Wireshark-bugs: [Wireshark-bugs] [Bug 11263] TLS 1.2 Packet Capture with PMS Data

Date: Fri, 12 Jun 2015 02:06:38 +0000

Comment # 2 on bug 11263 from
(In reply to Peter Wu from comment #1)
> Used by https://code.wireshark.org/review/8803
> 
> I can already decrypt the capture with the existing key logfile formats:
> 
>     awk '{print "CLIENT_RANDOM " $2 " " $4}' test_traffic_pms.txt > premaster.txt
> 
> Why invent a new one? The key logfile is pretty widespread, what is the
> advantage of having another format?

Creating a new format is not my intention.  My intention is to create an avenue
for decrypting capture files when the CLIENT_RANDOM (CR) and PMS can be
determined or guessed, and for whatever reason, the MS cannot be recovered.  In
your script, you are simply using the CLIENT_RANDOM+MS here.  Under the
intended use case this fact will not be true.  I kept the MS parameter as an
artifact to avoid introducing problems/bugs through the creation of a new RegEx
to parse the files in the Wireshark SSL decryption utility.

In the test files, the MS is valid, which has caused some confusion (sorry).
The presumption for this feature is that the MS key was or cannot be recovered.
Under these circumstances, if the user is lucky enough to recover the PMS, they
can use the CR+PMS to calculate the MS to perform decryption.

This file is produced with a script, not a program that follows a given
standard.  In this case, the MS, PMS, and CR values are captured directly from
the server's memory in a predictable manner, and the script merged them into a
file.  The MS values could have just as easily been invalid, but the decryption
would have still happened.  Let me know if this does not clarify your
confusion.
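The CR+PMS case discussed in this comment, as an added example that is not part of the bug thread or of Wireshark's own code: it derives the TLS 1.2 master secret from the pre-master secret with the RFC 5246 PRF and emits a CLIENT_RANDOM line in the key log format Wireshark already reads, so no new file format is needed. It assumes the ServerHello.random is taken from the capture, that the session did not negotiate the extended master secret extension (RFC 7627, which replaces the randoms with the session hash), and that the cipher suite uses the SHA-256 PRF (pass "sha384" for SHA-384 suites); all sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample values for demonstration only (not taken from the bug's capture).
SAMPLE_CLIENT_RANDOM = bytes.fromhex("00" * 4 + "11" * 28)
SAMPLE_SERVER_RANDOM = bytes.fromhex("22" * 32)
SAMPLE_PMS = bytes.fromhex("0303" + "33" * 46)  # RSA pre-master secret: version + 46 random bytes


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF, RFC 5246 section 5: P_<hash>(secret, label + seed) by HMAC iteration."""
    seed = label + seed
    a = seed  # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # block i of P_hash
    return out[:length]


def master_secret(pms: bytes, client_random: bytes, server_random: bytes, hash_name: str = "sha256") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0:48]."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS hello randoms are 32 bytes each")
    if not pms:
        raise ValueError("empty pre-master secret")
    return tls12_prf(pms, b"master secret", client_random + server_random, 48, hash_name)


def keylog_line(pms: bytes, client_random: bytes, server_random: bytes, hash_name: str = "sha256") -> str:
    """Emit the NSS key log line Wireshark already understands, with the MS computed from CR+PMS."""
    ms = master_secret(pms, client_random, server_random, hash_name)
    return f"CLIENT_RANDOM {client_random.hex()} {ms.hex()}"


if __name__ == "__main__":
    # Append the printed line to the file given to Wireshark as the (Pre)-Master-Secret log.
    print(keylog_line(SAMPLE_PMS, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM))
```

If the handshake used the extended master secret extension, this derivation will yield a wrong MS and decryption will fail; that is a limitation of the CR+PMS approach, not of the key log format.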

