Wireshark SSL debug log
ssl_association_remove removing TCP 443 - http handle 0x10e060a10
Private key imported: KeyID 7a:68:98:9b:11:ee:eb:07:ac:b8:05:8d:fe:d6:d6:57:…
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '172.16.9.8' (172.16.9.8) port '443' filename '/Users/obeattie/Desktop/key.key' password(only for p12 file) ''
ssl_init private key file /Users/obeattie/Desktop/key.key successfully loaded.
association_add TCP port 443 protocol http handle 0x10e060a10
dissect_ssl enter frame #3 (first time)
ssl_session_init: initializing ptr 0x10bfa6440 size 712
association_find: TCP port 57514 found 0x0
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x10bfa6440
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 124, ssl state 0x00
association_find: TCP port 57514 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
packet_from_server: is from server - FALSE
ssl_find_private_key server 172.16.9.8:443
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x10bfa6440
record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 11
ssl_generate_pre_master_secret: not enough data to generate key (required state 17)
dissect_ssl3_handshake can't generate pre master secret
record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326
dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x10bfa6440
record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 240, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20
dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x10bfa6440
record: offset = 0, reported_length_remaining = 1380
need_desegmentation: offset = 0, reported_length_remaining = 1380
dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x10bfa6440
record: offset = 0, reported_length_remaining = 1557
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1552, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326
dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20
dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 1557
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326
dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20
dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 1557
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129
dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - FALSE
conversation = 0x10ee01058, ssl_session = 0x0
record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326
there seems to be something wrong with the ssl debug file. Take a look at the frame numbers. They are jumping back and forth !?
Can you please do the following:
@obeattie In addition, please add the version of Wireshark that you are using.
Offtopic, @Lekensteyn, could the ssl debug log have the version added to the first entry?
Offtopic #2 :-)), @Lekensteyn, could please add some code to the SSL dissector to detect ciphers with Diffie Hellman and add a warning/info message to the ssl debug log?
Offtopic #3 :-)), @Lekensteyn, and some code to detect SSL session resume or TLS tickets with missing key exchange plus an info/warning in the ssl debug log?
Offtopic replies: I was thinking about adding the string representation of the cipher suites and WS version, but adding hints is probably a good idea! Patch is in being baked.
@Kurt Knochner You do not seem to have a Gerrit account, is that correct? The patch for versions is at https://code.wireshark.org/review/11403, I will look into adding expert info for session resumption.
@Lekensteyn: No, I don’t have a Gerrit account yet as I don’t have the feeling I have something useful to cotribute to the code ;-)
I’ll have a look, but I’m sure you know much better than me what you are doing ;-)
Thanks!
@Kurt Knochner I have added the session resumption hint in https://code.wireshark.org/review/11583. I have doubt on adding another warning for DH suites though, the user can easily learn this by looking at the handshake. And if an expert info field is added to the ClientKeyExchange packet, then it will not be visible in other packets (like Application data). Adding it to every Application Data message introduces some noise. So in the end I think it is better to educate the user on dissecting packets. Thoughts?