This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is decoder decrypt_ssl3_record: no decoder available

Hello Team, can someone help me to understand why we can't decrypt SSL communication? This is a capture on a Windows 2008 web server. One thing that stands out from the trace is the following: no decoder available

decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

Any comment or feedback appreciated. Thank you

Wireshark SSL debug log:

Wireshark version: 2.2.5 (v2.2.5-0-g440fd4d)
GnuTLS version:    3.2.15
Libgcrypt version: 1.6.2

KeyID[20]:
| 4f 53 67 9a 82 f5 a6 b7 af a1 84 b1 d7 0b b9 d8 |OSg.............|
| d5 c9 b3 9f                                     |....            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file F:/openssl/wildccf2018.ukey successfully loaded.
ssl_init port '443' filename 'F:/openssl/wildccf2018.ukey' password(only for p12 file) ''
association_add ssl.port port 443 handle 00000000047F5C60

dissect_ssl enter frame #477 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
record: offset = 0, reported_length_remaining = 741
ssl_try_set_version found version 0x0301 -> state 0x10
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 736, ssl state 0x10
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #478 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
record: offset = 0, reported_length_remaining = 101
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 96, ssl state 0x10
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #480 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
record: offset = 0, reported_length_remaining = 5269
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 5264, ssl state 0x10
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #2037 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 169
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 164
decrypt_ssl3_record: app_data len 164, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 160 bytes, remaining 169
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #2038 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 2920
need_desegmentation: offset = 0, reported_length_remaining = 2920

dissect_ssl enter frame #2040 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 4766
ssl_try_set_version found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 4761
decrypt_ssl3_record: app_data len 4761, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 4766
ssl_try_set_version found version 0x0301 -> state 0x11
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_dissect_hnd_srv_hello found CIPHER 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
dissect_ssl3_handshake iteration 0 type 11 offset 90 length 2552 bytes, remaining 4766
lookup(KeyID)[20]:
| 4f 53 67 9a 82 f5 a6 b7 af a1 84 b1 d7 0b b9 d8 |OSg.............|
| d5 c9 b3 9f                                     |....            |
ssl_find_private_key_by_pubkey: lookup result: 00000000056ACBA0
dissect_ssl3_handshake iteration 0 type 22 offset 2646 length 1781 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 12 offset 4431 length 327 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 14 offset 4762 length 0 bytes, remaining 4766

dissect_ssl enter frame #2046 (first time)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 134
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 70
decrypt_ssl3_record: app_data len 70, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 217
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret
record: offset = 75, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x217
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 81, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 86 48
decrypt_ssl3_record: app_data len 48, ssl state 0x217
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 152 offset 86 length 8466910 bytes, remaining 134

dissect_ssl enter frame #2047 (first time)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
record: offset = 0, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Not using Session resumption
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x217
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 6, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 48
decrypt_ssl3_record: app_data len 48, ssl state 0x217
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 199 offset 11 length 3439322 bytes, remaining 59

dissect_ssl enter frame #2037 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 169
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 160 bytes, remaining 169

dissect_ssl enter frame #2040 (already visited)
packet_from_server: is from server - TRUE
conversation = 00000000074873F0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 4766
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 11 offset 90 length 2552 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 22 offset 2646 length 1781 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 12 offset 4431 length 327 bytes, remaining 4766
dissect_ssl3_handshake iteration 0 type 14 offset 4762 length 0 bytes, remaining 4766

dissect_ssl enter frame #2046 (already visited)
packet_from_server: is from server - FALSE
conversation = 00000000074873F0, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 134
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
record: offset = 75, reported_length_remaining = 59
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 81, reported_length_remaining = 53
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 152 offset 86 length 8466910 bytes, remaining 134

asked 16 Mar ‘17, 08:05

pozzccf

edited 16 Mar ‘17, 08:28

grahamb ♦

One Answer:

From your SSL debug log:

ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) and cannot be decrypted using a RSA private key file.

As per the SSL Wiki page, an SSL session that uses a DH key exchange can't be decrypted using the RSA private key file. Instead you have to persuade the client to give up the pre-master secret and then configure Wireshark to use that (SSL preferences, (Pre)-Master-Secret log filename).

answered 16 Mar '17, 08:38

grahamb ♦

edited 16 Mar '17, 08:39
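
The diagnosis in the answer above, as an added example that is not part of the original posts or of Wireshark: a Python sketch that reads an SSL debug log and reports, per conversation, why no decoder was available. The function names and verdict strings are assumptions of this example; the sample log is excerpted from the question, one message per line.

```python
import re

# Excerpt of the debug log posted in the question, one message per line.
SAMPLE_LOG = """\
conversation = 00000000074873F0, ssl_session = 0000000007487DC0
ssl_dissect_hnd_srv_hello found CIPHER 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_generate_pre_master_secret: can't decrypt pre-master secret
Cannot find master secret
conversation = 00000000073DDB10, ssl_session = 00000000073DE080
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: no decoder available
"""

CONV = re.compile(r"conversation = ([0-9A-Fa-f]+)")
CIPHER = re.compile(r"found CIPHER 0x[0-9A-Fa-f]{4} (\S+)")

def diagnose(log_text):
    """Map each conversation in an SSL debug log to (verdict, cipher_suite)."""
    sessions, cur = {}, None
    for line in log_text.splitlines():
        m = CONV.search(line)
        if m:  # each frame block names its conversation; later messages belong to it
            cur = sessions.setdefault(
                m.group(1), {"cipher": None, "keylog": True, "failed": False})
        if cur is None:
            continue
        m = CIPHER.search(line)
        if m:
            cur["cipher"] = m.group(1)
        if "keylog_file is not configured" in line:
            cur["keylog"] = False
        if "no decoder available" in line or "Cannot find master secret" in line:
            cur["failed"] = True
    return {conv: (_verdict(s), s["cipher"]) for conv, s in sessions.items()}

def _verdict(s):
    if not s["failed"]:
        return "no_failure_logged"
    if s["cipher"] is None:
        # No ServerHello logged for this conversation (this example's reading:
        # the capture began mid-session), so there is nothing to derive keys from.
        return "handshake_not_in_log"
    key_exchange = s["cipher"].split("_WITH_")[0]  # e.g. TLS_ECDHE_RSA
    if "DH" in key_exchange:
        # The (EC)DH secret is never sent encrypted under the server's RSA key.
        return "dh_needs_keylog_file" if not s["keylog"] else "dh_secret_missing_from_keylog"
    return "rsa_key_exchange_check_key_file"

if __name__ == "__main__":
    for conv, (verdict, cipher) in diagnose(SAMPLE_LOG).items():
        print(conv, verdict, cipher)
```

On the excerpt, the second conversation (frames #477 to #480 in the question) fails for a different reason than the one the answer quotes: the log shows only Application Data for it, so neither an RSA key file nor a key log can help.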