I've looked around for similar logs, but found no actual solution. Dump was taken using
Log: pastebin
Dump: cloudshark

I'm out of ideas what may be wrong, some time earlier it worked as usual, but now it does not.

asked 31 Dec '12, 04:56 Alexey Pelykh
edited 31 Dec '12, 05:26 Kurt Knochner ♦
One Answer:
The only SSL/TLS connections in that capture file are to servers of whatsapp.net. Do you have access to their private key? If no, then you cannot decrypt those SSL connections. See the SSL wiki:
If yes (because you are the WhatsApp CEO or the web server admin), then you have entered the key in the wrong format, hence the following message in the debug file:
What are you trying to do?

Regards

answered 31 Dec '12, 05:35 Kurt Knochner ♦
edited 31 Dec '12, 05:40

Yes, I don't have the private key, but the odd thing is:

    dissect_ssl3_hnd_srv_hello trying to generate keys
    ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)
    dissect_ssl3_hnd_srv_hello can't generate keyring material
    record: offset = 86, reported_length_remaining = 1374
    need_desegmentation: offset = 86, reported_length_remaining = 1374

(31 Dec '12, 05:41) Alexey Pelykh

Then you cannot decrypt SSL, unless you have found a secret bug in the SSL encryption scheme ;-) An alternative would be to use the '(Pre)-Master-Secret' output by the SSL client (see SSL wiki).
(31 Dec '12, 05:44) Kurt Knochner ♦

Kurt is right, @Alexey. SSL is purposely designed to be unencryptable by a man-in-the-middle, which is what Wireshark is. In absence of the remote site's private key, you would need to have state information generated on the fly within the local program setting up the SSL session. Read more about SSL and you will see why this is the case.
(02 Jan '13, 06:20) Warren Young

Totally agree :) Just over-debugged myself, shame on me :)
(02 Jan '13, 06:39) Alexey Pelykh
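
An added example, not part of the original thread: one way a client you control can write out its own session secrets (the alternative mentioned in the comments above), plus a check that the log holds an entry for the session seen in a capture. It assumes a Python client and the NSS key log format, whose entries are keyed by the ClientHello random; the function names and sample values are constructed for illustration.

```python
import ssl

# Labels of the NSS key log format (TLS 1.2 master secret, TLS 1.3 secrets).
LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
          "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
          "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

# Constructed sample: one TLS 1.2 session, values are not real secrets.
SAMPLE_RANDOM = "ab" * 32
SAMPLE_KEYLOG = ("# constructed sample\n"
                 "CLIENT_RANDOM " + SAMPLE_RANDOM + " " + "cd" * 48 + "\n")

def logging_client_context(keylog_path):
    """Client context that appends each session's secrets to keylog_path.
    Needs Python 3.8+ built against OpenSSL 1.1.1 or later."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.keylog_filename = keylog_path
    return ctx

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}} from key log text."""
    sessions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL random secret'")
        label, client_random, secret = parts
        if label not in LABELS:
            continue  # other entry types are ignored in this example
        bytes.fromhex(secret)  # raises ValueError if the secret is not hex
        if len(bytes.fromhex(client_random)) != 32:  # a TLS random is 32 bytes
            raise ValueError(f"line {lineno}: client random is not 32 bytes")
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions

def has_secret_for(sessions, client_hello_random_hex):
    """True if a secret was logged for the session with this ClientHello random."""
    return client_hello_random_hex.lower() in sessions

if __name__ == "__main__":
    print(has_secret_for(parse_keylog(SAMPLE_KEYLOG), SAMPLE_RANDOM))
```

A key log file exposes the plaintext of every session it covers, so it needs the same handling as a private key.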
Probably it's due to https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3303