This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t decode HTTPS with jSSLKeyLog

0

I'm debugging a Java application using HTTPS. I exported a pre-master secret file using jSSLKeyLog. The file looks like this:

# SSL/TLS secrets log file, generated by jSSLKeyLog
CLIENT_RANDOM 56b5f099ea88a29f1a53b0f7c8586f864d92f3ec1a9d2ef686e659dba350f7df 74c5b828fe52a45056ea5fa6fbb19b76d2197d3d6d09fb0f5f42e73cec0e7ba6cffd51c16677e50edc6003ab19d5aafe
# SSL/TLS secrets log file, generated by jSSLKeyLog
CLIENT_RANDOM 56b5f7556567faa714cae03bdb2fba5e2a773dc46fd1a4cfd943379367dbc728 8ddf0cfcf27a95e15137800c24c2c74a47fcc51edd0585fcb4b97945fce21fb4d3d5201df1654ff0747f9344263c696c
# SSL/TLS secrets log file, generated by jSSLKeyLog
CLIENT_RANDOM 56b5f7f5091f8c3269a3f14298112c180f18adc531a8c210373681197fb427e6 0a5a546e636d1d666fed91565c198fed186a607e674ef8cfe887cdeb0159890e20a32d030a81677e92ac2b675fb62c7c

I load the file into Wireshark, but it cannot decode the SSL stream. In the SSL debug file it gives this error:

trying to use SSL keylog in /home/mero/workspace/bnet/portal/keylog
  checking keylog line: # SSL/TLS secrets log file, generated by jSSLKeyLog
    line does not match
  checking keylog line: CLIENT_RANDOM  56b5f099ea88a29f1a53b0f7c8586f864d92f3ec1a9d2ef686e659dba350f7df   74c5b828fe52a45056ea5fa6fbb19b76d2197d3d6d09fb0f5f42e73cec0e7ba6cffd51c16677e50edc6003ab19d5aafe
    line does not match client random
    line does not match
  checking keylog line: # SSL/TLS secrets log file, generated by jSSLKeyLog
    line does not match
  checking keylog line: CLIENT_RANDOM 56b5f7556567faa714cae03bdb2fba5e2a773dc46fd1a4cfd943379367dbc728 8ddf0cfcf27a95e15137800c24c2c74a47fcc51edd0585fcb4b97945fce21fb4d3d5201df1654ff0747f9344263c696c
    line does not match client random
    line does not match
  checking keylog line: # SSL/TLS secrets log file, generated by jSSLKeyLog
    line does not match
  checking keylog line: CLIENT_RANDOM 56b5f7f5091f8c3269a3f14298112c180f18adc531a8c210373681197fb427e6 0a5a546e636d1d666fed91565c198fed186a607e674ef8cfe887cdeb0159890e20a32d030a81677e92ac2b675fb62c7c
    line does not match

How could I decode this stream? I have access to the client source code, if that helps.

This is the output of wireshark -v:

wireshark 1.10.6 (v1.10.6 from master-1.10)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.10.7, with Cairo 1.13.1, with Pango 1.36.1, with GLib 2.39.91, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Feb 25 2014 21:09:53), with AirPcap.

Running on Linux 3.13.0-76-generic, with locale en_US.UTF-8, with libpcap version 1.5.3, with libz 1.2.8, GnuTLS 2.12.23, Gcrypt 1.5.3, without AirPcap. Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz

Built using gcc 4.8.2.

asked 06 Feb ’16, 05:59


laci37
accept rate: 0%

edited 08 Feb ’16, 03:08

What version of Wireshark?

(06 Feb ’16, 06:37) grahamb ♦

I added the version info to the question.

(08 Feb ’16, 03:09) laci37

That’s an old and unsupported version, I’m not sure that it can even decrypt with pre-master secret. Is it possible to try with a newer version?

(08 Feb ’16, 03:18) grahamb ♦


One Answer:

0

Wireshark 1.10.6 is able to decrypt using an SSL keylog file, but that version is picky about the formatting of key log files: lines must be terminated by a LF (\n) instead of a CRLF (\r\n). It appears that jSSLKeyLog is writing CRLFs (see logLine in src/main/java/net/sf/jsslkeylog/LogWriter.java).

To solve your problem, pick any of these solutions:

  • Patch jSSLKeyLog to write \n instead of \r\n as line separator.
  • Post-process your SSL key log file, stripping the carriage returns: sed 's/\r//' -i yourfile.txt
  • Upgrade to Wireshark 1.12 or newer. On Ubuntu 14.04, you can install the Wireshark PPA for this purpose: https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable

answered 09 Feb '16, 09:02


Lekensteyn
accept rate: 30%

edited 09 Feb '16, 09:02
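A small checker for the problem the answer describes, added here as an example and not code from the answer, from Wireshark or from jSSLKeyLog: it strips the carriage returns the way the sed one-liner does, collapses stray whitespace, and reports every CLIENT_RANDOM line that would still fail Wireshark's "line does not match" check (assumed shape: 64 hex characters of client random, one space, 96 hex characters of master secret). The sample file is constructed, not the asker's real secrets.

```python
import re
import sys

# Shape of a usable CLIENT_RANDOM line (assumption stated in the lead-in):
# 32-byte client random and 48-byte master secret, hex, single spaces, no CR.
CLIENT_RANDOM_RE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")


def normalize_keylog(raw: bytes):
    """Return (cleaned text with LF line endings, list of (lineno, issue, line)).

    Comment lines ('#') are kept as-is, CRs are dropped, runs of whitespace in a
    CLIENT_RANDOM line are collapsed, and anything still unusable is reported.
    """
    cleaned, problems = [], []
    for lineno, line in enumerate(raw.decode("ascii", "replace").split("\n"), 1):
        had_cr = line.endswith("\r")
        line = line.rstrip("\r")
        if line == "" or line.startswith("#"):
            cleaned.append(line)
            continue
        candidate = " ".join(line.split())
        if not CLIENT_RANDOM_RE.match(candidate):
            problems.append((lineno, "unrecognised line", line))
            continue
        if had_cr:
            problems.append((lineno, "CRLF line ending stripped", candidate))
        elif candidate != line:
            problems.append((lineno, "whitespace collapsed", candidate))
        cleaned.append(candidate)
    return "\n".join(cleaned), problems


# Constructed sample: two secrets written jSSLKeyLog-style with CRLF and extra
# spaces, plus one line whose master secret is too short to be usable.
SAMPLE = (
    b"# SSL/TLS secrets log file, generated by jSSLKeyLog\r\n"
    b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\r\n"
    b"CLIENT_RANDOM " + b"33" * 32 + b"   " + b"44" * 48 + b"\n"
    b"CLIENT_RANDOM " + b"55" * 32 + b" " + b"66" * 40 + b"\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    text, issues = normalize_keylog(data)
    for lineno, issue, line in issues:
        print(f"line {lineno}: {issue}: {line[:40]}...", file=sys.stderr)
    sys.stdout.write(text)  # LF-only output, ready for Wireshark 1.10
```

Run it as `python keylogfix.py keylog > keylog.lf` and point Wireshark at the new file; anything printed on stderr as "unrecognised line" will not decrypt no matter which Wireshark version reads it.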