 51 f1 fe 2a f4 26 7b db bc 55 30 fb c9 34 58 d8 |Q..*.&{..U0..4X.|
| 50 dd 4f 25 |P.O% |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file C:/cert.pfx successfully loaded.
ssl_init port '443' filename 'C:/cert.pfx' password(only for p12 file) 'Password'
association_add TCP port 443 protocol http handle 00000277EE1E2800

dissect_ssl enter frame #4 (first time)
association_find: TCP port 17008 found 0000000000000000
packet_from_server: is from server - FALSE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 80
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 75
decrypt_ssl3_record: app_data len 75, ssl state 0x00
association_find: TCP port 17008 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 71 bytes, remaining 80
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 1380
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 49
decrypt_ssl3_record: app_data len 49, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 45 bytes, remaining 54
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_dissect_hnd_srv_hello found CIPHER 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
record: offset = 54, reported_length_remaining = 1326

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 1190

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - FALSE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 134
decrypt_ssl3_record: app_data len 134, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
record: offset = 139, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 145, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 150 48
decrypt_ssl3_record: app_data len 48, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 186 offset 150 length 5662814 bytes, remaining 198

dissect_ssl enter frame #13 (first time)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec No Session resumption, missing packets?
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 48
decrypt_ssl3_record: app_data len 48, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 141 offset 11 length 9969585 bytes, remaining 59

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - FALSE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 901
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 896, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 17008 found 0000000000000000
association_find: TCP port 443 found 00000277EFF042E0

dissect_ssl enter frame #15 (first time)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 00000277F0B25AD0
record: offset = 0, reported_length_remaining = 625

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 80
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 71 bytes, remaining 80

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1380
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 45 bytes, remaining 54
record: offset = 54, reported_length_remaining = 1326

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1190

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 198
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139
record: offset = 139, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 145, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 186 offset 150 length 5662814 bytes, remaining 198

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 141 offset 11 length 9969585 bytes, remaining 59

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 901
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #15 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000277F0B252B0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 625

asked 19 Aug ‘16, 07:22

WireSharrkUser
accept rate: 0%

edited 19 Aug ‘16, 08:06

grahamb ♦

(19 Aug ‘16, 08:11) Christian_R


One Answer:

2

Your capture is using a cipher suite using the Diffie-Hellman key exchange:

ssl_dissect_hnd_srv_hello found CIPHER 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
                                                  ^^^

This does not work with an RSA private key file. See Decrypting TLS in Wireshark when using DHE_RSA ciphersuites for an alternative.

answered 19 Aug '16, 08:09

Lekensteyn
accept rate: 30%
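
As an added example (not part of the original answer and not Wireshark code): a short Python check that applies the answer's reasoning to a debug log like the one in the question. It reads the negotiated suite from the ServerHello line and reports whether an RSA key file can decrypt the session. `SAMPLE_LOG`, `key_exchange` and `diagnose` are names made up for this example, and the sample lines are constructed from the log format shown above.

```python
import re

# Constructed sample: a few lines in the format of the debug log in the question.
SAMPLE_LOG = """\
ssl_init private key file C:/cert.pfx successfully loaded.
dissect_ssl enter frame #6 (first time)
ssl_dissect_hnd_srv_hello found CIPHER 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
dissect_ssl enter frame #12 (first time)
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
dissect_ssl3_handshake can't generate pre master secret
"""

FRAME_RE = re.compile(r"dissect_ssl enter frame #(\d+)")
CIPHER_RE = re.compile(r"found CIPHER (0x[0-9A-Fa-f]{4}) ((?:TLS|SSL)_\w+)")


def key_exchange(suite):
    """Key-exchange part of a suite name ('DHE_RSA'); None if the name has no _WITH_."""
    head, sep, _ = suite.partition("_WITH_")
    return head.split("_", 1)[1] if sep else None


def diagnose(log_text):
    """One finding per ServerHello: can the RSA private key file decrypt this session?"""
    keylog_missing = "keylog_file is not configured" in log_text
    findings, frame = [], None
    for line in log_text.splitlines():
        if m := FRAME_RE.search(line):
            frame = int(m.group(1))
        if not (m := CIPHER_RE.search(line)):
            continue
        kx = key_exchange(m.group(2))
        # Only plain RSA key exchange sends the pre-master secret encrypted to the
        # server's RSA key. With (EC)DHE the RSA key only signs the handshake.
        rsa_ok = kx == "RSA"
        if rsa_ok:
            verdict = "RSA key file can recover the pre-master secret"
        elif keylog_missing:
            verdict = "RSA key file cannot decrypt; no ssl.keylog_file configured either"
        else:
            verdict = "RSA key file cannot decrypt; relies on ssl.keylog_file"
        findings.append({"frame": frame, "suite": m.group(2), "kx": kx,
                         "rsa_key_decrypts": rsa_ok, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"frame {f['frame']}: {f['suite']} (kx={f['kx']}): {f['verdict']}")
```

Run against the full log from the question, this flags frame #6: the key file loads without error, yet the DHE_RSA suite means it can never yield the pre-master secret.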