Ask Your Question

Revision history [back]

Help decrypting TLS between socket client and server

I built a socket server and socket client whose sole purpose is to communicate back and forth using TLS so I can learn how to decrypt the communication using Wireshark. While both are on the same Linux box, I will later use different machines, and they will pass back and form JSON. I've been really struggling on this and would very much appreciate some help. I've included everything I could think of but if I am missing something, please let me know. Thank you, thank you, thank you in advance.

The client has the server's certificate and the server has both the certificate and private key, and a passphrase is not being used, and I have included how I created the keys as well as the actual keys at the end of this post.

The following communication successfully occurs between the server and client.

Client connects to Server.
Server sends message to Client:
    Hello tls://127.0.0.1:38280!
    Welcome to this amazing server!
    Here's a tip: don't say anything.
Client sends message to Server:
    Hello server, how are you?
Server disconnects client.

I captured it using tshark on the remote Linux box using the following command and moved the pcap file to my Windows PC as well as a copy of the private key.

tshark -w /var/www/testing/public/test/filename.pcap -P -f "port 8080" -i lo

My wireshark version is Version 3.0.1 with details shown at the end of this post. I went to Edit/Preferences/Protocols/TLS, clicked Edit near RSA Keys List, and added the private key (I also added IP 127.0.0.1, port 8080, and protocol data even though it is my understanding that Wireshark ignores it). I also added a path for a TLS debug file as well as entered a filename of sslkeylog.log for the (Pre)-Master-Secrete log filename as described by https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/.

The output is below. As far as I can tell, nothing has been decrypted and I cannot find any text other than regarding the rsa key.

image description

The debug log is listed below (however, I removed some of the repeated checking as it was originally 394kb).

What am I doing wrong? Thank you!

Wireshark SSL debug log 

Wireshark version: 3.0.1 (v3.0.1-0-gea351cd8)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3

ssl_association_remove removing UDP 8080 - handle 0000017F3169EDB0
KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
ssl_init private key file C:/Users/Michael/Documents/wireshark/test_ss_key.pem successfully loaded.
ssl_init port '8080' filename 'C:/Users/Michael/Documents/wireshark/test_ss_key.pem' password(only for p12 file) ''
association_add tls.port port 8080 handle 0000017F3169EDB0

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 512, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 
Calculating hash with offset 5 512
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 1687
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 66, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 66
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x17
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1094, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
Calculating hash with offset 76 1094
Certificate.KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 461, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
Calculating hash with offset 1175 461
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 46, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
Calculating hash with offset 1641 42
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 
Calculating hash with offset 1683 4

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 7, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
Calculating hash with offset 5 7
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 70, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
Calculating hash with offset 17 70
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 66d5e42f483160b31585f9b0dcf89c1c5440997f9aea04a67c265d3a222ba1a4
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 1fbf9e8aa88e24d2d6e4c12c7385d4ca336e01649f640b66828b5c208bce3cd8
    matched server_handshake
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 186, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
Calculating hash with offset 5 186
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_finalize_decryption state = 0x417
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 51, ssl state 0x417
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

My wireshark version is as follows:

Version 3.0.1 (v3.0.1-0-gea351cd8) 
Copyright 1998-2019 Gerald Combs <[email protected] contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlThis is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 
Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, with 8191 MB of physical memory, with locale English_United States.1252, with libpcap version 1.9.0 (packet.dll version 0.992), with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835). 
Wireshark is Open Source Software released under the GNU General Public License. 
Check the man page and http://www.wireshark.org for more information.

The client has the server's certificate and the server has both the certificate and private key, and a passphrase is not being used. I created the keys as follows which are also shown below:

openssl genpkey -algorithm RSA
-pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out test_ss_key.pem openssl req -new -key test_ss_key.pem
-sha256 -days 365 -out test_ss_csr.pem openssl rsa -in test_ss_key.pem -out
test_ss_key.pem openssl x509 -req -in
test_ss_csr.pem -signkey
test_ss_key.pem -sha256 -days 365 -out
test_ss_crt.pem

