Wireshark mailing list archives
Re: Strange SSL decode issue (SUPL, ULP)
From: Sake Blok <sake () euronet nl>
Date: Tue, 28 Apr 2015 13:04:37 +0200
On 27 apr 2015, at 14:46, Ralf G. R. Bergs wrote:
I enabled the SSL debug logging, and I noticed the following: For the trace that can't be decrypted I see the following:

ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_decrypt_pre_master_secret: session uses DH (17) key exchange, which is impossible to decrypt

while for the snoop that can be decrypted I see the following:

ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
pre master encrypted[256]:

and then a key in hex follows.

I can see from the snoop that the SSL/TLS dialog takes place. I see client hello, server hello, certificate, server key exchange, server hello, client key exchange, change cipher spec, encrypted handshake message, change cipher spec, encrypted handshake message, multiple application data packets back and forth, encrypted alerts twice. So it seems client and server /can/ talk.
Yes, the endpoints can communicate...
Conclusion: Wireshark seems to somehow be able to use the RSA key to decrypt the SSL/TLS traffic.
... but Wireshark is only able to decrypt traffic when an RSA key exchange has been used. In an RSA key exchange, there is no ServerKeyExchange handshake message (used for the Diffie-Hellman [DH] key exchange), as the client uses the public key in the Certificate to encrypt the PreMaster data (from which both the client and the server extract the session keys used for encrypting the application data). In short, in a DH key exchange, Wireshark can not decrypt the ClientKeyExchange and therefore can not extract the session keys used for encrypting the data stream.

You can make sure decryption works in three ways:

- Limit the cipher suites on the client, so that it only advertises non-DH ciphersuites
- Limit the cipher suites on the server, so that it only chooses non-DH ciphersuites (from the ciphersuites advertised by the client)
- Make the client or the server log the PreMaster data and point Wireshark to the key log file in the "(Pre-)MasterSecret logfile" SSL protocol preference.

Hope this helps,

Cheers,
Sake
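As an added illustration (not code from the thread or from Wireshark), the following Python applies Sake's rule to a server handshake flight: it parses the TLS records, reads the negotiated cipher suite from the ServerHello, and checks for a ServerKeyExchange message, reporting whether decryption with the server's RSA private key can work. The two flights at the bottom are constructed samples, not real captures, and the three-entry cipher suite table is a deliberately small subset of the IANA registry.

```python
import struct

# Subset of IANA cipher suite ids used by the constructed samples below. Only the
# key-exchange part of the name matters: TLS_RSA_* lets Wireshark use the server's
# private key; (EC)DHE suites derive the PreMaster secret in a way the key cannot undo.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def handshake_messages(records):
    """Return [(handshake_type, body)] for every handshake message in a run of TLS records."""
    out, off = [], 0
    while off < len(records):
        ctype, _ver, length = struct.unpack("!BHH", records[off:off + 5])
        body = records[off + 5:off + 5 + length]
        off += 5 + length
        if ctype != 22:          # 22 = handshake content type; skip alerts, app data, etc.
            continue
        p = 0
        while p < len(body):     # handshake header: type(1) length(3)
            hlen = int.from_bytes(body[p + 1:p + 4], "big")
            out.append((body[p], body[p + 4:p + 4 + hlen]))
            p += 4 + hlen
    return out

def server_hello_suite(body):
    """ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2) ..."""
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]

def rsa_decryptable(records):
    """(suite name, True if Wireshark can decrypt with the server's RSA key)."""
    msgs = handshake_messages(records)
    suite = next(server_hello_suite(b) for t, b in msgs if t == 2)   # 2 = ServerHello
    name = CIPHER_SUITES.get(suite, hex(suite))
    has_ske = any(t == 12 for t, _ in msgs)                          # 12 = ServerKeyExchange
    return name, (not has_ske and name.startswith("TLS_RSA_"))

def hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def record(payload):
    return b"\x16\x03\x03" + struct.pack("!H", len(payload)) + payload

def sample(suite, with_ske):
    """Constructed server flight: ServerHello (empty session id), Certificate, [SKE], Done."""
    sh = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    msgs = hs(2, sh) + hs(11, b"\x00\x00\x00")
    if with_ske:
        msgs += hs(12, b"\x00" * 8)
    return record(msgs + hs(14, b""))

RSA_FLIGHT = sample(0x002F, False)   # decryptable with the RSA key
DHE_FLIGHT = sample(0x0033, True)    # needs a key log file instead
```

Running the classifier on a real capture would use the records of the server's first flight instead of the constructed ones; the same ServerKeyExchange check is what the "session uses DH" debug line in the quoted log reflects.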