Wireshark-users: Re: [Wireshark-users] TLSv1 decode problem
From: Michael Kaps <info@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Dec 2010 21:55:26 +0100
On 21.12.2010 18:36, Sake Blok wrote:
> On 21 dec 2010, at 17:30, info@xxxxxxxxxxxxxxxxxxx wrote:
>
>> I am trying to decode TLSv1 SSL traffic with wireshark and pem-certificate under Windows. Unfortunately the SSL debug log says:
>>
>> decrypt_ssl3_record: using server decoder
>> decrypt_ssl3_record: no decoder available
>
> This only means that for the SSL-record that is currently dissected, there is not yet keying information available. These messages also appear when decrypting does take place. Could you provide the ssl-debug log up to the last packet of the SSL handshake?
>
> Cheers,
> Sake

Okay, at the beginning the log says that the private key file was successfully loaded.
Here is the handshake from the ssl logfile:

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 05271B9C size 584
conversation = 05271868, ssl_session = 05271B9C
record: offset = 0, reported_length_remaining = 120
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 115, ssl state 0x00
association_find: TCP port 2021 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 111 bytes, remaining 120
packet_from_server: is from server - FALSE
ssl_find_private_key server xxx.xxx.xxx.xxx:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #5 (first time)
conversation = 05271868, ssl_session = 05271B9C
record: offset = 0, reported_length_remaining = 146
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 74, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
record: offset = 79, reported_length_remaining = 67
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 85, reported_length_remaining = 61
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 56, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 90 length 11457484 bytes, remaining 146
dissect_ssl enter frame #6 (first time)
conversation = 05271868, ssl_session = 05271B9C
record: offset = 0, reported_length_remaining = 672
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 6, reported_length_remaining = 666
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 56, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 169 offset 11 length 14909829 bytes, remaining 67
record: offset = 67, reported_length_remaining = 605
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 600, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 2021 found 00000000
association_find: TCP port 443 found 0464ACA0
dissect_ssl enter frame #4 (already visited)
conversation = 05271868, ssl_session = 00000000
record: offset = 0, reported_length_remaining = 120
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 111 bytes, remaining 120
dissect_ssl enter frame #5 (already visited)
conversation = 05271868, ssl_session = 00000000
record: offset = 0, reported_length_remaining = 146
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
record: offset = 79, reported_length_remaining = 67
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 85, reported_length_remaining = 61
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 12 offset 90 length 11457484 bytes, remaining 146
dissect_ssl enter frame #6 (already visited)
conversation = 05271868, ssl_session = 00000000
record: offset = 0, reported_length_remaining = 672
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
record: offset = 6, reported_length_remaining = 666
dissect_ssl3_record: content_type 22
dissect_ssl3_handshake iteration 1 type 169 offset 11 length 14909829 bytes, remaining 67
record: offset = 67, reported_length_remaining = 605
dissect_ssl3_record: content_type 23
association_find: TCP port 2021 found 00000000
association_find: TCP port 443 found 0464ACA0
dissect_ssl enter frame #7 (first time)
conversation = 05271868, ssl_session = 05271B9C
record: offset = 0, reported_length_remaining = 386
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 381, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 443 found 0464ACA0

Unfortunately I really don't know what I am doing wrong.

Best regards
Michael
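
An added example, not part of the original message and not Wireshark code: a small Python parser for SSL debug-log lines like the ones in this message. It follows the `-> state` transitions, decodes which inputs are still missing when `ssl_generate_keyring_material` gives up, and lists the handshake types seen before the first ChangeCipherSpec. The names for bits 0x20 and 0x40 are assumed from Wireshark's SSL dissector source; the log itself only confirms 0x01, 0x02, 0x04 and 0x10.

```python
import re

# Bit names: 0x01/0x02/0x04/0x10 follow from the log's own "-> state" lines;
# 0x20 and 0x40 are assumed from Wireshark's SSL dissector source.
STATE_BITS = {0x01: "client random", 0x02: "server random", 0x04: "cipher",
              0x10: "version", 0x20: "master secret", 0x40: "pre-master secret"}

# Excerpt of first-pass lines copied from the log in this message.
SAMPLE_LOG = """\
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 111 bytes, remaining 120
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl3_record found version 0x0300 -> state 0x11
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_change_cipher_spec
dissect_ssl3_handshake iteration 1 type 12 offset 90 length 11457484 bytes, remaining 146
"""

def summarize(log_text):
    """Return final state, missing key inputs and cleartext handshake types."""
    state, required, types, encrypted = 0, [], [], False
    for line in log_text.splitlines():
        if "dissect_ssl3_change_cipher_spec" in line:
            encrypted = True  # later "types" are ciphertext bytes, not real types
        m = re.search(r"-> state (0x[0-9A-Fa-f]+)", line)
        if m:
            state = int(m.group(1), 16)
        m = re.search(r"required (0x[0-9A-Fa-f]+) or (0x[0-9A-Fa-f]+)", line)
        if m:
            required = [int(g, 16) for g in m.groups()]
        m = re.search(r"dissect_ssl3_handshake iteration \d+ type (\d+)", line)
        if m and not encrypted:
            types.append(int(m.group(1)))
    # For each acceptable state, name the bits the session never reached.
    missing = [STATE_BITS.get(r & ~state, hex(r & ~state)) for r in required]
    return {"state": state, "missing": missing, "cleartext_types": types,
            "client_key_exchange_seen": 16 in types}  # 16 = ClientKeyExchange

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this excerpt the only cleartext handshake types are 1 (ClientHello) and 2 (ServerHello); no ClientKeyExchange (16) appears, and that is the message an RSA private key is applied to in order to recover the pre-master secret.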