(Pre)-Master-Secret TLS decryption not working on Mac

Hello

I'm trying to decrypt TLSv1.2 with reference to the following page:

Using the (Pre)-Master-Secret: https://wiki.wireshark.org/TLS

My environment is as follows:

Mac: Ventura 13.3.1 (22E261)
Chrome: 114.0.5735.133 (Official Build) (x86_64)
Wireshark: Version 4.0.6 (v4.0.6-0-gac2f5a01286a)

Chrome constantly updates the SSL key log file.

I set the SSLKEYLOGFILE path as "(Pre)-Master-Secret log filename" in Wireshark.

But TLS decryption is not working.

The following encrypted data is displayed:

Encrypted Application Data: 7e7b734de5867a290b3429a7794766752e8dfc28f1efbd4aeafeb0c6aa94dc24ee0a9f4b…

Is there any way to verify that Wireshark is referencing the SSLKEYLOGFILE and performing the decryption?

omlet, asked 2023-06-18 08:37:52 +0000

Comments

Set the TLS debug file that is mentioned in the Preferences section on the wiki page.

Chuckc (2023-06-18 10:12:52 +0000)

I've got the following message in the TLS debug file.

dissect_ssl enter frame #23294 (first time)
    packet_from_server: is from server - FALSE
    conversation = 0x7f95796645d0, ssl_session = 0x7f9579664d30
    record: offset = 0, reported_length_remaining = 57
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 52, ssl state 0x10
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
omlet (2023-06-25 03:43:03 +0000)

Thank you very much. Resolved.

omlet (2023-06-25 04:08:17 +0000)

1 Answer


Did you:

  1. Close ALL Chrome windows before starting the capture?
  2. Start Chrome from the terminal window where you set the SSLKEYLOGFILE environment variable?

If you select the packet with the encrypted Application Data, and then apply the filter tcp.stream==${tcp.stream}, do you see the full TLS handshake? Does the handshake show a "Finished" from both sides or does it show "encrypted handshake" message from both sides?

If you want to check if the functionality actually works, you can download a trace of mine from https://www.cloudshark.org/captures/1... and you will find the TLS session key in the capture file comments (see: capture file properties).

SYN-bit, answered 2023-06-19 12:26:52 +0000
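A concrete way to do the check the answer above describes, as an added example that is not part of the original thread and not Wireshark's own code: Wireshark can only decrypt a session if the Client Random from that session's ClientHello appears in the key log file, so the script below extracts the 32-byte random from a ClientHello record, indexes a key log by Client Random, and reports which secret labels (TLS 1.2 CLIENT_RANDOM, or the TLS 1.3 traffic-secret labels) are available. The key log lines, the randoms and the minimal ClientHello are constructed test data, not a real Chrome session; the function names are my own.

```python
from typing import Dict, List, Tuple

# TLS record content type and handshake message type (RFC 5246 / RFC 8446).
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_CLIENT_HELLO = 0x01

# Labels written to SSLKEYLOGFILE by NSS/BoringSSL-based clients such as Chrome.
# Each line is "<LABEL> <client_random hex> <secret hex>".
KEYLOG_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.2 and earlier: the master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 labels follow
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}


def parse_keylog(text: str) -> Dict[bytes, List[Tuple[str, bytes]]]:
    """Index a key log by Client Random: {client_random: [(label, secret), ...]}.
    Comment lines, blank lines and malformed lines are skipped, as Wireshark does."""
    index: Dict[bytes, List[Tuple[str, bytes]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        try:
            client_random = bytes.fromhex(parts[1])
            secret = bytes.fromhex(parts[2])
        except ValueError:
            continue
        if len(client_random) != 32:
            continue
        index.setdefault(client_random, []).append((parts[0], secret))
    return index


def client_random_from_record(record: bytes) -> bytes:
    """Extract the Client Random from a TLS record that carries a ClientHello.
    Layout: 5-byte record header, 4-byte handshake header, 2-byte legacy
    version, then the 32-byte random (what Wireshark shows as tls.handshake.random)."""
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short to hold a ClientHello")
    if record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {record[0]:#x})")
    if record[5] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello (handshake type {record[5]:#x})")
    return record[11:43]


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around a given random.
    Constructed test input: one cipher suite, no extensions, just enough
    structure for the parser above."""
    assert len(client_random) == 32
    body = b"\x03\x03" + client_random + b"\x00"   # version, random, empty session id
    body += b"\x00\x02\x13\x01"                    # cipher suites: one entry
    body += b"\x01\x00"                            # compression methods: null
    handshake = bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def available_labels(record: bytes, keylog_text: str) -> List[str]:
    """Return the key-log labels present for this ClientHello's Client Random.
    An empty list is the situation behind 'no decoder available' in the debug log."""
    client_random = client_random_from_record(record)
    return [label for label, _ in parse_keylog(keylog_text).get(client_random, [])]


# Constructed sample data (not from any real session).
KNOWN_RANDOM = bytes.fromhex("11" * 32)    # TLS 1.2 session present in the log
TLS13_RANDOM = bytes.fromhex("33" * 32)    # TLS 1.3 session present in the log
UNKNOWN_RANDOM = bytes.fromhex("22" * 32)  # session Chrome never logged
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by Chrome (constructed sample)",
    f"CLIENT_RANDOM {KNOWN_RANDOM.hex()} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {TLS13_RANDOM.hex()} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {TLS13_RANDOM.hex()} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {TLS13_RANDOM.hex()} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {TLS13_RANDOM.hex()} {'ee' * 32}",
    "CLIENT_RANDOM truncated_line_that_must_be_ignored",
])

if __name__ == "__main__":
    for name, random in (("known", KNOWN_RANDOM), ("tls13", TLS13_RANDOM), ("unknown", UNKNOWN_RANDOM)):
        labels = available_labels(build_client_hello(random), SAMPLE_KEYLOG)
        print(f"{name}: {labels or 'NO SECRET LOGGED -> Wireshark cannot decrypt this session'}")
```

Against a real capture, copy the Client Random from the ClientHello (the `tls.handshake.random` field) and look it up in the file Chrome was started with; if it is absent, the capture was started after the handshake or Chrome was not launched from the shell where SSLKEYLOGFILE was exported, and no preference setting will fix it. The same key log can be handed to tshark with `-o tls.keylog_file:/path/to/keylog` to confirm decryption outside the GUI.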

Comments

Thank you very much. Resolved.

I mistakenly thought that the protocol was not compounded when I saw the message "Encrypted Application Data" in the TLS record.

When I looked at the record with protocol HTTP2, I was able to view the decrypted message.

omlet (2023-06-25 04:07:47 +0000)
