I have an SSL trace on CloudShark below my question. My question is why isn't the "Application Data" being decrypted in the trace? How can I get it decoded or can I? I keep seeing this in the debug
Looking at the debug file, the certificate gets loaded successfully. There are examples on frames 56 and 169. Any help would be appreciated.

http://cloudshark.org/captures/77ff76bbe6e0?filter=tcp.port%20%3D%3D%20443

Terry

asked 14 Sep '12, 20:09 tcoder
One Answer:
Somehow there are two identical sessions in the trace file, the SSL dissector is not really good at handling that. You might want to filter out one complete stream and save that to a separate file. You can also use "edit -> ignore packet" to ignore the frames in the secondary TCP session.

How was the trace file made? I do not see any VLAN tags and the MAC addresses of these sessions are the same (as are the IP addresses, IP IDs, TCP ports and TCP sequence numbers). Did you merge the same pcap file twice into a new pcap file?

answered 15 Sep '12, 00:02 SYN-bit ♦♦

Thanks. Tracing only one interface helped. (16 Sep '12, 12:02) tcoder

The fix was as you said. Reduce the traffic and trace on only one interface. Thanks. (17 Sep '12, 10:09) tcoder
What I have is something unusual. I have server A (HTTPS) going to client B (HTTPS). Server C (raw data) goes to client B (raw data). Server A is an authorization server. Server C is a data offload server.
Both servers are on the same PC. It was set up as a simple trace; there was no merging of files. (I wrote the server code.)
Client B gets through to both servers via a dialup modem router. Therefore the frame rate should be slow.
Why do I get “decrypt_ssl3_record: no decoder available”?
Thanks for your help.
I believe you get “No decoder available” because the session has not entered the encrypted stage yet at that point in time (frame #86 seems to be the ServerHello message).
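The duplicated frames described in the answer above can be found and removed before the capture is loaded for decryption. This is an added example, not part of the original thread: it assumes a classic little-endian pcap file and treats byte-identical frames as duplicates, and the function names and sample frames are constructed for illustration.

```python
import hashlib
import struct

PCAP_HDR = struct.Struct("<IHHiIII")   # classic pcap global header (24 bytes)
REC_HDR = struct.Struct("<IIII")       # per-record header (16 bytes)

def records(pcap):
    """Yield (frame_no, record_header, frame_bytes) from little-endian pcap bytes."""
    if PCAP_HDR.unpack_from(pcap)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic little-endian pcap")
    off, no = PCAP_HDR.size, 1
    while off + REC_HDR.size <= len(pcap):
        incl_len = REC_HDR.unpack_from(pcap, off)[2]
        end = off + REC_HDR.size + incl_len
        yield no, pcap[off:off + REC_HDR.size], pcap[off + REC_HDR.size:end]
        off, no = end, no + 1

def find_duplicates(pcap):
    """Return [(duplicate_frame_no, first_seen_frame_no)] for byte-identical frames."""
    seen, dups = {}, []
    for no, _hdr, frame in records(pcap):
        # Same MACs, IPs, IP ID, ports and sequence number means the same bytes.
        key = hashlib.sha256(frame).digest()
        if key in seen:
            dups.append((no, seen[key]))
        else:
            seen[key] = no
    return dups

def dedupe(pcap):
    """Return pcap bytes with every repeated frame dropped, first copy kept."""
    drop = {no for no, _ in find_duplicates(pcap)}
    kept = [hdr + frame for no, hdr, frame in records(pcap) if no not in drop]
    return pcap[:PCAP_HDR.size] + b"".join(kept)

def build_pcap(frames):
    """Build a constructed sample capture (Ethernet link type) from raw frames."""
    out = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += REC_HDR.pack(1347650000, i, len(f), len(f)) + f
    return out

# Constructed input: placeholder bytes standing in for three packets of one
# stream, each captured twice (as when the same traffic is seen on two interfaces).
_frames = [b"frame-A-client-hello", b"frame-B-server-hello", b"frame-C-app-data"]
SAMPLE = build_pcap([f for f in _frames for _ in range(2)])

if __name__ == "__main__":
    print(find_duplicates(SAMPLE))
    print(len(list(records(dedupe(SAMPLE)))), "frames after dedupe")
```

Wireshark's `editcap -d` performs a comparable duplicate-frame removal on real capture files.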