Re: HTTP/2 decrytion with sslkeylog

[Miroslav Rovis <miro.rovis () croatiafidelis hr>]

On 170119-11:56+0000, Graham Bloice wrote:
> On 19 January 2017 at 06:38, Muhui Jiang <jiangmuhui () gmail com> wrote:
>
> > Hi all
> >
> > Thanks for your replied, I just thought that I may not get the reply
> > anymore.
> >
> > Thanks Miroslav Rovis. Thanks for your encouragement,
You are welcome, Muhui!

> > though I still
> > didn't figure my problem out. I tried nearly one hundred times, which makes
> > me doubt about myself :(.   But I will continue work on this problem.
> >
> > I ever asked the same question in ask.wireshark.org, but get no answer. I
> > ever see someone who post articles introducing the HTTP/2 decryption,which
> > is nearly the same as SSL decryption. I tried, but failed.
It may not be too late, if you go the way that Graham Boice suggest
below.

> > Here I want to say again, anyone who has decrypt the HTTP/2 successfully
> > and completely, I hope to get your help to tell me your configurations and
> > environments. Thank you so much.
I haven't, because I disable HTTP2/SPDY, but I have been posting
complete or near complete (usually only when I need to remove
frame.number's with passwords) traces (less important, but appealing to
non-experts: along with screencasts), and surely along with the
corresponding part of the $SSLKELOGFILE's at (my NGO's website):
http://www.croatiafidelis.hr/foss/cap/
(
latest example being the directory:
Secret Agent Palemoon Addon
http://www.croatiafidelis.hr/foss/cap/cap-170117-SA/
where I don't know it the (near) complete story, yet to follow, will be
of much use to solve the issue in question there with the developer of
the addon, which I needed to publish my attempt about contacting the
dev at:
Secret Agent issues
https://forum.palemoon.org/viewtopic.php?f=50&t=14541
> > Besides, do you think whether I need to post this question to the
> > dev-mailing list, which may get a appropriate solution.
> >
> > Regards
> > Muhui
> The dev mailing list is for development questions so wouldn't generally be
> appropriate for this type of question unless it turns out to be a bug.
>
> As all Wireshark contributors, bar Gerald, are volunteers on the project
> our ability to respond to user questions, or bugs or anything else is
> limited by our time, our abilities and our curiosity.
>
> In this particular case it would seem that no-one else has a capture of TLS
> encrypted HTTP2 traffic with the associated keylog so that the decryption
> could be tested.

This is what I have beeing doing on my NGO's website that I linked
above:
> Providing such a capture and keylog and the Wireshark ssl
> debug log along with question is much more likely to get a response.
That above is important!
( Essentially, for any lurking readers, go from:
https://wiki.wireshark.org/SSL
and you can also use my:
https://github.com/miroR/tshark-streams once you setup keylogging ;-) )

> The docs aren't very clear on the use of the ssl debug log, but it's
> set in the SSL dissector preferences.
>
> Fundamentally, I don't think using HTTP2 is any different to HTTP as far as
> TLS decryption is concerned and as decryption of that works the probability
> is that there's something wrong in the originators decryption setup.
Another important point above!

And the below is, at this stage, above me ;-) . Well, also because I'm
out of time...
> Pre-master secret decryption is part of the tests run for every build
> resulting from a Wireshark commit to the source repository, e.g.
> https://buildbot.wireshark.org/wireshark-master/builders/Windows%20Server%202012%20R2%20x64/builds/2660/steps/test.sh/logs/stdio
> (look for Section 6 decryption).
>
>
> > 2017-01-19 10:00 GMT+08:00 Miroslav Rovis <miro.rovis () croatiafidelis hr>:
> >
> > > On 170118-18:51+0000, Graham Bloice wrote:
> > > > On 18 January 2017 at 18:43, Jim Aragon <Jim () agdatasystems com> wrote:
> > > >
> > > > > At 09:39 AM 1/18/2017, you wrote:
> > > > >
> > > > > > (Not much at all from me, but...)
> > > > > > But for some reason, it seems the talk has gone elsewhere, or that
> > > lost
> > > > > > of poeple are even afraid to learn what is really happening with in
> > > their
> > > > > > machines when on the internet...
> > > > >
> > > > > You're right, the talk has gone elsewhere. Specifically, almost
> > > everyone
> > > > > who used to monitor the mailing list has moved to the Wireshark
> > > Question
> > > > > and Answer site, ask.wireshark.org. That's now a better place for
> > > asking
> > > > > Wireshark questions, and you are much more likely to get an answer
> > > there.
> > > > >
> > > > Where the appropriate question is:
> > > > https://ask.wireshark.org/questions/58758/http2-decrytion-
> > > with-sslkeylog
> > > and where it hasn't received any replies yet either ;-)
> > >
> > > I've watched not a small number of videos from Wireshark people
> > > recently, and I have to say I've become all the more of a fan of people
> > > who make the reading of the network available to all the end users of
> > > the world who are not afraid of learning.
> > >
> > > I'm (almost) 60 and I don't memorize names and events/procedures/facts
> > > unless I re-read/re-view/re-talk on the subject of the memorization,
> > > but...
> > >
> > > But I just very much like Gerald who invented Wireshark...
> > >
> > > And the CEO of the Riverbed (the Yankees fan and the baseball judge) is
> > > great too (God, what a fascinating pedagogical, heuristical, simple but
> > > comprising explanations!)... Terribly intriguing that he don't like
> > > coloring in Wireshark ;-) !
> > >
> > > And the guy that currently works on the anonymization program, and who
> > > is a good English speaker but is German/Austrian/<some-other-Teutonic>
> > > national (originally)...
> > >
> > > And the guy I think, who in 2014(?) made Wireshark decrypt SSL! Sake
> > > Blok or so? The Dutch scuba diver...
> > >
> > > And the other one who Evangelically (in the non-denominative Christian
> > > way) gave everything to the poor, and now came back and works, and still
> > > doesn't even have the car or a house of his own... but is so happy!
> > >
> > > And the Japanese girl...
> > >
> > > And the others... I've currently little time, I sure always dump local
> > > traces (local till I find the money to do it properly, even running
> > > another machine for tracing is too costly at this time...)... Always,
> > > but only, that...  And I have too little time right now to
> > > re-read/re-view as I said above that I need...
> > >
> > > And I'm glad that the company is doing great!
> > >
> > > Regards to everybody!
> > > --
> > > Miroslav Rovis
> > > Zagreb, Croatia
> > > http://www.CroatiaFidelis.hr
>
>
> -- 
> Graham Bloice

So you too are a dev! It would take me many more years of hard work to
become one, but I admire you guys and gals! Thank you for your kindness!

And I wish Muhui good luck in, if that is the underlying issue, getting
the setup right, and then getting the necessary support!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: Digital signature

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe