Hi, I have read answers on this forum and I am trying to decrypt a TLS capture with sessionID length 0. But I am running into some trouble in making Wireshark read my master key. So please help!!

I have the master key from openssl and this is what my premaster_ras.log file looks like:

    RSA Session-ID: Master-Key:7e94966b1345e253c4d2dc4d738d33dec03d8149181ab6630891cfe08c2436cd8ed97cdbcac33b9efc81c3feef415ae0

and this is my Debug file.

I put a print in my code and printed the SSL master key and sessionID:

    koundi-Session ID is 0000000000000000000000000000000000000000000000000000000000000000
    koundi-master key is 7e94966b1345e253c4d2dc4d738d33dec03d8149181ab6630891cfe08c2436cd8ed97cdbcac33b9efc81c3feef415ae0
    session_id_length is :0
    master_key_length is :48

Thanks!!

asked 18 Feb '15, 06:09 koundi
One Answer:
Mapping from a Session ID to a master secret can only be resolved if the Server Hello message contains such a Session ID. In your case it is empty:
Solution: find the Client Hello message and copy its Client Random (32 bytes, 64 hex chars). Then create the SSL keylog file containing:
Reload the capture file and you are set.

answered 18 Feb '15, 09:30 Lekensteyn
Thanks so much for replying. I did try giving the Client Random yesterday but I gave only 16 hex chars, so it did not work. Today I gave it 64 hex chars and it shows in my debug file that the master secret was found and it does decrypt the frames. But in the Wireshark UI the packets are still encrypted TLS. Also, I am NOT trying to decrypt HTTPS, so can you help me with that too :)
Thanks :)
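An added example, not part of the thread: a small Python checker for the two keylog line styles discussed above, flagging the empty Session ID from the question and the 16-hex-char Client Random from the follow-up comment. The `CLIENT_RANDOM <random> <master secret>` layout is the NSS key log format that Wireshark reads; the function names and the sample Client Random are constructed for illustration.

```python
import re

def _hex_field(label, value, nbytes):
    """Return the value lowercased after checking it is exactly nbytes of hex."""
    value = value.strip()
    if len(value) != 2 * nbytes or not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError(f"{label}: need {2 * nbytes} hex chars, got {len(value)}")
    return value.lower()

def client_random_line(client_random, master_key):
    """Build a keylog line keyed on the Client Hello random (32 bytes)
    that maps to the 48-byte master secret."""
    return "CLIENT_RANDOM {} {}".format(
        _hex_field("client random", client_random, 32),
        _hex_field("master key", master_key, 48))

def check_line(line):
    """Return a list of problems with one keylog line; empty list means usable."""
    line = line.strip()
    problems = []
    m = re.fullmatch(r"RSA Session-ID:(\S*) Master-Key:(\S*)", line)
    if m:
        sid, key = m.groups()
        if not sid:
            problems.append("session id is empty, so no Server Hello can match it")
        fields = [("master key", key, 48)]
    else:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            return ["unrecognised line format"]
        fields = [("client random", parts[1], 32), ("master key", parts[2], 48)]
    for label, value, nbytes in fields:
        try:
            _hex_field(label, value, nbytes)
        except ValueError as exc:
            problems.append(str(exc))
    return problems

# Master key as posted in the question. The client random is a constructed
# placeholder; the real one comes from the Client Hello in the capture.
MASTER_KEY = ("7e94966b1345e253c4d2dc4d738d33dec03d8149181ab6630891cfe0"
              "8c2436cd8ed97cdbcac33b9efc81c3feef415ae0")
SAMPLE_RANDOM = "00112233445566778899aabbccddeeff" * 2

if __name__ == "__main__":
    print(check_line("RSA Session-ID: Master-Key:" + MASTER_KEY))
    print(check_line("CLIENT_RANDOM 0011223344556677 " + MASTER_KEY))
    print(client_random_line(SAMPLE_RANDOM, MASTER_KEY))
```
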