
Decrypt TLS (cipher ECDHE) using SSLKEYLOGFILE

Hi!

I want to decrypt TLS frames with Wireshark. I saw from the Server Hello that ECDHE is used, so the RSA key is useless.

But even with SSLKEYLOGFILE, decryption doesn't work.

Here is an extract of my SSL debug file:

dissect_ssl enter frame #355 (first time)
packet_from_server: is from server - TRUE
  conversation = 0x55b3f6b2d370, ssl_session = 0x55b3f6b2e970
  record: offset = 0, reported_length_remaining = 2658
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 323, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 319 bytes, remaining 328 
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 323
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0xC02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -> state 0x97
ssl_dissect_hnd_hello_ext_alpn: changing handle (nil) to 0x55b3f385b390 (http2)trying to use SSL keylog in /home/lsalamani/sslkeylog.log
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
  record: offset = 328, reported_length_remaining = 2330
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 2197, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 333 length 2193 bytes, remaining 2530 
Calculating hash with offset 333 2197
lookup(KeyID)[20]:
| d4 88 42 e9 5d 7a c0 36 9d 5b d2 65 8f f4 0c 54 |..B.]z.6.[.e...T|
| 54 d7 0f 30                                     |T..0            |
ssl_find_private_key_by_pubkey: lookup result: (nil)
  record: offset = 2530, reported_length_remaining = 128
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 114, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 2535 length 110 bytes, remaining 2649 
Calculating hash with offset 2535 114
  record: offset = 2649, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 2654 length 0 bytes, remaining 2658 
Calculating hash with offset 2654 4
updated 2018-05-18 09:05:53 +0000

Comments

Your ssl dbg log is virtually unreadable due to the formatting. Can you edit your question and simply paste the contents of the log file in, highlight it and then click the code button (101010) to format it as code?

grahamb (2018-05-18 09:30:18 +0000)

Thanks for the tips! It's done.

leandre (2018-05-18 09:33:08 +0000)

1 Answer


Apparently it was a problem with Chromium, which doesn't update the sslkeylogfile. With Chrome it seems to work fine!

leandre answered 2018-05-18 11:33:10 +0000
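
A check for the situation in this thread, where the key log file was not being updated: the added example below (not part of the original posts) parses an NSS-format key log file and reports whether it holds a CLIENT_RANDOM entry for a given TLS 1.2 session. The key log text and random values are constructed samples; in practice the client random is copied from the Random field of the Client Hello in the capture.

```python
import re

# NSS key log line: <LABEL> <hex context> <hex secret>. A TLS 1.2 session
# (version 0x0303, as in the debug log above) needs:
#   CLIENT_RANDOM <32-byte ClientHello random> <48-byte master secret>
_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return (entries, malformed): entries[label][context_hex] = secret_hex,
    malformed = 1-based numbers of lines that do not fit the format."""
    entries, malformed = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        m = _LINE.match(line)
        if not m or len(m.group(2)) % 2 or len(m.group(3)) % 2:
            malformed.append(number)
            continue
        label, context, secret = m.groups()
        entries.setdefault(label, {})[context.lower()] = secret.lower()
    return entries, malformed

def diagnose(text, client_random_hex):
    """Classify why a TLS 1.2 session can or cannot be decrypted from this log."""
    entries, _ = parse_keylog(text)
    secret = entries.get("CLIENT_RANDOM", {}).get(client_random_hex.lower())
    if secret is not None:
        return "ok" if len(secret) == 96 else "bad-secret-length"
    if not entries:
        return "empty"      # the application never wrote any keys
    return "missing"        # keys were logged, but not for this session

# Constructed sample data (not taken from the capture in the question).
SAMPLE_RANDOM = "11" * 32
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file (constructed sample)\n"
    f"CLIENT_RANDOM {'22' * 32} {'BB' * 48}\n"
    f"CLIENT_RANDOM {SAMPLE_RANDOM} {'aa' * 48}\n"
    "CLIENT_RANDOM 3333 truncated-line\n"
)

if __name__ == "__main__":
    for cr in (SAMPLE_RANDOM, "44" * 32):
        print(cr[:8], diagnose(SAMPLE_KEYLOG, cr))
    print("malformed lines:", parse_keylog(SAMPLE_KEYLOG)[1])
```

A result of `empty` or `missing` for a session captured while the browser was running means the application did not log keys for that connection, so Wireshark has nothing to decrypt with.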