[[email protected] testing]$ cat
/etc/pki/tls/private/test_ss_key.pem
-----BEGIN RSA PRIVATE KEY----- MIIG4gIBAAKCAYEAxGarBrx3JhDiEq5VVwbEFTY/GHLRnqD9X1Cti8l4s+dbdqHb
r0gpyXS0DIF+xiH1RHAkyw3Nzixf0vEoRRwOaRmkYk9uFTTOFDMNWEv00ZVzhjgC
gxYWHBna4KQ+S3lRpM8wlMPlpeqbjq0LsvfTO1rr/pSQ6Ml34tXVWRvrOjZeaEl4
yV0LFzInbHo9FlsABnmuAuRSD5gCMGIqiVnpChF4Cbu1WrEPi9LlID3zvXh7kED9
EjFYDeaSUUwfX/0AN4LgFuo1qj/iQ4KEDbAMo7L6dTN4AupYWatzTA1fK2K6AGYv
YdnjTrNNbomZhOSNwlZfb9SD9/S5aQDcGkMyzCzb7svSYKvx5b5+XpxJLI1daDbi
dstrLg3DvEfpGcGyOfLAu7ZOfgkZaeOZsFZj3MLQrzSlBFOZ+DYVEf0aq8iTvVt+
mrp6MlncU0FLUHngtmD7ZTJmFEgtbeUbrY/QwHvAQOCd85/0wbUf/5esBJKiiaNs
tKY7nJJ9gwslkF8FAgMBAAECggGAahAHzFt6/NOhQvVioNzGh64D5PAcw82tBwxK
rHLg/Ea03hwKx13xMxoTIa3NCLLOAWeOdxm9Stor5X7WgHvmTFvMqkq66DjcEYyA
aG6ch5JuEM2ujZwf1I0h5q7L9XZO4PIDClPAcRmBaEuLRdsP973iNFmG6C/kzlss
HDM3lPhHg4op8JSOqLgtEifxVWFPYi/UCTvEFSfCBt78mbA0aXuFl7wG9DMqchgy
JHdQacHm+MAf6vM62kbqPX0edHfr88bLSwxsOU6YZA67LUo3oXzrNx7xg3vvd37L
rY4ud3aWJcPvBra/tq7ntttD/wnPvqZcE/X/ld5YdecVf1LJo3KCAHr1P7ajc/zD
ntYPy4yThcYNe98ajTzsRJ/TWmCNL3Xm4ERHmASKuvXebx/1eHP2QEm5SZY3g79e
Pwwud84HyNqp7t7bGhJcw4IDUoVpkCChSKrBIaYBnce2vMl1d5waVOi9YGUAiFqE
8FzIlzVSn52PaSLt7QGzY3mH8lgBAoHBAOaaFmBNoDSZPj/iVS/I9HhnM1seMtdo
re/wmqXmVnPDTJbx/4BLgS0BmmaSLgv+3BmiQtu1uqIeedFTGXQTmr1GXX8cgD96
0ylHA+3BqqoM1rSmlmT+0ms8qOWWQvUSVR8R90Q+RZmk0RwzlEBpLPMrk3uX7+Wm
BsT25dn4yPtMlgT1mbBiBHYex0y9kmoX1EWobyfChdHZwLj2u713pNmmHKfjZZjK
qwRLv5hDKsMSbyx8CyITznWRtfz3tdi36QKBwQDaCEYcv13d2PjTqTc6cxhQ4ElF
hmTc8VN5IoUAPJbLuUDD/9dicLWX3euyxBJmR7pkuXk0oEPs/5Oy/rDHsDk6cZCV
qsQMgWpZKrFUbfTVn8fXfLb+CJ2IUWIeXEvp+v96OB58P7tg1Pxi+l6D2B4zXBv0
p2a+vU5/sjU/lGyCrf2OBbNQIF+Q2Xhlp8gHMBSeA6XdhgaXykrisZUkZ26OSbRf GcocjUu5+bbkikF1XS2oQ0eZnV6vr4hL4oPE2L0CgcAaQnu/1bcjpju/fJ+kxGaK
e34Opz605ve/tg92SueXYSsMmVw2GOMJ4//YJFdYCFq6FI82g9hP89Z9btAcNstN
OIEXI4C7Odpn/e1FmuM7YCDnC31e3OHLUmoNUvInBEJrOlmFDO5SE8G4S2tbdl6n
BlRSI7gu15w3u8Hq83i3nT4MLIem3VKSvOiHJaNRr4r9r7OQvIcOoZRfu8EfT0uX
eWIUAEImhxW4dIPJ7AQnmKbOUwXViJnfK4uk1fSATFkCgcBa19uumqVXi9GRDw4t
0kqtV+Xvi+F2lS48aH+V66jA1T0A7RYms+NVlWdhIoSwDO7CjOzNWoEyvAIkMC4j
5W7SxQKC+ZWZyEoxQLKGBRJf96TiSdpM2fYZGB+Tms0efi/4Em3RQxSlcdh+vOao
dGGQ8K3NL/qFOob8eZnqFcNoZ2ofxIxDtFldFt8tK80SAZx1gfuX4wHYOLce4PLN
KjNMIbV/clVdtBl7MWpcqqY/akVduDqa7JDJDo/xXj2cxNkCgcBrQYvJQqoKLcxg
z+xByX0PYJ8Vw62UjBAv38CW0pAqy/zjqfu1SUFq/UB6+D/3LR4gt5QBMJL09C6u
V7597EYUiuH19Aj3ZSol+WWzkHjubmHowc8ZazIYSycqQ3vcdR25kqd9qyhr9NKo
60oOVSOZdApc3c5ECY0WGqXhjel6aX1h3bN+lESOGaKAdmfIzI5VCoqNFDS5QovK
tJHc2MEYO5oKZYIg1pysTfcFfM5UO6XX9gH0DJdP1R/GQnoV7cw=
-----END RSA PRIVATE KEY----- [[email protected] testing]$ cat
/etc/pki/tls/certs/test_ss_crt.pem
-----BEGIN CERTIFICATE----- MIIEODCCAqACCQCzx57HUSzlRDANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJY
WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
bnkgTHRkMRowGAYDVQQDDBFncmVlbmJlYW50ZWNoLm5ldDAeFw0xOTA2MTIxNjM0
MzZaFw0yMDA2MTExNjM0MzZaMF4xCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZh
dWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGjAYBgNVBAMM
EWdyZWVuYmVhbnRlY2gubmV0MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC
AYEAxGarBrx3JhDiEq5VVwbEFTY/GHLRnqD9X1Cti8l4s+dbdqHbr0gpyXS0DIF+
xiH1RHAkyw3Nzixf0vEoRRwOaRmkYk9uFTTOFDMNWEv00ZVzhjgCgxYWHBna4KQ+
S3lRpM8wlMPlpeqbjq0LsvfTO1rr/pSQ6Ml34tXVWRvrOjZeaEl4yV0LFzInbHo9
FlsABnmuAuRSD5gCMGIqiVnpChF4Cbu1WrEPi9LlID3zvXh7kED9EjFYDeaSUUwf
X/0AN4LgFuo1qj/iQ4KEDbAMo7L6dTN4AupYWatzTA1fK2K6AGYvYdnjTrNNbomZ
hOSNwlZfb9SD9/S5aQDcGkMyzCzb7svSYKvx5b5+XpxJLI1daDbidstrLg3DvEfp
GcGyOfLAu7ZOfgkZaeOZsFZj3MLQrzSlBFOZ+DYVEf0aq8iTvVt+mrp6MlncU0FL
UHngtmD7ZTJmFEgtbeUbrY/QwHvAQOCd85/0wbUf/5esBJKiiaNstKY7nJJ9gwsl
kF8FAgMBAAEwDQYJKoZIhvcNAQELBQADggGBAK8b7Eqo5GTDV1vgoJCl/SUUjPey
DnakNZ5rVGSmTDntgS7p1N9BaCS5JbRQkwDhRcRaGua6jH68uiAOlp03C+qZHERJ
kZOtHOhK+8Uetn2dD3G80l8OXRmAPLoJ7yEt+wBfohrC8TBScq+e8cjbCkq2lEKd
9BAFFj21dlv8gO/f8QMZjyVsrjLu4Dn1Pjlos3X8jXNNUzVRi2qtA9bLT+ldEkc6
9mcQpYVq2rX+b8uEwFqy26HEvbMjiQ7F8ocC5Kz0RrMMfnJWfELysTXwbF9IvZF1
8d1IKVY4PdhLi7ZLxtAiaUaA3u0zimPDHrlUtuu99v7mbnZ5qVYj0ekMGJ1bRmnb
bhfMqH34L2oSPpQTr9aYpuTOjpTR8juCflvcy0SUO2rinTeJK7BBWLVEhLi5JZ7v
Q2F/Lc2aP+Wot4RtvYpooBi/lB9TqhsfdWOdKEmS3fLFpNLEh4y2bNs8ENvDDtGL
tA1N791c156ih3i0Xdl7hiBV1CTwCoV1GCjyYw==
-----END CERTIFICATE----- [[email protected] testing]$

Help decrypting TLS between socket client and server

I built a socket server and socket client whose sole purpose is to communicate back and forth using TLS so I can learn how to decrypt the communication using Wireshark. While both are on the same Linux box, I will later use different machines, and they will pass back and form JSON. I've been really struggling on this and would very much appreciate some help. I've included everything I could think of but if I am missing something, please let me know. Thank you, thank you, thank you in advance.

The client has the server's certificate and the server has both the certificate and private key, and a passphrase is not being used, and I have included how I created the keys as well as the actual keys at the end of this post.

The following communication successfully occurs between the server and client.

Client connects to Server.
Server sends message to Client:
    Hello tls://127.0.0.1:38280!
    Welcome to this amazing server!
    Here's a tip: don't say anything.
Client sends message to Server:
    Hello server, how are you?
Server disconnects client.

