This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have searched the forum and found only one other question with the same error, which was not answered. I am trying to decrypt an SSL connection. It doesn't use DH, so I understand it should be possible to decrypt. The following log shows the error.

Specifically, it appears to be
ssl_generate_pre_master_secret: not enough data to generate key (required state 17)


Wireshark SSL debug log

ssl_association_remove removing TCP 443 - http handle 0x10e060a10
Private key imported: KeyID 7a:68:98:9b:11:ee:eb:07:ac:b8:05:8d:fe:d6:d6:57:...
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '172.16.9.8' (172.16.9.8) port '443' filename '/Users/obeattie/Desktop/key.key' password(only for p12 file) ''
ssl_init private key file /Users/obeattie/Desktop/key.key successfully loaded.
association_add TCP port 443 protocol http handle 0x10e060a10

dissect_ssl enter frame #3 (first time)
ssl_session_init: initializing ptr 0x10bfa6440 size 712
association_find: TCP port 57514 found 0x0
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x10bfa6440
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 124, ssl state 0x00
association_find: TCP port 57514 found 0x0
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129 
packet_from_server: is from server - FALSE
ssl_find_private_key server 172.16.9.8:443
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x10bfa6440
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 11
ssl_generate_pre_master_secret: not enough data to generate key (required state 17)
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x10bfa6440
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 240, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x10bfa6440
  record: offset = 0, reported_length_remaining = 1380
  need_desegmentation: offset = 0, reported_length_remaining = 1380

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x10bfa6440
  record: offset = 0, reported_length_remaining = 1557
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1552, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 1557
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 245
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 1557
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 57514 found 0x0
association_find: TCP port 443 found 0x1104b0d20

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #3 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 129
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 120 bytes, remaining 129

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0x10ee01058, ssl_session = 0x0
  record: offset = 0, reported_length_remaining = 326
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 
  record: offset = 267, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
  record: offset = 273, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 82 offset 278 length 11871576 bytes, remaining 326

asked 26 Oct '15, 15:01

obeattie's gravatar image

obeattie
1111
accept rate: 0%

there seems to be something wrong with the ssl debug file. Take a look at the frame numbers. They are jumping back and forth !?

Can you please do the following:

  • close Wireshark
  • empty the ssl debug file
  • open Wireshark
  • load the pcap file
  • close Wireshark
  • upload the full ssl debug file somewhere
(26 Oct '15, 15:10) Kurt Knochner ♦

@obeattie In addition, please add the version of Wireshark that you are using.

(29 Oct '15, 02:59) Lekensteyn

Offtopic, @Lekensteyn, could the ssl debug log have the version added to the first entry?

(29 Oct '15, 05:09) grahamb ♦

Offtopic #2 :-)), @Lekensteyn, could please add some code to the SSL dissector to detect ciphers with Diffie Hellman and add a warning/info message to the ssl debug log?

(29 Oct '15, 07:14) Kurt Knochner ♦

Offtopic #3 :-)), @Lekensteyn, and some code to detect SSL session resume or TLS tickets with missing key exchange plus an info/warning in the ssl debug log?

(29 Oct '15, 07:16) Kurt Knochner ♦

Offtopic replies: I was thinking about adding the string representation of the cipher suites and WS version, but adding hints is probably a good idea! Patch is in being baked.

(29 Oct '15, 07:16) Lekensteyn

@Kurt Knochner You do not seem to have a Gerrit account, is that correct? The patch for versions is at https://code.wireshark.org/review/11403, I will look into adding expert info for session resumption.

(29 Oct '15, 08:23) Lekensteyn

@Lekensteyn: No, I don't have a Gerrit account yet as I don't have the feeling I have something useful to cotribute to the code ;-)

The patch for versions is at https://code.wireshark.org/review/11403,

I'll have a look, but I'm sure you know much better than me what you are doing ;-)

I will look into adding expert info for session resumption.

Thanks!

(30 Oct '15, 08:22) Kurt Knochner ♦

@Kurt Knochner I have added the session resumption hint in https://code.wireshark.org/review/11583. I have doubt on adding another warning for DH suites though, the user can easily learn this by looking at the handshake. And if an expert info field is added to the ClientKeyExchange packet, then it will not be visible in other packets (like Application data). Adding it to every Application Data message introduces some noise. So in the end I think it is better to educate the user on dissecting packets. Thoughts?

(05 Nov '15, 14:25) Lekensteyn
showing 5 of 9 show 4 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×193
×165

question asked: 26 Oct '15, 15:01

question was seen: 1,549 times

last updated: 05 Nov '15, 14:25

p​o​w​e​r​e​d by O​S​Q​A