Wireshark-users: Re: [Wireshark-users] HTTP/2 decrytion with sslkeylog

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Thu, 19 Jan 2017 11:56:57 +0000


On 19 January 2017 at 06:38, Muhui Jiang <jiangmuhui@xxxxxxxxx> wrote:
Hi all

Thanks for your replied, I just thought that I may not get the reply anymore.

Thanks Miroslav Rovis. Thanks for your encouragement, though I still didn't figure my problem out. I tried nearly one hundred times, which makes me doubt about myself :(.   But I will continue work on this problem.

I ever asked the same question in ask.wireshark.org, but get no answer. I ever see someone who post articles introducing the HTTP/2 decryption,which is nearly the same as SSL decryption. I tried, but failed. 

Here I want to say again, anyone who has decrypt the HTTP/2 successfully and completely, I hope to get your help to tell me your configurations and environments. Thank you so much.

Besides, do you think whether I need to post this question to the dev-mailing list, which may get a appropriate solution.

Regards
Muhui


The dev mailing list is for development questions so wouldn't generally be appropriate for this type of question unless it turns out to be a bug.

As all Wireshark contributors, bar Gerald, are volunteers on the project our ability to respond to user questions, or bugs or anything else is limited by our time, our abilities and our curiosity.

In this particular case it would seem that no-one else has a capture of TLS encrypted HTTP2 traffic with the associated keylog so that the decryption could be tested.  Providing such a capture and keylog and the Wireshark ssl debug log along with question is much more likely to get a response.  The docs aren't very clear on the use of the ssl debug log, but it's set in the SSL dissector preferences.

Fundamentally, I don't think using HTTP2 is any different to HTTP as far as TLS decryption is concerned and as decryption of that works the probability is that there's something wrong in the originators decryption setup.  Pre-master secret decryption is part of the tests run for every build resulting from a Wireshark commit to the source repository, e.g. https://buildbot.wireshark.org/wireshark-master/builders/Windows%20Server%202012%20R2%20x64/builds/2660/steps/test.sh/logs/stdio (look for Section 6 decryption).



2017-01-19 10:00 GMT+08:00 Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>:
On 170118-18:51+0000, Graham Bloice wrote:
> On 18 January 2017 at 18:43, Jim Aragon <Jim@xxxxxxxxxxxxxxxxx> wrote:
>
> > At 09:39 AM 1/18/2017, you wrote:
> >
> > >(Not much at all from me, but...)
> > >But for some reason, it seems the talk has gone elsewhere, or that lost
> > >of poeple are even afraid to learn what is really happening with in their
> > >machines when on the internet...
> >
> > You're right, the talk has gone elsewhere. Specifically, almost everyone
> > who used to monitor the mailing list has moved to the Wireshark Question
> > and Answer site, ask.wireshark.org. That's now a better place for asking
> > Wireshark questions, and you are much more likely to get an answer there.
> >
> >
> Where the appropriate question is:
> https://ask.wireshark.org/questions/58758/http2-decrytion-with-sslkeylog
and where it hasn't received any replies yet either ;-)

I've watched not a small number of videos from Wireshark people
recently, and I have to say I've become all the more of a fan of people
who make the reading of the network available to all the end users of
the world who are not afraid of learning.

I'm (almost) 60 and I don't memorize names and events/procedures/facts
unless I re-read/re-view/re-talk on the subject of the memorization,
but...

But I just very much like Gerald who invented Wireshark...

And the CEO of the Riverbed (the Yankees fan and the baseball judge) is
great too (God, what a fascinating pedagogical, heuristical, simple but
comprising explanations!)... Terribly intriguing that he don't like
coloring in Wireshark ;-) !

And the guy that currently works on the anonymization program, and who
is a good English speaker but is German/Austrian/<some-other-Teutonic>
national (originally)...

And the guy I think, who in 2014(?) made Wireshark decrypt SSL! Sake
Blok or so? The Dutch scuba diver...

And the other one who Evangelically (in the non-denominative Christian
way) gave everything to the poor, and now came back and works, and still
doesn't even have the car or a house of his own... but is so happy!

And the Japanese girl...

And the others... I've currently little time, I sure always dump local
traces (local till I find the money to do it properly, even running
another machine for tracing is too costly at this time...)... Always,
but only, that...  And I have too little time right now to
re-read/re-view as I said above that I need...

And I'm glad that the company is doing great!

Regards to everybody!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr




--
Graham Bloice