I captured it using tshark on the remote Linux box using the following command and moved the pcap file to my Windows PC as well as a copy which is running wireshark Version 3.0.1 (see details shown at the end of this post) and also copied the server's private key.key to the Windows PC.

tshark -w /var/www/testing/public/test/filename.pcap -P -f "port 8080" -i lo

My wireshark version is Version 3.0.1 with details shown at the end of this post. I went to Edit/Preferences/Protocols/TLS, clicked Edit near RSA Keys List, and added the private key (I also added IP 127.0.0.1, port 8080, and protocol data even though it is my understanding that Wireshark ignores it). I also added think this used to work before people used forward secrecy, but no longer does, and https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/describes a path solution for a TLS debug file as well as entered a filename of sslkeylog.log for using Firefox or Chrome to log the symmetric key and configure Wireshark's (Pre)-Master-Secrete log filename to point to it. This doesn't work for me, however, as described by https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/.both machines are headless and are not using browsers to access the data. Maybe some other means to capture the symmetric key is possible?

The output is below. As far as I can tell, nothing has been decrypted and I cannot find any text other than regarding the rsa key.

image description

The debug log is listed below (however, I removed some of the repeated checking as it was originally 394kb).

What am I doing wrong? Any recommendations? Thank you!

Wireshark SSL debug log 

Wireshark version: 3.0.1 (v3.0.1-0-gea351cd8)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3

ssl_association_remove removing UDP 8080 - handle 0000017F3169EDB0
KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
ssl_init private key file C:/Users/Michael/Documents/wireshark/test_ss_key.pem successfully loaded.
ssl_init port '8080' filename 'C:/Users/Michael/Documents/wireshark/test_ss_key.pem' password(only for p12 file) ''
association_add tls.port port 8080 handle 0000017F3169EDB0

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 512, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 
Calculating hash with offset 5 512
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 1687
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 66, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 66
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x17
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1094, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
Calculating hash with offset 76 1094
Certificate.KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 461, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
Calculating hash with offset 1175 461
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 46, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
Calculating hash with offset 1641 42
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 
Calculating hash with offset 1683 4

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 7, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
Calculating hash with offset 5 7
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 70, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
Calculating hash with offset 17 70
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 66d5e42f483160b31585f9b0dcf89c1c5440997f9aea04a67c265d3a222ba1a4
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 1fbf9e8aa88e24d2d6e4c12c7385d4ca336e01649f640b66828b5c208bce3cd8
    matched server_handshake
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 186, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
Calculating hash with offset 5 186
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_finalize_decryption state = 0x417
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 51, ssl state 0x417
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

My wireshark version is as follows:

Version 3.0.1 (v3.0.1-0-gea351cd8) 
Copyright 1998-2019 Gerald Combs <[email protected] contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlThis is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 
Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, with 8191 MB of physical memory, with locale English_United States.1252, with libpcap version 1.9.0 (packet.dll version 0.992), with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835). 
Wireshark is Open Source Software released under the GNU General Public License. 
Check the man page and http://www.wireshark.org for more information.

The client has the server's certificate and the server has both the certificate and private key, and a passphrase is not being used. I created the keys as follows which are also shown below:

openssl genpkey -algorithm RSA
-pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out test_ss_key.pem openssl req -new -key test_ss_key.pem
-sha256 -days 365 -out test_ss_csr.pem openssl rsa -in test_ss_key.pem -out
test_ss_key.pem openssl x509 -req -in
test_ss_csr.pem -signkey
test_ss_key.pem -sha256 -days 365 -out
test_ss_crt.pem

