This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is decoder decrypt_ssl3_record: no decoder available

0

Hello Team, Can someone help me to understand why we can't decrypt SSL communication? This is capture on windows 2008 web server. One thing that stands out from trace are the following: no decoder available

decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

Any comment or feedback appreciated. Thank u

Wireshark SSL debug log :

Wireshark version: 2.2.5 (v2.2.5-0-g440fd4d)
GnuTLS version:    3.2.15
Libgcrypt version: 1.6.2

KeyID[20]:
| 4f 53 67 9a 82 f5 a6 b7 af a1 84 b1 d7 0b b9 d8 |OSg………….|
| d5 c9 b3 9f                                     |….            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file F:/openssl/wildccf2018.ukey successfully loaded.
ssl_init port '443' filename 'F:/openssl/wildccf2018.ukey' password(only for p12 file) ''
association_add ssl.port port 443 handle 00000000047F5C60


dissect_ssl enter frame #477 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
record: offset = 0, reported_length_remaining = 741
ssl_try_set_version found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 736, ssl state 0x10
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #478 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
record: offset = 0, reported_length_remaining = 101
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 96, ssl state 0x10
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #480 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
record: offset = 0, reported_length_remaining = 5269
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 5264, ssl state 0x10
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #2037 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 169
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 164
decrypt_ssl3_record: app_data len 164, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 160 bytes, remaining 169
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01


dissect_ssl enter frame #2038 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 2920
need_desegmentation: offset = 0, reported_length_remaining = 2920


dissect_ssl enter frame #2040 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 4766
ssl_try_set_version found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 4761
decrypt_ssl3_record: app_data len 4761, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 4766
ssl_try_set_version found version 0x0301 -> state 0x11
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_dissect_hnd_srv_hello found CIPHER 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
dissect_ssl3_handshake iteration 0 type 11 offset 90 length 2552 bytes, remaining 4766
lookup(KeyID)[20]:
| 4f 53 67 9a 82 f5 a6 b7 af a1 84 b1 d7 0b b9 d8 |OSg………….|
| d5 c9 b3 9f                                     |….            |
ssl_find_private_key_by_pubkey: lookup result: 00000000056ACBA0
dissect_ssl3_handshake iteration 0 type 22 offset 2646 length 1781 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 12 offset 4431 length 327 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 14 offset 4762 length 0 bytes, remaining 4766


dissect_ssl enter frame #2046 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 134
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 70
decrypt_ssl3_record: app_data len 70, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 217
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
record: offset = 75, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x217
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 81, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 86 48
decrypt_ssl3_record: app_data len 48, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 152 offset 86 length 8466910 bytes, remaining 134


dissect_ssl enter frame #2047 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Not using Session resumption
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x217
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 48
decrypt_ssl3_record: app_data len 48, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 199 offset 11 length 3439322 bytes, remaining 59


dissect_ssl enter frame #2037 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 169
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 160 bytes, remaining 169


dissect_ssl enter frame #2040 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 4766
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 11 offset 90 length 2552 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 22 offset 2646 length 1781 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 12 offset 4431 length 327 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 14 offset 4762 length 0 bytes, remaining 4766


dissect_ssl enter frame #2046 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 134
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
record: offset = 75, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 81, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 152 offset 86 length 8466910 bytes, remaining 134

asked 16 Mar ‘17, 08:05

pozzccf's gravatar image

pozzccf
6112
accept rate: 0%

edited 16 Mar ‘17, 08:28

grahamb's gravatar image

grahamb ♦
19.8k330206

One Answer:

0

From your SSL debug log:

ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) and cannot be decrypted using a RSA private key file.

As per the SSL Wiki page, an SSL session that uses a DH key exchange can't be decrypted using the RSA private key file. Instead you have to persuade the client to give up the pre-master secret and then configure Wireshark to use that (SSL preferences, (Pre)-Master-Secret log filename).

answered 16 Mar '17, 08:38

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 16 Mar '17, 08:39