Revision history

initial version

TLSv1.2 traffic not getting decrypted

I have tcpdump (pcap file) from a Linux server which is listening to requests on a port from a Netscaler load balancer. I have keys for the RSA Netscaler/Linux keys. I configured to use Wireshark to decrypt SSL traffic -

0.0.0.0 <port number> http netscaler-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The supported Ciphers on the URL are -

ssl2: EXP-RC2-CBC-MD5 ssl2: RC4-MD5 ssl2: EXP-RC4-MD5 ssl2: DES-CBC3-MD5 ssl2: DES-CBC-MD5 ssl2: EXP-RC2-CBC-MD5 ssl2: RC2-CBC-MD5 ssl2: EXP-RC4-MD5 ssl2: RC4-MD5 ssl3: ADH-SEED-SHA ssl3: DHE-RSA-SEED-SHA ssl3: DHE-DSS-SEED-SHA ssl3: SEED-SHA ssl3: ADH-AES256-SHA ssl3: DHE-RSA-AES256-SHA ssl3: DHE-DSS-AES256-SHA ssl3: AES256-SHA ssl3: ADH-AES128-SHA ssl3: DHE-RSA-AES128-SHA ssl3: DHE-DSS-AES128-SHA ssl3: AES128-SHA ssl3: ADH-DES-CBC3-SHA ssl3: ADH-DES-CBC-SHA ssl3: EXP-ADH-DES-CBC-SHA ssl3: ADH-RC4-MD5 ssl3: EXP-ADH-RC4-MD5 ssl3: EDH-RSA-DES-CBC3-SHA ssl3: EDH-RSA-DES-CBC-SHA ssl3: EXP-EDH-RSA-DES-CBC-SHA ssl3: EDH-DSS-DES-CBC3-SHA ssl3: EDH-DSS-DES-CBC-SHA ssl3: EXP-EDH-DSS-DES-CBC-SHA ssl3: DES-CBC3-SHA ssl3: DES-CBC-SHA ssl3: EXP-DES-CBC-SHA ssl3: EXP-RC2-CBC-MD5 ssl3: RC4-SHA ssl3: RC4-MD5 ssl3: EXP-RC4-MD5 ssl3: EXP-RC2-CBC-MD5 ssl3: EXP-RC4-MD5 ssl3: RC4-MD5 ssl3: NULL-SHA ssl3: NULL-MD5 tls1: ADH-SEED-SHA tls1: DHE-RSA-SEED-SHA tls1: DHE-DSS-SEED-SHA tls1: SEED-SHA tls1: ADH-AES256-SHA tls1: DHE-RSA-AES256-SHA tls1: DHE-DSS-AES256-SHA tls1: AES256-SHA tls1: ADH-AES128-SHA tls1: DHE-RSA-AES128-SHA tls1: DHE-DSS-AES128-SHA tls1: AES128-SHA tls1: ADH-DES-CBC3-SHA tls1: ADH-DES-CBC-SHA tls1: EXP-ADH-DES-CBC-SHA tls1: ADH-RC4-MD5 tls1: EXP-ADH-RC4-MD5 tls1: EDH-RSA-DES-CBC3-SHA tls1: EDH-RSA-DES-CBC-SHA tls1: EXP-EDH-RSA-DES-CBC-SHA tls1: EDH-DSS-DES-CBC3-SHA tls1: EDH-DSS-DES-CBC-SHA tls1: EXP-EDH-DSS-DES-CBC-SHA tls1: DES-CBC3-SHA tls1: DES-CBC-SHA tls1: EXP-DES-CBC-SHA tls1: EXP-RC2-CBC-MD5 tls1: RC4-SHA tls1: RC4-MD5 tls1: EXP-RC4-MD5 tls1: EXP-RC2-CBC-MD5 tls1: EXP-RC4-MD5 tls1: RC4-MD5 tls1: NULL-SHA tls1: NULL-MD5

TLSv1.2 traffic not getting decrypted

I have tcpdump (pcap file) from a Linux server which is listening to requests on a port from a load balancer. I have keys for the RSA load balancer/Linux keys. I configured to use Wireshark to decrypt SSL traffic -

0.0.0.0 <port number> http loadbalancer-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The supported Ciphers on the URL are -

ssl2: EXP-RC2-CBC-MD5 ssl2: RC4-MD5 ssl2: EXP-RC4-MD5 ssl2: DES-CBC3-MD5 ssl2: DES-CBC-MD5 ssl2: EXP-RC2-CBC-MD5 ssl2: RC2-CBC-MD5 ssl2: EXP-RC4-MD5 ssl2: RC4-MD5 ssl3: ADH-SEED-SHA ssl3: DHE-RSA-SEED-SHA ssl3: DHE-DSS-SEED-SHA ssl3: SEED-SHA ssl3: ADH-AES256-SHA ssl3: DHE-RSA-AES256-SHA ssl3: DHE-DSS-AES256-SHA ssl3: AES256-SHA ssl3: ADH-AES128-SHA ssl3: DHE-RSA-AES128-SHA ssl3: DHE-DSS-AES128-SHA ssl3: AES128-SHA ssl3: ADH-DES-CBC3-SHA ssl3: ADH-DES-CBC-SHA ssl3: EXP-ADH-DES-CBC-SHA ssl3: ADH-RC4-MD5 ssl3: EXP-ADH-RC4-MD5 ssl3: EDH-RSA-DES-CBC3-SHA ssl3: EDH-RSA-DES-CBC-SHA ssl3: EXP-EDH-RSA-DES-CBC-SHA ssl3: EDH-DSS-DES-CBC3-SHA ssl3: EDH-DSS-DES-CBC-SHA ssl3: EXP-EDH-DSS-DES-CBC-SHA ssl3: DES-CBC3-SHA ssl3: DES-CBC-SHA ssl3: EXP-DES-CBC-SHA ssl3: EXP-RC2-CBC-MD5 ssl3: RC4-SHA ssl3: RC4-MD5 ssl3: EXP-RC4-MD5 ssl3: EXP-RC2-CBC-MD5 ssl3: EXP-RC4-MD5 ssl3: RC4-MD5 ssl3: NULL-SHA ssl3: NULL-MD5 tls1: ADH-SEED-SHA tls1: DHE-RSA-SEED-SHA tls1: DHE-DSS-SEED-SHA tls1: SEED-SHA tls1: ADH-AES256-SHA tls1: DHE-RSA-AES256-SHA tls1: DHE-DSS-AES256-SHA tls1: AES256-SHA tls1: ADH-AES128-SHA tls1: DHE-RSA-AES128-SHA tls1: DHE-DSS-AES128-SHA tls1: AES128-SHA tls1: ADH-DES-CBC3-SHA tls1: ADH-DES-CBC-SHA tls1: EXP-ADH-DES-CBC-SHA tls1: ADH-RC4-MD5 tls1: EXP-ADH-RC4-MD5 tls1: EDH-RSA-DES-CBC3-SHA tls1: EDH-RSA-DES-CBC-SHA tls1: EXP-EDH-RSA-DES-CBC-SHA tls1: EDH-DSS-DES-CBC3-SHA tls1: EDH-DSS-DES-CBC-SHA tls1: EXP-EDH-DSS-DES-CBC-SHA tls1: DES-CBC3-SHA tls1: DES-CBC-SHA tls1: EXP-DES-CBC-SHA tls1: EXP-RC2-CBC-MD5 tls1: RC4-SHA tls1: RC4-MD5 tls1: EXP-RC4-MD5 tls1: EXP-RC2-CBC-MD5 tls1: EXP-RC4-MD5 tls1: RC4-MD5 tls1: NULL-SHA tls1: NULL-MD5

TLSv1.2 traffic not getting decrypted

I have tcpdump (pcap file) from a Linux server which is listening to requests on a port from a load balancer. I have keys for the RSA load balancer/Linux keys. I configured to use Wireshark to decrypt SSL traffic -

0.0.0.0 <port number> http loadbalancer-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The supported Ciphers on the URL are -

ssl2:   EXP-RC2-CBC-MD5
ssl2:   RC4-MD5
ssl2:   EXP-RC4-MD5
ssl2:   DES-CBC3-MD5
ssl2:   DES-CBC-MD5
ssl2:   EXP-RC2-CBC-MD5
ssl2:   RC2-CBC-MD5
ssl2:   EXP-RC4-MD5
ssl2:   RC4-MD5
ssl3:   ADH-SEED-SHA
ssl3:   DHE-RSA-SEED-SHA
ssl3:   DHE-DSS-SEED-SHA
ssl3:   SEED-SHA
ssl3:   ADH-AES256-SHA
ssl3:   DHE-RSA-AES256-SHA
ssl3:   DHE-DSS-AES256-SHA
ssl3:   AES256-SHA
ssl3:   ADH-AES128-SHA
ssl3:   DHE-RSA-AES128-SHA
ssl3:   DHE-DSS-AES128-SHA
ssl3:   AES128-SHA
ssl3:   ADH-DES-CBC3-SHA
ssl3:   ADH-DES-CBC-SHA
ssl3:   EXP-ADH-DES-CBC-SHA
ssl3:   ADH-RC4-MD5
ssl3:   EXP-ADH-RC4-MD5
ssl3:   EDH-RSA-DES-CBC3-SHA
ssl3:   EDH-RSA-DES-CBC-SHA
ssl3:   EXP-EDH-RSA-DES-CBC-SHA
ssl3:   EDH-DSS-DES-CBC3-SHA
ssl3:   EDH-DSS-DES-CBC-SHA
ssl3:   EXP-EDH-DSS-DES-CBC-SHA
ssl3:   DES-CBC3-SHA
ssl3:   DES-CBC-SHA
ssl3:   EXP-DES-CBC-SHA
ssl3:   EXP-RC2-CBC-MD5
ssl3:   RC4-SHA
ssl3:   RC4-MD5
ssl3:   EXP-RC4-MD5
ssl3:   EXP-RC2-CBC-MD5
ssl3:   EXP-RC4-MD5
ssl3:   RC4-MD5
ssl3:   NULL-SHA
ssl3:   NULL-MD5
tls1:   ADH-SEED-SHA
tls1:   DHE-RSA-SEED-SHA
tls1:   DHE-DSS-SEED-SHA
tls1:   SEED-SHA
tls1:   ADH-AES256-SHA
tls1:   DHE-RSA-AES256-SHA
tls1:   DHE-DSS-AES256-SHA
tls1:   AES256-SHA
tls1:   ADH-AES128-SHA
tls1:   DHE-RSA-AES128-SHA
tls1:   DHE-DSS-AES128-SHA
tls1:   AES128-SHA
tls1:   ADH-DES-CBC3-SHA
tls1:   ADH-DES-CBC-SHA
tls1:   EXP-ADH-DES-CBC-SHA
tls1:   ADH-RC4-MD5
tls1:   EXP-ADH-RC4-MD5
tls1:   EDH-RSA-DES-CBC3-SHA
tls1:   EDH-RSA-DES-CBC-SHA
tls1:   EXP-EDH-RSA-DES-CBC-SHA
tls1:   EDH-DSS-DES-CBC3-SHA
tls1:   EDH-DSS-DES-CBC-SHA
tls1:   EXP-EDH-DSS-DES-CBC-SHA
tls1:   DES-CBC3-SHA
tls1:   DES-CBC-SHA
tls1:   EXP-DES-CBC-SHA
tls1:   EXP-RC2-CBC-MD5
tls1:   RC4-SHA
tls1:   RC4-MD5
tls1:   EXP-RC4-MD5
tls1:   EXP-RC2-CBC-MD5
tls1:   EXP-RC4-MD5
tls1:   RC4-MD5
tls1:   NULL-SHA
tls1:   NULL-MD5

TLSv1.2 traffic not getting decrypted

I have tcpdump (pcap file) from a Linux server which is listening to requests on a port from a load balancer. I have keys for the RSA load balancer/Linux keys. I configured to use Wireshark to decrypt SSL traffic -

0.0.0.0 <port number> http loadbalancer-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The cipher chosen by the server is - Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

TLSv1.2 traffic not getting decrypted

I have tcpdump (pcap file) from a Linux server which is listening to requests on a port from a load balancer. I have keys for the RSA load balancer/Linux keys. I configured to use Wireshark to decrypt SSL traffic -

0.0.0.0 <port number> http loadbalancer-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The cipher chosen by the server is - Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

ssl debug log

Is it because of TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384?


dissect_ssl enter frame #2439 (first time) packet_from_server: is from server - TRUE conversation = 0x11b094450, ssl_session = 0x11b094e80 record: offset = 0, reported_length_remaining = 79 ssl_try_set_version found version 0x0303 -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 74, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 ssl_try_set_version found version 0x0303 -> state 0x11 Calculating hash with offset 5 74 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_set_cipher found CIPHER 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA -> state 0x17 ssl_load_keyfile dtls/ssl.keylog_file is not configured! tls13_load_secret TLS version 0x303 is not 1.3 tls13_load_secret TLS version 0x303 is not 1.3

dissect_ssl enter frame #2491 (first time) packet_from_server: is from server - TRUE conversation = 0x11b09dae0, ssl_session = 0x11b09e760 record: offset = 0, reported_length_remaining = 86 ssl_try_set_version found version 0x0303 -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 81, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 ssl_try_set_version found version 0x0303 -> state 0x11 Calculating hash with offset 5 81 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_set_cipher found CIPHER 0xC028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> state 0x17 ssl_load_keyfile dtls/ssl.keylog_file is not configured! tls13_load_secret TLS version 0x303 is not 1.3 tls13_load_secret TLS version 0x303 is not 1.3

TLSv1.2 traffic not getting decrypted

I have tcpdump (pcap file) from a Linux server which is listening to requests on a port from a load balancer. I have keys for the RSA load balancer/Linux keys. I configured to use Wireshark to decrypt SSL traffic -

0.0.0.0 <port number> http loadbalancer-rsa-decrypted-key-file

BUT it doesn't decrypt the traffic for me to analyze.

The cipher chosen by the server is - Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

ssl debug log

Is it because of TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384?


dissect_ssl enter frame #2439 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x11b094450, ssl_session = 0x11b094e80
  record: offset = 0, reported_length_remaining = 79
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 74
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3

dissect_ssl enter frame #2491 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x11b09dae0, ssl_session = 0x11b09e760
  record: offset = 0, reported_length_remaining = 86
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 81, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 81
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
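
Added example, not part of the original post or of Wireshark: a Python script that reads an SSL debug log like the one above (line-per-entry or flattened) and reports, for each `ssl_set_cipher` entry, whether the negotiated key exchange is static RSA, which a server RSA private key can decrypt, or ephemeral (EC)DHE, which needs per-session secrets from a key log file. The function names, the result fields and the trimmed sample log are assumptions made for this illustration.

```python
import re

# Constructed sample: cipher-selection entries for the two frames in the post's log,
# the second one flattened onto a single line as in the earlier revision.
SAMPLE_LOG = (
    "dissect_ssl enter frame #2439 (first time)\n"
    "ssl_set_cipher found CIPHER 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA -> state 0x17\n"
    "ssl_load_keyfile dtls/ssl.keylog_file is not configured!\n"
    "dissect_ssl enter frame #2491 (first time) "
    "ssl_set_cipher found CIPHER 0xC028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> state 0x17 "
    "ssl_load_keyfile dtls/ssl.keylog_file is not configured!\n"
)

TOKEN_RE = re.compile(
    r"dissect_ssl enter frame #(?P<frame>\d+)"
    r"|ssl_set_cipher found CIPHER (?P<code>0x[0-9A-Fa-f]{4}) (?P<suite>TLS_\w+)"
)
EPHEMERAL = ("DHE_", "ECDHE_", "DH_anon", "ECDH_anon")


def key_exchange(suite):
    """Key-exchange part of an IANA suite name, e.g. 'ECDHE_RSA' or 'RSA'."""
    return suite[len("TLS_"):].split("_WITH_", 1)[0]


def classify(log_text):
    """Return one verdict dict per ssl_set_cipher entry, in log order."""
    keylog = "keylog_file is not configured" not in log_text
    frame, out = None, []
    for m in TOKEN_RE.finditer(log_text):
        if m.group("frame"):
            frame = int(m.group("frame"))  # remember the frame the next entry belongs to
            continue
        kx = key_exchange(m.group("suite"))
        if kx == "RSA":
            need = "server RSA private key (full handshake must be in the capture)"
        elif kx.startswith(EPHEMERAL):
            need = "per-session secrets from a key log file; an RSA private key cannot recover them"
        else:
            need = "unknown key exchange; check the suite definition"
        out.append({"frame": frame, "suite": m.group("suite"), "kx": kx,
                    "rsa_key_usable": kx == "RSA", "keylog_configured": keylog,
                    "needs": need})
    return out


if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(f"frame {r['frame']}: {r['suite']} (kx={r['kx']}) -> {r['needs']}")
```

A static-RSA verdict only means decryption with the private key is possible in principle; the capture still has to contain the full handshake for that session.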