[[email protected] testing]$ cat
/etc/pki/tls/private/test_ss_key.pem
-----BEGIN RSA PRIVATE KEY----- MIIG4gIBAAKCAYEAxGarBrx3JhDiEq5VVwbEFTY/GHLRnqD9X1Cti8l4s+dbdqHb
r0gpyXS0DIF+xiH1RHAkyw3Nzixf0vEoRRwOaRmkYk9uFTTOFDMNWEv00ZVzhjgC
gxYWHBna4KQ+S3lRpM8wlMPlpeqbjq0LsvfTO1rr/pSQ6Ml34tXVWRvrOjZeaEl4
yV0LFzInbHo9FlsABnmuAuRSD5gCMGIqiVnpChF4Cbu1WrEPi9LlID3zvXh7kED9
EjFYDeaSUUwfX/0AN4LgFuo1qj/iQ4KEDbAMo7L6dTN4AupYWatzTA1fK2K6AGYv
YdnjTrNNbomZhOSNwlZfb9SD9/S5aQDcGkMyzCzb7svSYKvx5b5+XpxJLI1daDbi
dstrLg3DvEfpGcGyOfLAu7ZOfgkZaeOZsFZj3MLQrzSlBFOZ+DYVEf0aq8iTvVt+
mrp6MlncU0FLUHngtmD7ZTJmFEgtbeUbrY/QwHvAQOCd85/0wbUf/5esBJKiiaNs
tKY7nJJ9gwslkF8FAgMBAAECggGAahAHzFt6/NOhQvVioNzGh64D5PAcw82tBwxK
rHLg/Ea03hwKx13xMxoTIa3NCLLOAWeOdxm9Stor5X7WgHvmTFvMqkq66DjcEYyA
aG6ch5JuEM2ujZwf1I0h5q7L9XZO4PIDClPAcRmBaEuLRdsP973iNFmG6C/kzlss
HDM3lPhHg4op8JSOqLgtEifxVWFPYi/UCTvEFSfCBt78mbA0aXuFl7wG9DMqchgy
JHdQacHm+MAf6vM62kbqPX0edHfr88bLSwxsOU6YZA67LUo3oXzrNx7xg3vvd37L
rY4ud3aWJcPvBra/tq7ntttD/wnPvqZcE/X/ld5YdecVf1LJo3KCAHr1P7ajc/zD
ntYPy4yThcYNe98ajTzsRJ/TWmCNL3Xm4ERHmASKuvXebx/1eHP2QEm5SZY3g79e
Pwwud84HyNqp7t7bGhJcw4IDUoVpkCChSKrBIaYBnce2vMl1d5waVOi9YGUAiFqE
8FzIlzVSn52PaSLt7QGzY3mH8lgBAoHBAOaaFmBNoDSZPj/iVS/I9HhnM1seMtdo
re/wmqXmVnPDTJbx/4BLgS0BmmaSLgv+3BmiQtu1uqIeedFTGXQTmr1GXX8cgD96
0ylHA+3BqqoM1rSmlmT+0ms8qOWWQvUSVR8R90Q+RZmk0RwzlEBpLPMrk3uX7+Wm
BsT25dn4yPtMlgT1mbBiBHYex0y9kmoX1EWobyfChdHZwLj2u713pNmmHKfjZZjK
qwRLv5hDKsMSbyx8CyITznWRtfz3tdi36QKBwQDaCEYcv13d2PjTqTc6cxhQ4ElF
hmTc8VN5IoUAPJbLuUDD/9dicLWX3euyxBJmR7pkuXk0oEPs/5Oy/rDHsDk6cZCV
qsQMgWpZKrFUbfTVn8fXfLb+CJ2IUWIeXEvp+v96OB58P7tg1Pxi+l6D2B4zXBv0
p2a+vU5/sjU/lGyCrf2OBbNQIF+Q2Xhlp8gHMBSeA6XdhgaXykrisZUkZ26OSbRf GcocjUu5+bbkikF1XS2oQ0eZnV6vr4hL4oPE2L0CgcAaQnu/1bcjpju/fJ+kxGaK
e34Opz605ve/tg92SueXYSsMmVw2GOMJ4//YJFdYCFq6FI82g9hP89Z9btAcNstN
OIEXI4C7Odpn/e1FmuM7YCDnC31e3OHLUmoNUvInBEJrOlmFDO5SE8G4S2tbdl6n
BlRSI7gu15w3u8Hq83i3nT4MLIem3VKSvOiHJaNRr4r9r7OQvIcOoZRfu8EfT0uX
eWIUAEImhxW4dIPJ7AQnmKbOUwXViJnfK4uk1fSATFkCgcBa19uumqVXi9GRDw4t
0kqtV+Xvi+F2lS48aH+V66jA1T0A7RYms+NVlWdhIoSwDO7CjOzNWoEyvAIkMC4j
5W7SxQKC+ZWZyEoxQLKGBRJf96TiSdpM2fYZGB+Tms0efi/4Em3RQxSlcdh+vOao
dGGQ8K3NL/qFOob8eZnqFcNoZ2ofxIxDtFldFt8tK80SAZx1gfuX4wHYOLce4PLN
KjNMIbV/clVdtBl7MWpcqqY/akVduDqa7JDJDo/xXj2cxNkCgcBrQYvJQqoKLcxg
z+xByX0PYJ8Vw62UjBAv38CW0pAqy/zjqfu1SUFq/UB6+D/3LR4gt5QBMJL09C6u
V7597EYUiuH19Aj3ZSol+WWzkHjubmHowc8ZazIYSycqQ3vcdR25kqd9qyhr9NKo
60oOVSOZdApc3c5ECY0WGqXhjel6aX1h3bN+lESOGaKAdmfIzI5VCoqNFDS5QovK
tJHc2MEYO5oKZYIg1pysTfcFfM5UO6XX9gH0DJdP1R/GQnoV7cw=
-----END RSA PRIVATE KEY----- [[email protected] testing]$ cat
/etc/pki/tls/certs/test_ss_crt.pem
-----BEGIN CERTIFICATE----- MIIEODCCAqACCQCzx57HUSzlRDANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJY
WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
bnkgTHRkMRowGAYDVQQDDBFncmVlbmJlYW50ZWNoLm5ldDAeFw0xOTA2MTIxNjM0
MzZaFw0yMDA2MTExNjM0MzZaMF4xCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZh
dWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGjAYBgNVBAMM
EWdyZWVuYmVhbnRlY2gubmV0MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC
AYEAxGarBrx3JhDiEq5VVwbEFTY/GHLRnqD9X1Cti8l4s+dbdqHbr0gpyXS0DIF+
xiH1RHAkyw3Nzixf0vEoRRwOaRmkYk9uFTTOFDMNWEv00ZVzhjgCgxYWHBna4KQ+
S3lRpM8wlMPlpeqbjq0LsvfTO1rr/pSQ6Ml34tXVWRvrOjZeaEl4yV0LFzInbHo9
FlsABnmuAuRSD5gCMGIqiVnpChF4Cbu1WrEPi9LlID3zvXh7kED9EjFYDeaSUUwf
X/0AN4LgFuo1qj/iQ4KEDbAMo7L6dTN4AupYWatzTA1fK2K6AGYvYdnjTrNNbomZ
hOSNwlZfb9SD9/S5aQDcGkMyzCzb7svSYKvx5b5+XpxJLI1daDbidstrLg3DvEfp
GcGyOfLAu7ZOfgkZaeOZsFZj3MLQrzSlBFOZ+DYVEf0aq8iTvVt+mrp6MlncU0FL
UHngtmD7ZTJmFEgtbeUbrY/QwHvAQOCd85/0wbUf/5esBJKiiaNstKY7nJJ9gwsl
kF8FAgMBAAEwDQYJKoZIhvcNAQELBQADggGBAK8b7Eqo5GTDV1vgoJCl/SUUjPey
DnakNZ5rVGSmTDntgS7p1N9BaCS5JbRQkwDhRcRaGua6jH68uiAOlp03C+qZHERJ
kZOtHOhK+8Uetn2dD3G80l8OXRmAPLoJ7yEt+wBfohrC8TBScq+e8cjbCkq2lEKd
9BAFFj21dlv8gO/f8QMZjyVsrjLu4Dn1Pjlos3X8jXNNUzVRi2qtA9bLT+ldEkc6
9mcQpYVq2rX+b8uEwFqy26HEvbMjiQ7F8ocC5Kz0RrMMfnJWfELysTXwbF9IvZF1
8d1IKVY4PdhLi7ZLxtAiaUaA3u0zimPDHrlUtuu99v7mbnZ5qVYj0ekMGJ1bRmnb
bhfMqH34L2oSPpQTr9aYpuTOjpTR8juCflvcy0SUO2rinTeJK7BBWLVEhLi5JZ7v
Q2F/Lc2aP+Wot4RtvYpooBi/lB9TqhsfdWOdKEmS3fLFpNLEh4y2bNs8ENvDDtGL
tA1N791c156ih3i0Xdl7hiBV1CTwCoV1GCjyYw==
-----END CERTIFICATE----- [[email protected] testing]$

Help decrypting TLS between socket client and server

I built a socket server and socket client whose sole purpose is to communicate back and forth using TLS so I can learn how to decrypt the communication using Wireshark. While both are on the same Linux box, I will later use different machines, and they will pass back and form JSON. I've been really struggling on this and would very much appreciate some help. I've included everything I could think of but if I am missing something, please let me know. Thank you, thank you, thank you in advance.

The client has the server's certificate and the server has both the certificate and private key, and a passphrase is not being used, and I have included how I created the keys as well as the actual keys at the end of this post.

The following communication successfully occurs between the server and client.

Client connects to Server.
Server sends message to Client:
    Hello tls://127.0.0.1:38280!
    Welcome to this amazing server!
    Here's a tip: don't say anything.
Client sends message to Server:
    Hello server, how are you?
Server disconnects client.

I captured it using tshark on the remote Linux box using the following command and moved the pcap file to my Windows PC which is running wireshark Version 3.0.1 (see details shown at the end of this post) and also copied the server's private key to the Windows PC.

tshark -w /var/www/testing/public/test/filename.pcap -P -f "port 8080" -i lo

I went to Edit/Preferences/Protocols/TLS, clicked Edit near RSA Keys List, and added the private key (I also added IP 127.0.0.1, port 8080, and protocol data even though it is my understanding that Wireshark ignores it). I think this used to work before people used forward secrecy, but no longer does, and https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/describes a solution for using Firefox or Chrome to log the symmetric key and configure Wireshark's (Pre)-Master-Secrete log filename to point to it. This doesn't work for me, however, as both machines are headless and are not using browsers to access the data. Maybe some other means to capture the symmetric key is possible?

