gRPC traffic dissector with TLSv1.3

grpc
TLS
dissector
protobuf
retag add tags

Hey, I am trying to read some gRPC traffic that has been encrypted over TLSv1.3, but so far I am not having any success. I am using a client and a server written in C++, and exporting the tls session key to a txt file which has the following format:
SERVER_HANDSHAKE_TRAFFIC_SECRET val
CLIENT_HANDSHAKE_TRAFFIC_SECRET val
EXPORTER_SECRET val
SERVER_TRAFFIC_SECRET_0 val
CLIENT_TRAFFIC_SECRET_0 val

I put this file in the field (Pre)-Master-Secret log filename of the TLS protocol settings. At that point I expect to be able to read the traffic but that is not the case. Is the format of key correct and/or am I misunderstanding something ? Did someone succeed in doing this ?

TLS logs:
Those suspicious line:
- tls13_load_secret Cannot find SERVER_TRAFFIC_SECRET_0, decryption impossible
- tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible

But I can't make any sense of this, since those variable are in the file.

Thanks ! I can put sample files if needed.

Stew4690

asked 2023-07-04 14:26:29 +0000, updated 2023-07-04 15:18:30 +0000

edit flag offensive 0 remove flag close merge delete

Comments

TLS - Preference Settings - have you tried enabling the debug file and checking the output for errors?

Chuckc (2023-07-04 14:54:20 +0000) edit

Just did that and updated post but I don't really understand why it doesn't find the variable.

Stew4690 (2023-07-04 15:19:22 +0000) edit

There is a tls13-debug.txt attached to issue 12779: Add TLS 1.3 support

Does your log have the trying to use SSL keylog in "filename" entry?

Chuckc (2023-07-04 15:42:27 +0000) edit

It has trying to use TLS keylog in "path to filename"

Stew4690 (2023-07-04 15:52:45 +0000) edit

Can you share the debug log or the capture and key log file?
(Place them on a public file share and add the link in the question above)

Chuckc (2023-07-05 00:24:11 +0000) edit

add a comment see more comments

1 Answer

Sort by

oldest

newest

most voted

Okay, found the answer, the issue came from the end of line format. The file was on CRLF and not LF so wireshark was reading the whole file as a single line. My bad... Thanks for your help !

Stew4690

answered 2023-07-05 09:58:22 +0000

edit flag offensive 0 remove flag delete link

Comments

It would help if you add the output of wireshark -v or Help->About Wireshark:Wireshark to the question.
The example I gave in the issues was from an older version of Wireshark so ssl vs tls.
There was a somewhat related issue with dfilters that might also need to be applied to the key log files.
18082: "dfilter" file on Windows adds carriage returns, and requires line feeds

Chuckc (2023-07-05 12:40:18 +0000) edit

Are you still open to sharing the original files and Wireshark version info?
I modified the openssl_keylog.txt in issue 12779 to have CRLF EOL and the decode works fine in Wireshark 4.0.6.

Chuckc (2023-07-05 14:39:54 +0000) edit

My bad

No, our bad. Given that text files may be written on Windows and read in a UN*X Wireshark, or written on a UN*X system and read in a Windows Wireshark, we need to be able to handle text files with LF-only line endings in the Windows version of Wireshark and handle text files with CR-LF line endings in the UN*X version(s) of Wireshark.

Please file an issue on this on the Wireshark issues list.

Guy Harris (2023-07-05 19:14:41 +0000) edit

I will share the files when I get my other pc back. Also the issue might come from how the log file is created in C++, it might not be directly related to LF/CRLF, I will do more test when I have some time.

Stew4690 (2023-07-06 06:50:17 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

gRPC traffic dissector with TLSv1.3 edit

Comments

1 Answer

Comments