This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have an SSL trace on CloudShark below my question. My question is why isn't the "Application Data" being decrypted in the trace? How can I get it decoded or can I? I keep seeing this in the debug:

dissect_ssl enter frame #86 (first time)
conversation = 04C66A1C, ssl_session = 04C675D0
record: offset = 0, reported_length_remaining = 2480
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 2475, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 2480 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
dissect_ssl3_hnd_srv_hello can't generate keyring material
dissect_ssl3_handshake iteration 0 type 11 offset 79 length 2393 bytes, remaining 2480 
dissect_ssl3_handshake iteration 0 type 14 offset 2476 length 0 bytes, remaining 2480

dissect_ssl enter frame #94 (first time)
conversation = 04C66A1C, ssl_session = 04C675D0
record: offset = 0, reported_length_remaining = 267
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x17
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
pre master encrypted[256]:

Looking at the debug file, the certificate gets loaded successfully. There are examples on frames 56 and 169. Any help would be appreciated.

http://cloudshark.org/captures/77ff76bbe6e0?filter=tcp.port%20%3D%3D%20443

Terry

asked 14 Sep '12, 20:09

tcoder

What I have is something unusual. I have server A (HTTPS) going to client B (HTTPS). Server C (raw data) goes to client B (raw data). Server A is an authorization server. Server C is a data offload server.

Both servers are on the same PC. It was set up as a simple trace; there was no merging of files. (I wrote the server code.)

Client B gets through to both servers via a dialup modem router. Therefore the frame rate should be slow.

Why do I get "decrypt_ssl3_record: no decoder available"?

Thanks for your help.

(15 Sep '12, 07:25) tcoder

I believe you get "No decoder available" because the session has not entered the encrypted stage yet at that point in time (frame #86 seems to be the ServerHello message).

(15 Sep '12, 15:21) SYN-bit ♦♦

Somehow there are two identical sessions in the trace file; the SSL dissector is not really good at handling that. You might want to filter out one complete stream and save that to a separate file. You can also use "edit -> ignore packet" to ignore the frames in the secondary TCP session.

How was the trace file made? I do not see any VLAN tags and the MAC addresses of these sessions are the same (as are the IP addresses, IP IDs, TCP ports and TCP sequence numbers). Did you merge the same pcap file twice into a new pcap file?

answered 15 Sep '12, 00:02

SYN-bit ♦♦

Thanks. Tracing only one interface helped.

(16 Sep '12, 12:02) tcoder

The fix was as you said. Reduce the traffic and trace on only one interface. Thanks.

(17 Sep '12, 10:09) tcoder
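
The duplicated-session condition described in the answer above can be detected and removed offline. This is an added example, not code from the thread or from Wireshark. It assumes a classic little-endian pcap of Ethernet/IPv4/TCP frames; the function names and the sample capture are constructed for illustration.

```python
import hashlib
import struct

def read_pcap(data):
    """Yield (record_header, frame) pairs from classic little-endian pcap bytes."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off:off + 16], data[off + 16:off + 16 + incl]
        off += 16 + incl

def frame_key(frame):
    """Fields the answer compares; None for anything but Ethernet/IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # TCP header offset from the IP IHL
    if len(frame) < tcp + 20:
        return None
    # MACs, IP ID, IP src+dst, then TCP ports+seq and a digest of the segment
    return (frame[0:12], frame[18:20], frame[26:34], frame[tcp:tcp + 8],
            hashlib.sha256(frame[tcp:]).digest())

def dedupe(data, window=5):
    """Drop frames whose key repeats within the last `window` kept frames."""
    out, recent, dropped = [data[:24]], [], 0
    for hdr, frame in read_pcap(data):
        key = frame_key(frame)
        if key is not None and key in recent:
            dropped += 1                       # same frame captured a second time
            continue
        recent = (recent + [key])[-window:]
        out.append(hdr + frame)
    return b"".join(out), dropped

def _frame(ip_id, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes(6) + bytes([2, 0, 0, 0, 0, 1]) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)

# Constructed capture: two frames seen twice, plus a real retransmission (new IP ID)
SAMPLE = build_pcap([_frame(1, 1000, b"hello")] * 2 + [_frame(2, 1005, b"world")] * 2
                    + [_frame(3, 1000, b"hello")])
```

Because the IP ID is part of the key, a genuine TCP retransmission (same sequence number, new IP ID) is kept while a frame captured twice is dropped. On real capture files, Wireshark's `editcap -d` performs a comparable duplicate removal.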
question asked: 14 Sep '12, 20:09

question was seen: 3,371 times

last updated: 17 Sep '12, 12:57
