rpecka's profile - activity

2019-11-21 14:34:28 +0000 received badge  Notable Question (source)
2019-11-21 14:34:28 +0000 received badge  Famous Question (source)
2018-07-31 12:07:38 +0000 received badge  Popular Question (source)
2018-04-11 13:32:40 +0000 commented answer Can't see encrypted application data in SSL session

Thanks a lot for your help, I really appreciate it, this has been a headache for me for a while. I have full access to t

2018-04-11 13:29:25 +0000 marked best answer Can't see encrypted application data in SSL session

Hi,

I'm having some trouble trying to inspect SSL encrypted websocket traffic from an iOS device that I have proxied through my Mac. I used tcpdump to create a .pcap

I've spent a bit of time going through old forum posts to find a solution to this and I believe I've eliminated the following issues:

  • The sessions I'm trying to view do not use a Diffie-Hellman key exchange (NOTE: some requests in the list DO use it but I am not trying to look at those ones. Frames I would like to see are frames like 16510, 16578, and 16580.)
  • The certificate and private key I have provided do match the ones used in the requests because I have not received a mismatch error.
  • I started the tcpdump before I started the application whose traffic I'm trying to inspect so I CAN see that every handshake is captured.

My ssldebug is below.

Thanks in advance!

Wireshark SSL debug log

Wireshark version: 2.4.5 (v2.4.5-0-g153e867)
GnuTLS version:    3.4.17
Libgcrypt version: 1.7.7

2668 bytes read
PKCS#12 imported
Bag 0/0: PKCS#8 Encrypted key
KeyID[20]:
| 9e 19 ff 04 83 81 7f 56 cf 9b b4 0c 3d f2 6d ea |.......V....=.m.|
| 3b e1 8b 43                                     |;..C            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file KEY_FILE_LOCATION_REDACTED successfully loaded.
ssl_init port '443' filename 'FILENAME_REDACTED' password(only for p12 file) 'PASSWORD_REDACTED'
association_add ssl.port port 443 handle 0x118d71f20

dissect_ssl enter frame #153 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c659530, ssl_session = 0x11c659600
  record: offset = 0, reported_length_remaining = 239
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 234, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 230 bytes, remaining 239
Calculating hash with offset 5 234
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #154 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c659d90, ssl_session = 0x11c659e60
  record: offset = 0, reported_length_remaining = 240
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 235, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 231 bytes, remaining 240
Calculating hash with offset 5 235
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #155 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c65a5f0, ssl_session = 0x11c65a6c0
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 240, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 236 bytes, remaining 245
Calculating hash with offset 5 240
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #156 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x11c65ae50, ssl_session = 0x11c65af20
  record: offset = 0, reported_length_remaining = 238
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 233, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using ...
2018-04-11 13:29:25 +0000 received badge  Scholar (source)
2018-04-11 03:17:37 +0000 commented answer Can't see encrypted application data in SSL session

This means I can't view the data, correct?

2018-04-10 15:34:00 +0000 commented question Can't see encrypted application data in SSL session

The ssldebug is too long so I can't edit the post. I just noticed there's a typo in the list of example frames I want to

2018-04-10 15:30:16 +0000 asked a question Can't see encrypted application data in SSL session