Wireshark-users: Re: [Wireshark-users] HTTP/2 decryption with sslkeylog

From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Thu, 19 Jan 2017 14:03:31 +0100
On 170119-11:56+0000, Graham Bloice wrote:
> On 19 January 2017 at 06:38, Muhui Jiang <jiangmuhui@xxxxxxxxx> wrote:
> 
> > Hi all
> >
> > Thanks for your replies, I just thought that I may not get the reply
> > anymore.
> >
> > Thanks Miroslav Rovis. Thanks for your encouragement,
You are welcome, Muhui!

> > though I still
> > didn't figure my problem out. I tried nearly one hundred times, which makes
> > me doubt myself :(.   But I will continue to work on this problem.
> >
> > I once asked the same question on ask.wireshark.org, but got no answer. I
> > have seen someone post articles introducing HTTP/2 decryption, which
> > is nearly the same as SSL decryption. I tried, but failed.
It may not be too late, if you go the way that Graham Bloice suggests
below.

> > Here I want to say again, anyone who has decrypted HTTP/2 successfully
> > and completely, I hope to get your help to tell me your configurations and
> > environments. Thank you so much.
I haven't, because I disable HTTP2/SPDY, but I have been posting
complete or near complete (usually only when I need to remove
frame.number's with passwords) traces (less important, but appealing to
non-experts: along with screencasts), and surely along with the
corresponding part of the $SSLKEYLOGFILE's at (my NGO's website):
http://www.croatiafidelis.hr/foss/cap/
(latest example being the directory:
Secret Agent Palemoon Addon
http://www.croatiafidelis.hr/foss/cap/cap-170117-SA/
where I don't know if the (near) complete story, yet to follow, will be
of much use to solve the issue in question there with the developer of
the addon, which I needed to publish my attempt about contacting the
dev at:
Secret Agent issues
https://forum.palemoon.org/viewtopic.php?f=50&t=14541 )
> > Besides, do you think whether I need to post this question to the
> > dev-mailing list, which may get an appropriate solution.
> >
> > Regards
> > Muhui
> >
> >
> The dev mailing list is for development questions so wouldn't generally be
> appropriate for this type of question unless it turns out to be a bug.
> 
> As all Wireshark contributors, bar Gerald, are volunteers on the project
> our ability to respond to user questions, or bugs or anything else is
> limited by our time, our abilities and our curiosity.
> 
> In this particular case it would seem that no-one else has a capture of TLS
> encrypted HTTP2 traffic with the associated keylog so that the decryption
> could be tested.

This is what I have been doing on my NGO's website that I linked
above:
> Providing such a capture and keylog and the Wireshark ssl
> debug log along with question is much more likely to get a response.
That above is important!
( Essentially, for any lurking readers, go from:
https://wiki.wireshark.org/SSL
and you can also use my:
https://github.com/miroR/tshark-streams once you set up keylogging ;-) )

> The docs aren't very clear on the use of the ssl debug log, but it's
> set in the SSL dissector preferences.
> 
> Fundamentally, I don't think using HTTP2 is any different to HTTP as far as
> TLS decryption is concerned and as decryption of that works the probability
> is that there's something wrong in the originator's decryption setup.
Another important point above!

And the below is, at this stage, above me ;-) . Well, also because I'm
out of time...
> Pre-master secret decryption is part of the tests run for every build
> resulting from a Wireshark commit to the source repository, e.g.
> https://buildbot.wireshark.org/wireshark-master/builders/Windows%20Server%202012%20R2%20x64/builds/2660/steps/test.sh/logs/stdio
> (look for Section 6 decryption).
> 
> 
> >
> > 2017-01-19 10:00 GMT+08:00 Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>:
> >
> >> On 170118-18:51+0000, Graham Bloice wrote:
> >> > On 18 January 2017 at 18:43, Jim Aragon <Jim@xxxxxxxxxxxxxxxxx> wrote:
> >> >
> >> > > At 09:39 AM 1/18/2017, you wrote:
> >> > >
> >> > > >(Not much at all from me, but...)
> >> > > >But for some reason, it seems the talk has gone elsewhere, or that lots
> >> > > >of people are even afraid to learn what is really happening within their
> >> > > >machines when on the internet...
> >> > >
> >> > > You're right, the talk has gone elsewhere. Specifically, almost everyone
> >> > > who used to monitor the mailing list has moved to the Wireshark Question
> >> > > and Answer site, ask.wireshark.org. That's now a better place for asking
> >> > > Wireshark questions, and you are much more likely to get an answer there.
> >> > >
> >> > >
> >> > Where the appropriate question is:
> >> > https://ask.wireshark.org/questions/58758/http2-decrytion-with-sslkeylog
> >> and where it hasn't received any replies yet either ;-)
> >>
> >> I've watched not a small number of videos from Wireshark people
> >> recently, and I have to say I've become all the more of a fan of people
> >> who make the reading of the network available to all the end users of
> >> the world who are not afraid of learning.
> >>
> >> I'm (almost) 60 and I don't memorize names and events/procedures/facts
> >> unless I re-read/re-view/re-talk on the subject of the memorization,
> >> but...
> >>
> >> But I just very much like Gerald who invented Wireshark...
> >>
> >> And the CEO of the Riverbed (the Yankees fan and the baseball judge) is
> >> great too (God, what a fascinating pedagogical, heuristical, simple but
> >> comprising explanations!)... Terribly intriguing that he doesn't like
> >> coloring in Wireshark ;-) !
> >>
> >> And the guy that currently works on the anonymization program, and who
> >> is a good English speaker but is German/Austrian/<some-other-Teutonic>
> >> national (originally)...
> >>
> >> And the guy I think, who in 2014(?) made Wireshark decrypt SSL! Sake
> >> Blok or so? The Dutch scuba diver...
> >>
> >> And the other one who Evangelically (in the non-denominative Christian
> >> way) gave everything to the poor, and now came back and works, and still
> >> doesn't even have the car or a house of his own... but is so happy!
> >>
> >> And the Japanese girl...
> >>
> >> And the others... I've currently little time, I sure always dump local
> >> traces (local till I find the money to do it properly, even running
> >> another machine for tracing is too costly at this time...)... Always,
> >> but only, that...  And I have too little time right now to
> >> re-read/re-view as I said above that I need...
> >>
> >> And I'm glad that the company is doing great!
> >>
> >> Regards to everybody!
> >> --
> >> Miroslav Rovis
> >> Zagreb, Croatia
> >> http://www.CroatiaFidelis.hr
> >>
> >>
> 
> 
> -- 
> Graham Bloice

So you too are a dev! It would take me many more years of hard work to
become one, but I admire you guys and gals! Thank you for your kindness!

And I wish Muhui good luck in, if that is the underlying issue, getting
the setup right, and then getting the necessary support!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: Digital signature
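
An added illustration, not part of the original message and not Wireshark's own code: since the thread points to the decryption setup as the likely culprit, this Python check sanity-tests a key log file of the kind $SSLKEYLOGFILE produces and reports whether it holds an entry for a given ClientHello random. It covers only the `CLIENT_RANDOM` and `RSA` line types; the function names and all sample values are constructed for the example.

```python
import re

# Key log line layout: <label> <hex identifier> <hex secret>.
# Values are the expected hex lengths of the identifier and the secret.
FORMATS = {
    "CLIENT_RANDOM": (64, 96),  # 32-byte ClientHello random, 48-byte master secret
    "RSA": (16, 96),            # 8 bytes of encrypted pre-master, 48-byte pre-master
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def check_keylog(text):
    """Return (set of usable client randoms, list of (line_no, problem))."""
    randoms, problems = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split()
        if len(parts) != 3:
            problems.append((n, "expected 3 fields, line may be truncated"))
            continue
        label, ident, secret = parts
        if label not in FORMATS:
            problems.append((n, "label not covered by this check: " + label))
            continue
        id_len, secret_len = FORMATS[label]
        if not (HEX.match(ident) and HEX.match(secret)):
            problems.append((n, "non-hex characters"))
        elif len(ident) != id_len or len(secret) != secret_len:
            problems.append((n, "wrong field length"))
        elif label == "CLIENT_RANDOM":
            randoms.add(ident.lower())
    return randoms, problems

def has_secret_for(client_random_hex, text):
    """True if the key log holds a well-formed entry for this ClientHello
    Random (the 32-byte value shown in the capture's Client Hello)."""
    return client_random_hex.lower() in check_keylog(text)[0]

# Constructed sample: one good entry, one cut-short secret, one RSA entry,
# and one line that lost its last field.
SAMPLE = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "ef" * 40,
    "RSA " + "0f" * 8 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "34" * 32,
])

if __name__ == "__main__":
    print(check_keylog(SAMPLE))
```

If the capture's ClientHello random has no matching well-formed line, the key log was written by a different session or process than the one captured, which is a setup problem rather than an HTTP/2 one.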