The output is below. As far as I can tell, nothing has been decrypted and I cannot find any text other than regarding the rsa key.

image description

The debug log is listed below (however, I removed some of the repeated checking as it was originally 394kb).

Any recommendations? Thank you!

EDIT 6/15/2019 11:54 AM

Looks like the pem key is not needed when using the master secret, right? Any ideas what I am doing wrong? I am not certain when I need to get the session key so am doing both before and after I run the capture. As far as I can tell, nothing is decrypted. I see a note how the (pre-)master secret is empty which seems important, and other notes saying that there is no decoder. I believe the PHP warnings are just related to using self signed keys and as seen under Terminal 2, the server and client are communicating. Just to be clear, the server is located on a headless Centos box and the client is located on a headless RPi, and there is no Chrome or Firefox browser, and sslkeylog.sh is used instead, right?

### TERMINAL 1
[email protected]:~/wireshark-notes/src $ rm keys.txt
[email protected]:~/wireshark-notes/src $ ./sslkeylog.sh php -r 'echo file_get_contents("https://55.44.33.22");'
PHP Warning:  file_get_contents(): Peer certificate CN=`admin.michaelsdomain.net' did not match expected CN=`55.44.33.22' in Command line code on line 1
PHP Warning:  file_get_contents(): Failed to enable crypto in Command line code on line 1
PHP Warning:  file_get_contents(https://55.44.33.22): failed to open stream: operation failed in Command line code on line 1
[email protected]:~/wireshark-notes/src $ export SSLKEYLOGFILE=$PWD/keys.txt
[email protected]:~/wireshark-notes/src $ cat keys.txt
# SSL key logfile generated by sslkeylog.c
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08

### TERMINAL 2
[email protected]:~/wireshark-testing-deployment $ php ~/wireshark-testing-deployment/test_client.php
Attempting to connection to 55.44.33.22:1338
Hello tls://44.55.66.77:39450!
Welcome to this amazing server!
Here's a tip: don't say anything.
client Socket Close:
[email protected]:~/wireshark-testing-deployment $

### TERMINAL 1
[email protected]:~/wireshark-notes/src $ tshark -w ~/test2.pcap  -P -f "port 1338"
Capturing on 'eth0'
    1 0.000000000 10.120.11.32 → 55.44.33.22 TCP 74 39450 → 1338 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=96979256 TSecr=0 WS=128
    2 0.070249800 55.44.33.22 → 10.120.11.32 TCP 74 1338 → 39450 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=712373902 TSecr=96979256 WS=128
    3 0.070341570 10.120.11.32 → 55.44.33.22 TCP 66 39450 → 1338 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=96979263 TSecr=712373902
    4 0.080873259 10.120.11.32 → 55.44.33.22 TCP 583 39450 → 1338 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=517 TSval=96979264 TSecr=712373902
    5 0.151267746 55.44.33.22 → 10.120.11.32 TCP 66 1338 → 39450 [ACK] Seq=1 Ack=518 Win=30080 Len=0 TSval=712373983 TSecr=96979264
    6 0.158770485 55.44.33.22 → 10.120.11.32 TCP 1514 1338 → 39450 [ACK] Seq=1 Ack=518 Win=30080 Len=1448 TSval=712373990 TSecr=96979264
    7 0.158800693 10.120.11.32 → 55.44.33.22 TCP 66 39450 → 1338 [ACK] Seq=518 Ack=1449 Win=32128 Len=0 TSval=96979272 TSecr=712373990
    8 0.159511681 55.44.33.22 → 10.120.11.32 TCP 300 1338 → 39450 [PSH, ACK] Seq=1449 Ack=518 Win=30080 Len=234 TSval=712373990 TSecr=96979264
    9 0.159542358 10.120.11.32 → 55.44.33.22 TCP 66 39450 → 1338 [ACK] Seq=518 Ack=1683 Win=35072 Len=0 TSval=96979272 TSecr=712373990
   10 0.164344740 10.120.11.32 → 55.44.33.22 TCP 204 39450 → 1338 [PSH, ACK] Seq=518 Ack=1683 Win=35072 Len=138 TSval=96979272 TSecr=712373990
   11 0.236213649 55.44.33.22 → 10.120.11.32 TCP 308 1338 → 39450 [PSH, ACK] Seq=1683 Ack=656 Win=31104 Len=242 TSval=712374068 TSecr=96979272
   12 0.237161355 10.120.11.32 → 55.44.33.22 TCP 122 39450 → 1338 [PSH, ACK] Seq=656 Ack=1925 Win=37888 Len=56 TSval=96979279 TSecr=712374068
   13 0.306177356 55.44.33.22 → 10.120.11.32 TCP 192 1338 → 39450 [PSH, ACK] Seq=1925 Ack=712 Win=31104 Len=126 TSval=712374138 TSecr=96979279
   14 0.306179544 55.44.33.22 → 10.120.11.32 TCP 66 1338 → 39450 [FIN, ACK] Seq=2051 Ack=712 Win=31104 Len=0 TSval=712374138 TSecr=96979279
   15 0.307370894 10.120.11.32 → 55.44.33.22 TCP 66 39450 → 1338 [FIN, ACK] Seq=712 Ack=2052 Win=37888 Len=0 TSval=96979286 TSecr=712374138
   16 0.384023853 55.44.33.22 → 10.120.11.32 TCP 66 1338 → 39450 [ACK] Seq=2052 Ack=713 Win=31104 Len=0 TSval=712374216 TSecr=96979286
^C16 packets captured
[email protected]:~/wireshark-notes/src $ export SSLKEYLOGFILE=$PWD/keys.txt
[email protected]:~/wireshark-notes/src $ cat keys.txt
# SSL key logfile generated by sslkeylog.c
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
[email protected]pi:~/wireshark-notes/src $ ./sslkeylog.sh php -r 'echo file_get_contents("https://55.44.33.22");'
PHP Warning:  file_get_contents(): Peer certificate CN=`admin.michaelsdomain.net' did not match expected CN=`55.44.33.22' in Command line code on line 1
PHP Warning:  file_get_contents(): Failed to enable crypto in Command line code on line 1
PHP Warning:  file_get_contents(https://55.44.33.22): failed to open stream: operation failed in Command line code on line 1
[email protected]:~/wireshark-notes/src $ export SSLKEYLOGFILE=$PWD/keys.txt
[email protected]:~/wireshark-notes/src $ cat keys.txt
# SSL key logfile generated by sslkeylog.c
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
CLIENT_RANDOM 2C7DAFF2BA03C55C4CBF5890B79466FC3FD30A52B14176F841D09496D047D49F A9219D21EBD85F6DD54990F438C6E9030EF5265A7D8DAC90A2A1436E46FB853BD8A3C8D4C7807D83B6D8AFE1238236D7
CLIENT_RANDOM 2C7DAFF2BA03C55C4CBF5890B79466FC3FD30A52B14176F841D09496D047D49F A9219D21EBD85F6DD54990F438C6E9030EF5265A7D8DAC90A2A1436E46FB853BD8A3C8D4C7807D83B6D8AFE1238236D7
[email protected]:~/wireshark-notes/src $

Below debug log replaces the one in my original post which was moved to the bottom of this post.

Wireshark SSL debug log 

Wireshark version: 3.0.1 (v3.0.1-0-gea351cd8)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3

ssl_association_remove removing UDP 8080 - handle 0000017F3169EDB0
KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
ssl_init private key file C:/Users/Michael/Documents/wireshark/test_ss_key.pem successfully loaded.
ssl_init port '8080' filename 'C:/Users/Michael/Documents/wireshark/test_ss_key.pem' password(only for p12 file) ''
association_add tls.port port 8080 handle 0000017F3169EDB0

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000017F346DA4B0
0000028BF263E500
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 512, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 
Calculating hash with offset 5 512
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000017F346DA4B0
0000028BF263E500
  record: offset = 0, reported_length_remaining = 1687
1448
ssl_try_set_version found version 0x0303 -> state 0x11
0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 66, 61, ssl state 0x11
0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 57 bytes, remaining 66 
ssl_try_set_version found version 0x0303 -> state 0x11
0x91
Calculating hash with offset 5 66
61
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
0x93
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x17
0x97
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
C:\Users\Michael\Documents\wireshark\sslkeylog.log
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
    matched client_handshake
client_random
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
CLIENT_RANDOM 2C7DAFF2BA03C55C4CBF5890B79466FC3FD30A52B14176F841D09496D047D49F A9219D21EBD85F6DD54990F438C6E9030EF5265A7D8DAC90A2A1436E46FB853BD8A3C8D4C7807D83B6D8AFE1238236D7
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
client_random
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
  record: offset = 71, reported_length_remaining = 1616
66, reported_length_remaining = 1382
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1094, ssl state 0x17
0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 76 71 length 1090 bytes, remaining 1170 1165 
Calculating hash with offset 76 71 1094
Certificate.KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 461, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
Calculating hash with offset 1175 461
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 46, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
Calculating hash with offset 1641 42
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 
Calculating hash with offset 1683 4
1165, reported_length_remaining = 283
  need_desegmentation: offset = 1165, reported_length_remaining = 283

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000028BF263E500
  record: offset = 0, reported_length_remaining = 466
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 461, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 5 length 457 bytes, remaining 466 
Calculating hash with offset 5 461

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000028BF263E500
  record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 46, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 5 length 38 bytes, remaining 51 
Calculating hash with offset 5 42
dissect_ssl3_handshake iteration 0 type 14 offset 47 length 0 bytes, remaining 51 
Calculating hash with offset 47 4

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000017F346DA4B0
0000028BF263E500
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 7, ssl state 0x17
0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
Calculating hash with offset 5 7
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 70, ssl state 0x17
0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
Calculating hash with offset 17 70
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
C:\Users\Michael\Documents\wireshark\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
    matched client_handshake
client_random
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
CLIENT_RANDOM 2C7DAFF2BA03C55C4CBF5890B79466FC3FD30A52B14176F841D09496D047D49F A9219D21EBD85F6DD54990F438C6E9030EF5265A7D8DAC90A2A1436E46FB853BD8A3C8D4C7807D83B6D8AFE1238236D7
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
client_random
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
97
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
C:\Users\Michael\Documents\wireshark\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
    matched client_handshake
client_random
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
CLIENT_RANDOM 2C7DAFF2BA03C55C4CBF5890B79466FC3FD30A52B14176F841D09496D047D49F A9219D21EBD85F6DD54990F438C6E9030EF5265A7D8DAC90A2A1436E46FB853BD8A3C8D4C7807D83B6D8AFE1238236D7
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 66d5e42f483160b31585f9b0dcf89c1c5440997f9aea04a67c265d3a222ba1a4
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 1fbf9e8aa88e24d2d6e4c12c7385d4ca336e01649f640b66828b5c208bce3cd8
    matched server_handshake
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
client_random
ssl_finalize_decryption state = 0x17
0x97
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 86 68 offset 98 length 16214909 9519997 bytes, remaining 138 

dissect_ssl enter frame #9 #11 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000017F346DA4B0
0000028BF263E500
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 186, ssl state 0x17
0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
Calculating hash with offset 5 186
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x417
0x497
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
C:\Users\Michael\Documents\wireshark\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
CLIENT_RANDOM C40D6A85DA69AB6CF328AB558FEE929068A5F5208B052FBD30C8B7104D543341 C6089A948883FB3BEB5DB34CCF64D83487EA055C04E7BD92F37F72A84DD4E94BECE84DB90D464874D838460EE9099E08
    matched client_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
client_random
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
CLIENT_RANDOM 2C7DAFF2BA03C55C4CBF5890B79466FC3FD30A52B14176F841D09496D047D49F A9219D21EBD85F6DD54990F438C6E9030EF5265A7D8DAC90A2A1436E46FB853BD8A3C8D4C7807D83B6D8AFE1238236D7
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
client_random
ssl_finalize_decryption state = 0x417
0x497
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x417
0x497
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 91 185 offset 202 length 10706772 15473357 bytes, remaining 242 

dissect_ssl enter frame #10 #12 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000017F346DA4B0
0000028BF263E500
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 51, ssl state 0x417
0x497
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #13 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000028BF263E500
  record: offset = 0, reported_length_remaining = 126
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 121, ssl state 0x497
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
1448
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
57 bytes, remaining 66 
  record: offset = 66, reported_length_remaining = 1382
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 71 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 
1165 
  record: offset = 1165, reported_length_remaining = 283
  need_desegmentation: offset = 1165, reported_length_remaining = 283

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
466
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 12 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 457 bytes, remaining 466 

dissect_ssl enter frame #9 #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 13 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 38 bytes, remaining 51 
dissect_ssl3_handshake iteration 0 type 14 offset 47 length 0 bytes, remaining 51 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 68 offset 98 length 9519997 bytes, remaining 138 

dissect_ssl enter frame #11 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 185 offset 202 length 15473357 bytes, remaining 242 

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 126
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
1448
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
57 bytes, remaining 66 
  record: offset = 66, reported_length_remaining = 1382
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 71 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 
1165 
  record: offset = 1165, reported_length_remaining = 283
  need_desegmentation: offset = 1165, reported_length_remaining = 283

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
466
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 12 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 457 bytes, remaining 466 

dissect_ssl enter frame #9 #8 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 13 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 38 bytes, remaining 51 
dissect_ssl3_handshake iteration 0 type 14 offset 47 length 0 bytes, remaining 51 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 68 offset 98 length 9519997 bytes, remaining 138 

dissect_ssl enter frame #11 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 185 offset 202 length 15473357 bytes, remaining 242 

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #13 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000028BF2619780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 126
dissect_ssl3_record: content_type 23 Application Data

My wireshark version is as follows:

Version 3.0.1 (v3.0.1-0-gea351cd8) 
Copyright 1998-2019 Gerald Combs <[email protected] contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.htmlThis is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 
Running on 64-bit Windows 10 (1803), build 17134, with Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, with 8191 MB of physical memory, with locale English_United States.1252, with libpcap version 1.9.0 (packet.dll version 0.992), with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835). 
Wireshark is Open Source Software released under the GNU General Public License. 
Check the man page and http://www.wireshark.org for more information.

