Wireshark-bugs: [Wireshark-bugs] [Bug 6196] New: Incomplete decryption of multiple TLS record la
Date: Wed, 3 Aug 2011 14:23:49 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6196

Summary: Incomplete decryption of multiple TLS record layers in single packet
Product: Wireshark
Version: 1.6.1
Platform: x86
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: toby.bearden@xxxxxxxxx

Build Information:
Version 1.6.1 (SVN Rev 38096 from /trunk-1.6)

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 18 2011), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022
--
I have a TLS session that I am trying to decrypt. I have the server private key entered for the ip/port in use, and it partially decrypts the session, but the server response comes back with 2 TLS record layers with only the first one being decrypted. I look at the ssl debug file and it looks like the first record is identified as "from server - TRUE" and uses the server decrypt, but the second record says "from server - FALSE" and uses client decrypt which obviously fails. I don't see the same behavior on the client packets with multiple TLS record layers. See below for server packet debug log...

dissect_ssl enter frame #427 (first time)
conversation = 051C7820, ssl_session = 051C7B88
record: offset = 0, reported_length_remaining = 334
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 206, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 206
Ciphertext[206]: 68 f2 c5 cc 3e 3d fe fa b8 8a 1d 50 d6 11 cf 2a 65 38 8f 3a 0e 9e 5d 3d 9e 18 4e bc 20 9c 22 e5 10 82 7c a2 f9 9b 0a 38 66 cb 51 fa bf 41 a7 1d d7 34 d2 eb e2 ca 6a 11 d5 19 1e ed 51 1d 4b 83 31 5b c6 ab 56 7b 25 4f 12 6f 25 4f 46 3b ca f5 1f 37 c3 29 20 97 86 3e 1b 5b 32 0a 8f df 02 7b 6c 2a 10 48 a2 31 7f 9d e9 fb f1 a3 de 03 c1 37 58 30 9f e7 cf 93 10 00 18 a9 62 c5 4b c8 10 91 28 52 da fe 92 bb 57 ca 06 f2 c7 b6 9d fe 93 48 4b c5 88 95 36 ab da c3 b6 82 35 ca 3c 28 60 eb ce a0 da b5 9b d8 1a af 1e 46 0e c8 57 c0 f3 f0 50 76 b3 6b b9 14 29 52 70 5b d2 35 cc d4 8b 5f 03 8d a1 9a 3f ff ae 21 3a b0 66 cc 9c 8e
Plaintext[206]: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 33 20 41 75 67 20 32 30 31 31 20 31 38 3a 30 33 3a 35 34 20 47 4d 54 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 53 65 72 76 6c 65 74 20 32 2e 35 3b 20 4a 42 6f 73 73 2d 35 2e 30 2f 4a 42 6f 73 73 57 65 62 2d 32 2e 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 39 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a e0 a5 e9 87 07 b4 9f 06 57 84 e5 de 58 1c 14 4c cf d6 8e 76
checking mac (len 186, version 301, ct 23 seq 1)
tls_check_mac mac type:SHA1 md 2
Mac[20]: e0 a5 e9 87 07 b4 9f 06 57 84 e5 de 58 1c 14 4c cf d6 8e 76
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 186, seq = 0, nxtseq = 186
association_find: TCP port 443 found 046C6C80
dissect_ssl3_record decrypted len 186
decrypted app data fragment: HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 18:03:54 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/plain;charset=UTF-8
Content-Length: 98
Connection: close

dissect_ssl3_record found association 046C6C80
record: offset = 211, reported_length_remaining = 123
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 118, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 118
Ciphertext[118]: 7a 69 a4 59 b7 dc cf 1a a4 5e c3 29 8d 11 55 5b 0c 84 c8 33 fb 31 42 e3 7d de a2 cb 4b 74 fd 48 bf 44 6c bf c0 1b 7e db f0 b9 d0 f8 58 f9 9b ba 6a d8 a1 93 f8 96 ce 0d 94 36 2e e1 48 8b 82 dc 38 24 ed e2 67 ca 0c 8a c6 f6 e2 c2 d9 36 6c e9 87 7e de 39 55 13 d7 76 be dd 85 fd 92 c9 f5 7f ae 48 2d 42 b5 a4 52 ee 47 fc ab 21 e4 3f d5 78 39 c3 c1 82 63 90
Plaintext[118]: d9 96 ce 3d 9c 4d f0 22 c3 d6 0a d5 4c 09 41 a2 f1 62 6e 76 e7 c8 3c df a5 2f 28 13 b4 12 9e 95 8a 67 aa b1 a1 fe dd 4b fe 5a ca 2a 26 e1 c2 23 9a 70 34 2d 3b a5 8f 05 ac 4d 59 0c 00 25 35 06 a0 5d 4c bf 91 c6 6e d8 41 2b c2 ff fb df bd 06 2a 3c 7f e7 2b 90 09 8c 6c 80 a5 22 18 a3 42 53 fb 0c c2 4c 94 1b f8 0f cf 4d 07 48 da 3b 7f 7d f5 43 21 b5 7a c0
checking mac (len 98, version 301, ct 23 seq 4)
tls_check_mac mac type:SHA1 md 2
Mac[20]: 48 1e 58 6f 06 49 ee 77 63 2a 42 95 05 03 f0 62 ee e4 0d 92
ssl_decrypt_record: mac failed
association_find: TCP port 18516 found 00000000
association_find: TCP port 21584 found 00000000
association_find: TCP port 0 found 00000000

--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
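
As an added example (not part of the original report and not Wireshark code): a small Python triage script that parses SSL debug-log lines like those in the report and flags frames whose TLS records are attributed to different directions, which is the symptom described. The sample input is abridged from the log in the report with hex dumps omitted; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the debug log in the report (hex dumps and some lines omitted).
SAMPLE_LOG = """\
dissect_ssl enter frame #427 (first time)
record: offset = 0, reported_length_remaining = 334
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
checking mac (len 186, version 301, ct 23 seq 1)
ssl_decrypt_record: mac ok
record: offset = 211, reported_length_remaining = 123
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
checking mac (len 98, version 301, ct 23 seq 4)
ssl_decrypt_record: mac failed
"""

FRAME = re.compile(r"dissect_ssl enter frame #(\d+)")
RECORD = re.compile(r"\brecord: offset = (\d+)")
FIELDS = {
    "from_server": re.compile(r"is from server - (TRUE|FALSE)"),
    "decoder": re.compile(r"using (server|client) decoder"),
    "seq": re.compile(r"checking mac \(.* seq (\d+)\)"),
    "mac": re.compile(r"ssl_decrypt_record: mac (ok|failed)"),
}

def parse_records(log):
    """Return {frame: [record dict, ...]} in the order records were dissected."""
    frames, frame, rec = defaultdict(list), None, None
    for line in log.splitlines():
        if m := FRAME.search(line):
            frame, rec = int(m.group(1)), None
        elif (m := RECORD.search(line)) and frame is not None:
            rec = {"offset": int(m.group(1))}
            frames[frame].append(rec)
        elif rec is not None:
            for key, rx in FIELDS.items():
                if m := rx.search(line):
                    rec[key] = m.group(1)
    return dict(frames)

def direction_flips(frames):
    """Frames whose records disagree on direction; one TCP segment has one sender."""
    return {f: recs for f, recs in frames.items()
            if len({r["from_server"] for r in recs if "from_server" in r}) > 1}

if __name__ == "__main__":
    for frame, recs in direction_flips(parse_records(SAMPLE_LOG)).items():
        print(frame, recs)
```

Run against a full debug file, each flagged frame lists the offset, chosen decoder, MAC sequence number and MAC result per record, so a direction flip can be matched to the record that failed.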