Hi,
As the debug log says, one backend node does while the other doesn't use a DH
key exchange. I would look carefully at the crypto configuration of both backend
nodes.
Thanks,
Jaap
On 04/14/2015 10:28 PM, Ralf G. R. Bergs wrote:
> Hi there.
>
> I have a strange issue decoding SUPL traffic (i. e. ULP protocol traffic
> encrypted with TLS).
>
> As I operate the SUPL server I have the server private key.
>
> I took two snoops on two different frontends (we proxy the traffic on the
> frontend to the backend nodes using HAProxy; the SSL connection is not
> terminated on HAProxy, but it is transparently forwarded to the backend and
> terminated/decrypted there), and the sessions were handled by two different
> backend nodes.
>
> The problem is that I can decrypt one snoop (i. e. there are lines with protocol
> "ULP" in the dump,) while the other snoop fails to decrypt (i. e. . I checked to
> make sure that there is no problem on the backend node WRT to X.509 setup (Java
> keystore).
>
> WireShark is set up in a way that in the protocol prefs for SSL I have in the
> RSA key list the private key file specified for IP address "any" and port
> "7275," and the protocol is "ulp."
>
> I enabled the SSL debug logging, and I noticed the following: For the trace that
> can't be decrypted I see the following:
>> ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
>> ssl_decrypt_pre_master_secret: session uses DH (17) key exchange, which is
>> impossible to decrypt
> while for the snoop that /can/ be decrypted I see the following:
>> ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
>> pre master encrypted[256]:
> and then a key in hex follows.
>
> I have no clue how to further investigate this issue, my only guess that this is
> a bug in WireShark.
>
> Any advice?
>
> If it helps I could send the SSL debug logs, but I would remove all hex dump
> from them as I know too little about this, and I can't inadvertently disclose
> the server private key.
>
> Kind regards,
>
> Ralf
>
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>