The client has the server's certificate and the server has both the certificate and private key, and a passphrase is not being used. I created the keys as follows which are also shown below:

openssl genpkey -algorithm RSA
-pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out test_ss_key.pem openssl req -new -key test_ss_key.pem
-sha256 -days 365 -out test_ss_csr.pem openssl rsa -in test_ss_key.pem -out
test_ss_key.pem openssl x509 -req -in
test_ss_csr.pem -signkey
test_ss_key.pem -sha256 -days 365 -out
test_ss_crt.pem

[[email protected] testing]$ cat
/etc/pki/tls/private/test_ss_key.pem
-----BEGIN RSA PRIVATE KEY----- MIIG4gIBAAKCAYEAxGarBrx3JhDiEq5VVwbEFTY/GHLRnqD9X1Cti8l4s+dbdqHb
r0gpyXS0DIF+xiH1RHAkyw3Nzixf0vEoRRwOaRmkYk9uFTTOFDMNWEv00ZVzhjgC
gxYWHBna4KQ+S3lRpM8wlMPlpeqbjq0LsvfTO1rr/pSQ6Ml34tXVWRvrOjZeaEl4
yV0LFzInbHo9FlsABnmuAuRSD5gCMGIqiVnpChF4Cbu1WrEPi9LlID3zvXh7kED9
EjFYDeaSUUwfX/0AN4LgFuo1qj/iQ4KEDbAMo7L6dTN4AupYWatzTA1fK2K6AGYv
YdnjTrNNbomZhOSNwlZfb9SD9/S5aQDcGkMyzCzb7svSYKvx5b5+XpxJLI1daDbi
dstrLg3DvEfpGcGyOfLAu7ZOfgkZaeOZsFZj3MLQrzSlBFOZ+DYVEf0aq8iTvVt+
mrp6MlncU0FLUHngtmD7ZTJmFEgtbeUbrY/QwHvAQOCd85/0wbUf/5esBJKiiaNs
tKY7nJJ9gwslkF8FAgMBAAECggGAahAHzFt6/NOhQvVioNzGh64D5PAcw82tBwxK
rHLg/Ea03hwKx13xMxoTIa3NCLLOAWeOdxm9Stor5X7WgHvmTFvMqkq66DjcEYyA
aG6ch5JuEM2ujZwf1I0h5q7L9XZO4PIDClPAcRmBaEuLRdsP973iNFmG6C/kzlss
HDM3lPhHg4op8JSOqLgtEifxVWFPYi/UCTvEFSfCBt78mbA0aXuFl7wG9DMqchgy
JHdQacHm+MAf6vM62kbqPX0edHfr88bLSwxsOU6YZA67LUo3oXzrNx7xg3vvd37L
rY4ud3aWJcPvBra/tq7ntttD/wnPvqZcE/X/ld5YdecVf1LJo3KCAHr1P7ajc/zD
ntYPy4yThcYNe98ajTzsRJ/TWmCNL3Xm4ERHmASKuvXebx/1eHP2QEm5SZY3g79e
Pwwud84HyNqp7t7bGhJcw4IDUoVpkCChSKrBIaYBnce2vMl1d5waVOi9YGUAiFqE
8FzIlzVSn52PaSLt7QGzY3mH8lgBAoHBAOaaFmBNoDSZPj/iVS/I9HhnM1seMtdo
re/wmqXmVnPDTJbx/4BLgS0BmmaSLgv+3BmiQtu1uqIeedFTGXQTmr1GXX8cgD96
0ylHA+3BqqoM1rSmlmT+0ms8qOWWQvUSVR8R90Q+RZmk0RwzlEBpLPMrk3uX7+Wm
BsT25dn4yPtMlgT1mbBiBHYex0y9kmoX1EWobyfChdHZwLj2u713pNmmHKfjZZjK
qwRLv5hDKsMSbyx8CyITznWRtfz3tdi36QKBwQDaCEYcv13d2PjTqTc6cxhQ4ElF
hmTc8VN5IoUAPJbLuUDD/9dicLWX3euyxBJmR7pkuXk0oEPs/5Oy/rDHsDk6cZCV
qsQMgWpZKrFUbfTVn8fXfLb+CJ2IUWIeXEvp+v96OB58P7tg1Pxi+l6D2B4zXBv0
p2a+vU5/sjU/lGyCrf2OBbNQIF+Q2Xhlp8gHMBSeA6XdhgaXykrisZUkZ26OSbRf GcocjUu5+bbkikF1XS2oQ0eZnV6vr4hL4oPE2L0CgcAaQnu/1bcjpju/fJ+kxGaK
e34Opz605ve/tg92SueXYSsMmVw2GOMJ4//YJFdYCFq6FI82g9hP89Z9btAcNstN
OIEXI4C7Odpn/e1FmuM7YCDnC31e3OHLUmoNUvInBEJrOlmFDO5SE8G4S2tbdl6n
BlRSI7gu15w3u8Hq83i3nT4MLIem3VKSvOiHJaNRr4r9r7OQvIcOoZRfu8EfT0uX
eWIUAEImhxW4dIPJ7AQnmKbOUwXViJnfK4uk1fSATFkCgcBa19uumqVXi9GRDw4t
0kqtV+Xvi+F2lS48aH+V66jA1T0A7RYms+NVlWdhIoSwDO7CjOzNWoEyvAIkMC4j
5W7SxQKC+ZWZyEoxQLKGBRJf96TiSdpM2fYZGB+Tms0efi/4Em3RQxSlcdh+vOao
dGGQ8K3NL/qFOob8eZnqFcNoZ2ofxIxDtFldFt8tK80SAZx1gfuX4wHYOLce4PLN
KjNMIbV/clVdtBl7MWpcqqY/akVduDqa7JDJDo/xXj2cxNkCgcBrQYvJQqoKLcxg
z+xByX0PYJ8Vw62UjBAv38CW0pAqy/zjqfu1SUFq/UB6+D/3LR4gt5QBMJL09C6u
V7597EYUiuH19Aj3ZSol+WWzkHjubmHowc8ZazIYSycqQ3vcdR25kqd9qyhr9NKo
60oOVSOZdApc3c5ECY0WGqXhjel6aX1h3bN+lESOGaKAdmfIzI5VCoqNFDS5QovK
tJHc2MEYO5oKZYIg1pysTfcFfM5UO6XX9gH0DJdP1R/GQnoV7cw=
-----END RSA PRIVATE KEY----- [[email protected] testing]$ cat
/etc/pki/tls/certs/test_ss_crt.pem
-----BEGIN CERTIFICATE----- MIIEODCCAqACCQCzx57HUSzlRDANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJY
WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
bnkgTHRkMRowGAYDVQQDDBFncmVlbmJlYW50ZWNoLm5ldDAeFw0xOTA2MTIxNjM0
MzZaFw0yMDA2MTExNjM0MzZaMF4xCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZh
dWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGjAYBgNVBAMM
EWdyZWVuYmVhbnRlY2gubmV0MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC
AYEAxGarBrx3JhDiEq5VVwbEFTY/GHLRnqD9X1Cti8l4s+dbdqHbr0gpyXS0DIF+
xiH1RHAkyw3Nzixf0vEoRRwOaRmkYk9uFTTOFDMNWEv00ZVzhjgCgxYWHBna4KQ+
S3lRpM8wlMPlpeqbjq0LsvfTO1rr/pSQ6Ml34tXVWRvrOjZeaEl4yV0LFzInbHo9
FlsABnmuAuRSD5gCMGIqiVnpChF4Cbu1WrEPi9LlID3zvXh7kED9EjFYDeaSUUwf
X/0AN4LgFuo1qj/iQ4KEDbAMo7L6dTN4AupYWatzTA1fK2K6AGYvYdnjTrNNbomZ
hOSNwlZfb9SD9/S5aQDcGkMyzCzb7svSYKvx5b5+XpxJLI1daDbidstrLg3DvEfp
GcGyOfLAu7ZOfgkZaeOZsFZj3MLQrzSlBFOZ+DYVEf0aq8iTvVt+mrp6MlncU0FL
UHngtmD7ZTJmFEgtbeUbrY/QwHvAQOCd85/0wbUf/5esBJKiiaNstKY7nJJ9gwsl
kF8FAgMBAAEwDQYJKoZIhvcNAQELBQADggGBAK8b7Eqo5GTDV1vgoJCl/SUUjPey
DnakNZ5rVGSmTDntgS7p1N9BaCS5JbRQkwDhRcRaGua6jH68uiAOlp03C+qZHERJ
kZOtHOhK+8Uetn2dD3G80l8OXRmAPLoJ7yEt+wBfohrC8TBScq+e8cjbCkq2lEKd
9BAFFj21dlv8gO/f8QMZjyVsrjLu4Dn1Pjlos3X8jXNNUzVRi2qtA9bLT+ldEkc6
9mcQpYVq2rX+b8uEwFqy26HEvbMjiQ7F8ocC5Kz0RrMMfnJWfELysTXwbF9IvZF1
8d1IKVY4PdhLi7ZLxtAiaUaA3u0zimPDHrlUtuu99v7mbnZ5qVYj0ekMGJ1bRmnb
bhfMqH34L2oSPpQTr9aYpuTOjpTR8juCflvcy0SUO2rinTeJK7BBWLVEhLi5JZ7v
Q2F/Lc2aP+Wot4RtvYpooBi/lB9TqhsfdWOdKEmS3fLFpNLEh4y2bNs8ENvDDtGL
tA1N791c156ih3i0Xdl7hiBV1CTwCoV1GCjyYw==
-----END CERTIFICATE----- [[email protected] testing]$

