This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I've been trying to decrypt the ssl traffic on chrome using the pre-master secret log method, here is what I did:

  1. osx, downloaded latest chrome dev version.
  2. defined SSLKEYLOGFILE as a env variable
  3. made sure my wireshark(1.10.7) is gnutls build, see end of message.

  4. in wireshark, configed the ssl config to point to the exact file, also make sure the file can be read by anyone( chmod 777)

  5. load my page and start capturing.

I can see that: 1.there is content in the keylog file, there are many roles, all like : CLIENT_RANDOM fdf7092065550a275290721dd44565cd77e................ 2. there was handshake steps at the beginning 3. there is data flow in ssl 4. tried to 'decode' the packages data as 'ssl'

however, I just can not get the traffic decoded.

what am i missing?

thanks,

Compiled (64-bit) with GTK+ 2.24.17, with Cairo 1.10.2, with Pango 1.30.1, with GLib 2.36.0, with libpcap, with libz 1.2.3, without POSIX capabilities, without libnl, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 16 2013 19:05:52), with AirPcap.

asked 17 May '14, 09:29

swang's gravatar image

swang
1111
accept rate: 0%

trying to use SSL keylog in /Users/swang/keylog
  checking keylog line: # SSL/TLS secrets log file, generated by NSS
    line does not match

(saw many like like such, based on the log lines in keylog file dumped by chrom dev version)

 cannot find master secret in keylog file either
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC02B
  record: offset = 99, reported_length_remaining = 1249
  need_desegmentation: offset = 99, reported_length_remaining = 1249

Any suggestions how/what I should look into in the ssl log to get teh root cause?

(18 May '14, 10:12) swang

dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC02B

Your version of Wireshark does not know the cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ( 0xc02b )). That cipher has been implemented in the development build. Please download the latest development build (1.11.x) and the cipher should be recognized.

Regards
Kurt

permanent link

answered 19 May '14, 11:38

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

thanks, I actually tried that yesterday.

well, I now am able to see some content in the ssllog, decoded, but : 1. doesn't seems to be full, I only saw the client to server traffic get partially decoded, not server to client data.

  1. this is just in the ssl debug log. I still don't see it in the main trace.
(19 May '14, 11:45) swang

please add comments as comments, not as answers (see the site FAQ)! Thank you.

(19 May '14, 11:47) Kurt Knochner ♦

please add more of the ssl debug file.

(19 May '14, 11:47) Kurt Knochner ♦

hmm, the debug file is pretty big, I am not sure which part you actually need. (the scenario I am investigating is for file upload, so there is a large amount of data in the ssl log.)

Like I said, i can see meaningful data in the log getting decoded, but on the wireshark trace. I still don't see decoded content. Any pointer on how to get that fixed?

(19 May '14, 11:51) swang
1

Any pointer on how to get that fixed?

hard to tell without any error message ;-)

Can you upload the debug file to google drive, dropbox, etc. and post the link here?

(19 May '14, 14:49) Kurt Knochner ♦

I am a novice to using Wireshark (and to using SO inspired sites, so please bear with me if I do something wrong), but have tried to read up on everything that I could with regards to this topic. I have the same problem. I have several production sites that are setup according to http://kenneththorman.blogspot.dk/2013/07/using-nginx-to-reverse-proxy-secure.html.

I have downloaded the latest development build (Version 1.99.0-962-g700a474 (v1.99.0-rc1-962-g700a474 from master)), and while I no longer am facing the "can't find cipher suite 0xC02B" I am still not able to decrypt the trafic.

In the SSL debug log I facing quite a lot of entries similar to

http://pastebin.com/FbSBDWtd (tried to paste here, but poor formatting made me move it to pastebin)

I did read http://wiki.wireshark.org/SSL, but was not able to pinpoint anything. I guess it might be obvious for someone in the know, but currently I am not making any headway. Thank you in advance.

(21 Jul '14, 13:16) kenneththorman
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×165

question asked: 17 May '14, 09:29

question was seen: 4,343 times

last updated: 21 Jul '14, 13:56

p​o​w​e​r​e​d by O​S​Q​A