Decode TLS Traffic

Question

Trying to decode a TLS packet capture and it isn't working. Can someone point me to what is going wrong. First part of ssl debug file is below.

Wireshark SSL debug log

ssl_association_remove removing TCP 443 - http handle 0000000004650E80 Private key imported: KeyID 9e:a7:11:d1:92:19:ab:42:ba:4b:e0:44:aa:a2:f3:5c:... ssl_load_key: swapping p and q parameters and recomputing u ssl_init IPv4 addr '10.1.16.129' (10.1.16.129) port '443' filename 'C:\SoftwareLib\Putty\serverprivkey.pem' password(only for p12 file) '' ssl_init private key file C:\SoftwareLib\Putty\serverprivkey.pem successfully loaded. association_add TCP port 443 protocol http handle 0000000004650E80 dissect_ssl enter frame #4 (first time) ssl_session_init: initializing ptr 00000000081C0720 size 712 association_find: TCP port 38423 found 0000000000000000 packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 216 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 211, ssl state 0x00 association_find: TCP port 38423 found 0000000000000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 207 bytes, remaining 216 packet_from_server: is from server - FALSE ssl_find_private_key server 10.1.16.129:443 ssl_find_private_key: testing 1 keys dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #6 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 86 dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 81, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session can't find stored session trying to use SSL keylog in failed to open SSL keylog cannot find master secret in keylog file either dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material dissect_ssl enter frame #7 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 6 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER dissect_ssl enter frame #8 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 203 offset 5 length 8445086 bytes, remaining 37 dissect_ssl enter frame #12 (first time) packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 76 offset 11 length 4320174 bytes, remaining 43 dissect_ssl enter frame #13 (first time) packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 255 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 250, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 38423 found 0000000000000000 association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #14 (first time) packet_from_server: is from server - FALSE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 648 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 643, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 38423 found 0000000000000000 association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #16 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1263 need_desegmentation: offset = 0, reported_length_remaining = 1263 dissect_ssl enter frame #25 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #25 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1083 need_desegmentation: offset = 0, reported_length_remaining = 1083 dissect_ssl enter frame #37 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #38 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1263 need_desegmentation: offset = 0, reported_length_remaining = 1263 dissect_ssl enter frame #49 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #49 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1083 need_desegmentation: offset = 0, reported_length_remaining = 1083 dissect_ssl enter frame #61 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #61 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 903 need_desegmentation: offset = 0, reported_length_remaining = 903 dissect_ssl enter frame #73 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #73 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 723 need_desegmentation: offset = 0, reported_length_remaining = 723 dissect_ssl enter frame #80 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #85 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1263 need_desegmentation: offset = 0, reported_length_remaining = 1263 dissect_ssl enter frame #92 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210 dissect_ssl enter frame #92 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 1083 need_desegmentation: offset = 0, reported_length_remaining = 1083 dissect_ssl enter frame #107 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 9021 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 9016, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 443 found 0000000004C7B210

dissect_ssl enter frame #107 (first time) packet_from_server: is from server - TRUE conversation = 0000000005731058, ssl_session = 00000000081C0720 record: offset = 0, reported_length_remaining = 903 need_desegmentation: offset = 0, reported_length_remaining = 903

Answer 1

ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57)

That line is an indicator that you have loaded the wrong private key for the TLS session. Please double check that.

Regards
Kurt