This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark v2.0.1 GnuTLS 3.2.15 PEM Format passphraseless private key added to SSL protocol. Has been successfully loaded.

SSL RSA keys list preferences: IP Address=10.139.233.26 Port=10080 Protocol=http

Have ensured, Client Hello/Server Hello captured.

Have filtered on tcp stream and exported, SSL debug log following:

Wireshark SSL debug log

Wireshark version: 2.0.1 (v2.0.1-0-g59ea380 from master-2.0)
GnuTLS version:    3.2.15
Libgcrypt version: 1.6.2

ssl_association_remove removing TCP 10080 - http handle 00000000088B4800
KeyID[20]:
| ae 4d dc ef 87 7a 05 e1 30 4a 1b 59 1b d8 20 10 |.M...z..0J.Y.. .|
| 45 ba 69 7a                                     |E.iz            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file D:/temp/nopassphrase.key successfully loaded.
ssl_init port '10080' filename 'D:/temp/nopassphrase.key' password(only for p12 file) ''
association_add TCP port 10080 protocol http handle 00000000088B4800

dissect_ssl enter frame #4 (first time)
association_find: TCP port 47180 found 0000000000000000
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 182
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 177
decrypt_ssl3_record: app_data len 177, ssl state 0x00
association_find: TCP port 47180 found 0000000000000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 173 bytes, remaining 182 
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 1448
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 81
decrypt_ssl3_record: app_data len 81, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_dissect_hnd_srv_hello found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x17
  record: offset = 86, reported_length_remaining = 1362
  need_desegmentation: offset = 86, reported_length_remaining = 1362

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 2682
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 2677
decrypt_ssl3_record: app_data len 2677, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2673 bytes, remaining 2682 
lookup(KeyID)[20]:
| ae 4d dc ef 87 7a 05 e1 30 4a 1b 59 1b d8 20 10 |.M...z..0J.Y.. .|
| 45 ba 69 7a                                     |E.iz            |
ssl_find_private_key_by_pubkey: lookup result: 000000000942BA40

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 42
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 37
decrypt_ssl3_record: app_data len 37, ssl state 0x17
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 13 offset 5 length 29 bytes, remaining 42 
dissect_ssl3_handshake iteration 0 type 14 offset 38 length 0 bytes, remaining 42

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 1792
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 1787
decrypt_ssl3_record: app_data len 1787, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1521 bytes, remaining 1792 
lookup(KeyID)[20]:
| 18 23 aa a8 6d 41 5c 54 28 97 25 25 6c 96 44 f0 |.#..mA\T(.%%l.D.|
| 99 43 cc 22                                     |.C."            |
ssl_find_private_key_by_pubkey: lookup result: 0000000000000000
dissect_ssl3_handshake iteration 0 type 16 offset 1530 length 258 bytes, remaining 1792 
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 217
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 269
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 264
decrypt_ssl3_record: app_data len 264, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 15 offset 5 length 260 bytes, remaining 269

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x217
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT

dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 80
decrypt_ssl3_record: app_data len 80, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 250 offset 5 length 11866047 bytes, remaining 85

dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 91
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Not using Session resumption
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x217
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 6, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 80
decrypt_ssl3_record: app_data len 80, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 11 length 1731724 bytes, remaining 91

dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 805
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 800, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 47180 found 0000000000000000
association_find: TCP port 10080 found 000000000A538FD0

dissect_ssl enter frame #20 (first time)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 885
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 880, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 384, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #23 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 197
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 192, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #24 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 64, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #25 (first time)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 000000000B181980
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 64, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 182
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 173 bytes, remaining 182

dissect_ssl enter frame #6 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1448
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 
  record: offset = 86, reported_length_remaining = 1362
  need_desegmentation: offset = 86, reported_length_remaining = 1362

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 2682
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2673 bytes, remaining 2682

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 42
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 13 offset 5 length 29 bytes, remaining 42 
dissect_ssl3_handshake iteration 0 type 14 offset 38 length 0 bytes, remaining 42

dissect_ssl enter frame #10 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1792
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1521 bytes, remaining 1792 
dissect_ssl3_handshake iteration 0 type 16 offset 1530 length 258 bytes, remaining 1792

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 269
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 15 offset 5 length 260 bytes, remaining 269

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 250 offset 5 length 11866047 bytes, remaining 85

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 91
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 6, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 11 length 1731724 bytes, remaining 91

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 805
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #20 (already visited)
packet_from_server: is from server - FALSE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 885
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #22 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 389
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #23 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 197
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #24 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #25 (already visited)
packet_from_server: is from server - TRUE
  conversation = 000000000B181160, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 69
dissect_ssl3_record: content_type 23 Application Data

asked 04 Feb '16, 22:24

TwoYrOldGorilla's gravatar image

TwoYrOldGorilla
11115
accept rate: 0%

edited 01 Jun '16, 21:58


You are affected by bug 12042 which is a regression introduced with Wireshark 2.0 and will be fixed in 2.0.2 (which is scheduled for 11 February). The issue occurs when Wireshark 2.0 and 2.0.1 are used to decrypt a SSL capture which contain a Client Certificate (also known as two-way SSL or mutual authentication). As a workaround, you can try to ignore the Client Certificate packet.

Details of analysis:

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - TRUE
...
dissect_ssl3_record: content_type 22 Handshake
...
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2673 bytes, remaining 2682 
lookup(KeyID)[20]:
| ae 4d dc ef 87 7a 05 e1 30 4a 1b 59 1b d8 20 10 |.M...z..0J.Y.. .|
| 45 ba 69 7a                                     |E.iz            |
ssl_find_private_key_by_pubkey: lookup result: 000000000942BA40

Type 11 is a Certificate and the private key lookup has succeeded. It should be used unless another certificate is found.

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - FALSE
...
dissect_ssl3_record: content_type 22 Handshake
...
dissect_ssl3_handshake iteration 1 type 11 offset 5 length 1521 bytes, remaining 1792 
lookup(KeyID)[20]:
| 18 23 aa a8 6d 41 5c 54 28 97 25 25 6c 96 44 f0 |.#..mA\T(.%%l.D.|
| 99 43 cc 22                                     |.C."            |
ssl_find_private_key_by_pubkey: lookup result: 0000000000000000

Oops, another Certificate (handshake message type 11), but this time it is not from the server. The client certificate cannot be used for decryption and the key lookup fails and clears the previously found private key.

permanent link

answered 09 Feb '16, 09:21

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×10

question asked: 04 Feb '16, 22:24

question was seen: 3,943 times

last updated: 01 Jun '16, 21:58

p​o​w​e​r​e​d by O​S​Q​A