Wireshark log file from original post (no longer applicable?)

Wireshark SSL debug log 

Wireshark version: 3.0.1 (v3.0.1-0-gea351cd8)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3

ssl_association_remove removing UDP 8080 - handle 0000017F3169EDB0
KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
ssl_init private key file C:/Users/Michael/Documents/wireshark/test_ss_key.pem successfully loaded.
ssl_init port '8080' filename 'C:/Users/Michael/Documents/wireshark/test_ss_key.pem' password(only for p12 file) ''
association_add tls.port port 8080 handle 0000017F3169EDB0

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 512, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 
Calculating hash with offset 5 512
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 1687
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 66, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
ssl_try_set_version found version 0x0303 -> state 0x11
Calculating hash with offset 5 66
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x17
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 1094, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
Calculating hash with offset 76 1094
Certificate.KeyID[20]:
| fc e8 45 0c cd 91 7d d9 05 0b 44 86 b0 00 ba a5 |..E...}...D.....|
| a5 6f 0f 23                                     |.o.#            |
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 461, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
Calculating hash with offset 1175 461
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 46, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
Calculating hash with offset 1641 42
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 
Calculating hash with offset 1683 4

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 7, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
Calculating hash with offset 5 7
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 70, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
Calculating hash with offset 17 70
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 f161790139c1a00f5bec14eee3ea6c4ef4063933bfe357f2498262783f0029d6
    matched server_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 66d5e42f483160b31585f9b0dcf89c1c5440997f9aea04a67c265d3a222ba1a4
    matched client_handshake
  checking keylog line: SERVER_HANDSHAKE_TRAFFIC_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 1fbf9e8aa88e24d2d6e4c12c7385d4ca336e01649f640b66828b5c208bce3cd8
    matched server_handshake
  checking keylog line: CLIENT_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 8c7daef9ef4137e9b7cba7dd2c378e71ccb4236100984bc7452a490b04217dc2
    matched client_appdata
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 186, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
Calculating hash with offset 5 186
ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Not using Session resumption
trying to use TLS keylog in C:\Users\Michael\Documents\sslkeylog.log
ssl_load_keyfile file got deleted, trying to re-open
  checking keylog line: CLIENT_HANDSHAKE_TRAFFIC_SECRET e37be05cae3e4d88642685da9a2fc7e35a35f2ecdb048a7a460667ec81225662 84a50b86610dac0b536a5db2b65be20d656f26e7844e97e99f809d7ce2c56633
    matched client_handshake
...APPROXIMATELY 900 LINES WERE REMOVED
  checking keylog line: SERVER_TRAFFIC_SECRET_0 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 b3a004a8a560552fc6c9b60b0412068ddd4b4e5263670e0f5947ee5bc9589c58
    matched server_appdata
  checking keylog line: EXPORTER_SECRET 0e9d952a7bef90e108bcd58e804b98d5cdecccc474d1e7d755b5300a67c96321 c9019eaf2cf1360d2be9617aa78c543015e3966a51ebcc63e8afae09710a0abd
    matched exporter
ssl_finalize_decryption state = 0x417
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 40, ssl state 0x417
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000017F346DA4B0
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 51, ssl state 0x417
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 508 bytes, remaining 517 

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1687
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 
  record: offset = 71, reported_length_remaining = 1616
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 76 length 1090 bytes, remaining 1170 
  record: offset = 1170, reported_length_remaining = 517
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 1175 length 457 bytes, remaining 1636 
  record: offset = 1636, reported_length_remaining = 51
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 1641 length 38 bytes, remaining 1687 
dissect_ssl3_handshake iteration 0 type 14 offset 1683 length 0 bytes, remaining 1687 

dissect_ssl enter frame #8 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 138
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 3 bytes, remaining 12 
  record: offset = 12, reported_length_remaining = 126
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 17 length 66 bytes, remaining 87 
  record: offset = 87, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 93, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 86 offset 98 length 16214909 bytes, remaining 138 

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 242
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 182 bytes, remaining 191 
  record: offset = 191, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 197, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 91 offset 202 length 10706772 bytes, remaining 242 

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000017F346B5780, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 56
dissect_ssl3_record: content_type 23 Application Data