This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

unable to decrypt SIP TLS traffic with Wireshark

0

Hello

I want to see the SIP communication between my server and an endpoint which is on SIP TLS. I have the private key from the server and captured the initial handshake. However, I'm not able to decrypt the messages. Is there anything I'm missing? You perhaps spot something in the log which I don't.

dissect_ssl enter frame #28 (first time)
ssl_session_init: initializing ptr 000000000A182FA0 size 712
association_find: TCP port 32941 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 0000000006DE15D8, ssl_session = 000000000A182FA0
  record: offset = 0, reported_length_remaining = 195
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 190, ssl state 0x00
association_find: TCP port 32941 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 186 bytes, remaining 195 
packet_from_server: is from server - FALSE
ssl_find_private_key server 172.19.253.22:5061
ssl_find_private_key: testing 1 keys
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #35 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000006DE15D8, ssl_session = 000000000A182FA0
  record: offset = 0, reported_length_remaining = 1448

dissect_ssl enter frame #36 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000006DE15D8, ssl_session = 000000000A182FA0
  record: offset = 0, reported_length_remaining = 128

dissect_ssl enter frame #47 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000006DE15D8, ssl_session = 000000000A182FA0
  record: offset = 0, reported_length_remaining = 214
dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 150, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 146 bytes, remaining 155
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 11
ssl_generate_pre_master_secret: not enough data to generate key (required state 17)
dissect_ssl3_handshake can't generate pre master secret
  record: offset = 155, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 161, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 43 offset 166 length 3990203 bytes, remaining 214

dissect_ssl enter frame #50 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000006DE15D8, ssl_session = 000000000A182FA0
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #54 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000006DE15D8, ssl_session = 000000000A182FA0
  record: offset = 0, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 240 offset 5 length 12105667 bytes, remaining 53

asked 18 Nov ‘15, 08:03


romo
6113
accept rate: 0%

edited 18 Nov ‘15, 08:12


Lekensteyn
2.2k3724

Please include the Wireshark version you are using. Is this the full debug log? I don’t see the Server Hello which mentions the cipher suite that is in use. Very likely your client is using a cipher suite with the Diffie-Hellman key exchange. See this post for investigating further.

(18 Nov ‘15, 08:16) Lekensteyn

I use WS version 1.12.8. You can see the full log here: https://sprend.com/download.htm?C=0825d50fef974fb7b1b69b9e39a71224 I've been checking the posts with the DHE issue but I couldn't find similarities to my problem (besides, I cannot decrypt it).

(22 Nov ‘15, 23:13) romo

This is the content of the file. Not enough to analyze the problem.

Wireshark SSL debug log

Private key imported: KeyID 08:fd:4e:ed:4b:f7:39:3b:86:90:62:e5:07:97:89:4a:…
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init IPv4 addr '172.19.253.22' (172.19.253.22) port '5061' filename 'C:\Users\E706515\Desktop\key.key' password(only for p12 file) ''
ssl_init private key file C:\Users\E706515\Desktop\key.key successfully loaded.
association_add TCP port 5061 protocol sip handle 0000000005F728D0

(23 Nov ‘15, 00:57) Kurt Knochner ♦
1

Hello Kurt, yes, very short indeed. No idea why I only posted this part. Please try here again: https://www.dropbox.com/s/dz3qp35at2fyq90/wslog.txt?dl=0

(23 Nov ‘15, 01:06) romo


One Answer:

2

Your connection is using a Diffie-Hellman cipher (0xC02F = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256).

dissect_ssl3_hnd_srv_hello found CIPHER 0xC02F -> state 0x16

That's the reason why you can't decrypt it.

Regards
Kurt

answered 23 Nov '15, 01:30


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 23 Nov '15, 01:31
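The check Kurt performs by eye, as an added example (this is not code from the question, the answer, or Wireshark itself): it parses a TLS ServerHello record to pull out the negotiated cipher suite, classifies the suite's key exchange, and reports whether a server RSA private key can decrypt the session at all. A static-RSA suite encrypts the premaster secret to the server's public key, so the private key recovers it; a DHE/ECDHE suite such as 0xC02F derives the premaster secret from ephemeral values that never appear on the wire, so the private key is useless for decryption and a (pre)-master secret log from one endpoint is required instead. The cipher suite table is a subset of the IANA registry; the ServerHello bytes are constructed for the example, not taken from the capture, and the only debug log line used is the one quoted in the answer.

```python
import re
import struct

# Subset of the IANA TLS cipher suite registry, mapped to the key-exchange
# method each suite uses. Only "RSA" key exchange encrypts the premaster
# secret to the server's public key, so only those sessions can be
# decrypted with the server's private key alone.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello.

    Returns (protocol_version, cipher_suite); raises ValueError for
    anything that is not a complete, well-formed ServerHello record.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("content_type %d is not Handshake" % content_type)
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_SERVER_HELLO:
        raise ValueError("handshake type %d is not ServerHello" % hs_type)
    hello = body[4:4 + hs_len]
    # Fixed prefix: version(2) + random(32) + session_id_len(1) = 35 bytes.
    if len(hello) < hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello body")
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]                      # skip the variable session_id
    if off + 3 > len(hello):                  # cipher_suite(2) + compression(1)
        raise ValueError("ServerHello ends before cipher_suite")
    cipher_suite = struct.unpack("!H", hello[off:off + 2])[0]
    return version, cipher_suite


def key_exchange_of(cipher_suite):
    """Key-exchange method of a suite id, or 'unknown' if not in the table."""
    return CIPHER_SUITES.get(cipher_suite, ("unknown", "unknown"))[1]


def decryptable_with_server_key(cipher_suite):
    """True only for static-RSA key exchange; DHE/ECDHE need a key log."""
    return key_exchange_of(cipher_suite) == "RSA"


# The line Wireshark's SSL debug log prints when it parses the ServerHello,
# e.g. "dissect_ssl3_hnd_srv_hello found CIPHER 0xC02F -> state 0x16".
CIPHER_LOG_RE = re.compile(
    r"dissect_ssl3_hnd_srv_hello found CIPHER 0x([0-9A-Fa-f]{4})")


def cipher_from_debug_log(lines):
    """Negotiated cipher suite taken from SSL debug log lines, or None."""
    for line in lines:
        m = CIPHER_LOG_RE.search(line)
        if m:
            return int(m.group(1), 16)
    return None


def diagnose(cipher_suite):
    """One-line verdict on whether the server's private key suffices."""
    name, kx = CIPHER_SUITES.get(cipher_suite, ("unknown suite", "unknown"))
    if kx == "RSA":
        return "0x%04X %s: RSA key exchange, server private key can decrypt" % (
            cipher_suite, name)
    if kx in ("DHE", "ECDHE"):
        return ("0x%04X %s: %s key exchange, server private key is NOT enough; "
                "use a (pre)-master secret log from an endpoint" % (
                    cipher_suite, name, kx))
    return "0x%04X: suite not in table, check the IANA registry" % cipher_suite


def build_server_hello(cipher_suite, version=0x0303):
    """Constructed ServerHello record for testing (not from a real capture)."""
    random_bytes = bytes(range(32))            # placeholder server random
    session_id = b""                           # empty session_id
    hello = (struct.pack("!H", version) + random_bytes
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite) + b"\x00")  # null compression
    handshake = (bytes([HANDSHAKE_SERVER_HELLO])
                 + len(hello).to_bytes(3, "big") + hello)
    return (bytes([CONTENT_TYPE_HANDSHAKE])
            + struct.pack("!HH", version, len(handshake)) + handshake)


if __name__ == "__main__":
    # The suite from the question's capture (0xC02F) next to a static-RSA one.
    for suite in (0xC02F, 0x002F):
        _, parsed = parse_server_hello(build_server_hello(suite))
        print(diagnose(parsed))
    # Same decision driven from the debug log line quoted in the answer.
    log = ["dissect_ssl3_hnd_srv_hello found CIPHER 0xC02F -> state 0x16"]
    print(diagnose(cipher_from_debug_log(log)))
```

Run on the question's suite this reports that the server key cannot decrypt the session, which is why the debug log above stalls at `ssl_generate_pre_master_secret: not enough data to generate key`. The practical way forward for ephemeral suites is to have one endpoint write its (pre)-master secrets to a key log file and point Wireshark's SSL preferences at that file; that path does not need the server's private key at all.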

Hi Kurt, thanks for clarifying.

(23 Nov '15, 02:44) romo

You're welcome.

(23 Nov '15, 03:00) Kurt Knochner ♦