Wireshark-bugs: [Wireshark-bugs] [Bug 6594] New: Failure to decrypt some SSL streams

Date: Thu, 17 Nov 2011 08:35:50 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6594

           Summary: Failure to decrypt some SSL streams
           Product: Wireshark
           Version: 1.6.3
          Platform: x86
        OS/Version: Windows 7
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: mcclown@xxxxxxxxx


Created an attachment (id=7429)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7429)
A capture with ssl decryption failing.

Build Information:
Version 1.6.3 (SVN Rev 39702 from /trunk-1.6)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Nov 1 2011), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022

--
Hi,

I've been looking at a collection of SSL sites with Wireshark and a debug build of
Firefox that dumps the SSL pre-master secrets so that I can use them to decrypt
the SSL traffic. Wireshark now supports working with these dumps since the
patch in #4349 was applied. As part of this work I've noticed a few bugs or
missing features in Wireshark's SSL decryption functionality. I've opened this
issue to track one of them.

I've attached two captures where there are some SSL streams that Wireshark
completely failed to decrypt. These captures were run on a completely new
machine that had just been built, so there shouldn't be any problems with
session resumption or anything like that. The simplest way to open up these
captures with the key file is to call Wireshark from the command line like
this: 

wireshark.exe -o ssl.keylog_file:"<path to keyfile>" <path to pcap>



From looking at the captures, these differences stick out from my other
captures:

- they both use TLS_RSA_WITH_CAMELLIA_256_CBC_SHA as their cipher suite. I
haven't noticed any other captures using this, but I haven't done a conclusive
search through them.

- 'Server Hello', 'Certificate' and 'Server Hello Done' are all in the one
packet. In the other ~20 captures I've looked at, 'Server Hello' was in its own
packet.

- SSL handshake 'Finished' messages from both the client and the server aren't
being decrypted. They're showing up as 'Encrypted Handshake Message' instead.
In the ssl debug file I get the following error for the first of these packets:

ssl_generate_keyring_material not enough data to generate key (0x53 required
0x37 or 0x57)
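For readers following the report, here is an added example (not Wireshark's code and not part of the bug report) of what a dissector has to derive before it can decrypt a TLS 1.0 record for TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: it parses the two line types a Firefox/NSS key log file can contain, runs the RFC 2246 PRF to turn the pre-master secret into the master secret, and expands the key block that the suite needs (2 x (20-byte MAC secret + 32-byte Camellia-256 key + 16-byte CBC IV) = 136 bytes), splitting it into the client and server secrets. All function and class names are this example's own, and the key log lines and random values are constructed.

```python
"""
Added example (not Wireshark code): TLS 1.0 key material derivation for
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA from a pre-master secret in an NSS-style
key log file.  Names are this example's own; sample inputs are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


def parse_keylog(text):
    """Parse the two line types the key log file can contain.

    RSA <hex: first 8 bytes of encrypted pre-master> <hex: 48-byte pre-master>
    CLIENT_RANDOM <hex: 32-byte client random> <hex: 48-byte master secret>
    Malformed lines are skipped rather than aborting, as a dissector would.
    """
    rsa, client_random = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.lstrip().startswith('#'):
            continue
        label, key, value = parts
        try:
            if label == 'RSA' and len(key) == 16 and len(value) == 96:
                rsa[bytes.fromhex(key)] = bytes.fromhex(value)
            elif label == 'CLIENT_RANDOM' and len(key) == 64 and len(value) == 96:
                client_random[bytes.fromhex(key)] = bytes.fromhex(value)
        except ValueError:  # non-hex payload on an otherwise well-formed line
            continue
    return rsa, client_random


def p_hash(hash_fn, secret, seed, length):
    """P_hash from RFC 2246 section 5, expanded to `length` bytes."""
    out, a = b'', seed                                       # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_fn).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves overlap by one byte when the length is odd)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha_part = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


@dataclass(frozen=True)
class SuiteParams:
    name: str
    key_len: int   # bulk cipher key, bytes
    mac_len: int   # MAC secret, bytes (output size of the suite's hash)
    iv_len: int    # CBC IV, bytes (cipher block size); 0 for stream ciphers


# Camellia-256: 32-byte key, 16-byte block (RFC 4132); SHA-1 MAC: 20 bytes.
CAMELLIA_256_CBC_SHA = SuiteParams('TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 32, 20, 16)


def key_block_len(suite):
    """Bytes of key_block needed: client and server MAC secret, write key and IV."""
    return 2 * (suite.mac_len + suite.key_len + suite.iv_len)


@dataclass(frozen=True)
class SessionKeys:
    master_secret: bytes
    client_mac: bytes
    server_mac: bytes
    client_key: bytes
    server_key: bytes
    client_iv: bytes
    server_iv: bytes


def split_key_block(block, suite, master_secret=b''):
    """Partition key_block in RFC 2246 section 6.3 order; refuse a short block,
    which is the condition a "not enough data to generate key" message reports."""
    needed = key_block_len(suite)
    if len(block) < needed:
        raise ValueError(f'key block is {len(block)} bytes, need {needed}')
    fields, pos = [], 0
    for size in (suite.mac_len, suite.mac_len, suite.key_len, suite.key_len,
                 suite.iv_len, suite.iv_len):
        fields.append(block[pos:pos + size])
        pos += size
    return SessionKeys(master_secret, *fields)


def derive_session_keys(premaster, client_random, server_random, suite):
    """RFC 2246 section 6.3 for a non-export suite: master secret, then key block."""
    master = tls10_prf(premaster, b'master secret', client_random + server_random, 48)
    block = tls10_prf(master, b'key expansion', server_random + client_random,
                      key_block_len(suite))
    return split_key_block(block, suite, master)


# Constructed sample key log: one pre-master line, one master-secret line, one bad line.
SAMPLE_KEYLOG = (
    '# SSL/TLS secrets log file, constructed for this example\n'
    'RSA ' + '11' * 8 + ' ' + '22' * 48 + '\n'
    'CLIENT_RANDOM ' + '33' * 32 + ' ' + '44' * 48 + '\n'
    'RSA bogus line\n'
)


def demo():
    """Look up the constructed pre-master secret and derive the session keys."""
    rsa, _ = parse_keylog(SAMPLE_KEYLOG)
    premaster = rsa[bytes.fromhex('11' * 8)]
    client_random, server_random = b'\x01' * 32, b'\x02' * 32   # constructed
    return derive_session_keys(premaster, client_random, server_random,
                               CAMELLIA_256_CBC_SHA)


if __name__ == '__main__':
    keys = demo()
    print('key block needed:', key_block_len(CAMELLIA_256_CBC_SHA), 'bytes')
    print('master secret   :', keys.master_secret.hex())
    print('client write key:', keys.client_key.hex())
```

The RSA line is matched against the first 8 bytes of the ClientKeyExchange's encrypted pre-master secret, so a capture that does not contain the matching ClientKeyExchange cannot be decrypted from that line; a CLIENT_RANDOM line skips the pre-master step and is matched on the ClientHello random instead. The sizes in the debug message quoted above are Wireshark's own accounting and are not reproduced here; the example only shows the RFC 2246 requirement for this suite.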

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.