This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

is the decryption of TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite supported?

0

I'm unable to decrypt any TLS 1.2 traffic if the cipher suite is TLS_RSA_WITH_AES_256_GCM_SHA384. I'm able to decrypt if I change the cipher suite. I'm using wireshark 2.2.6

Wireshark SSL debug log

Wireshark version: 2.2.6 (v2.2.6-0-g32dac6a) GnuTLS version: 3.2.15 Libgcrypt version: 1.6.2

KeyID[20]: | 53 10 1d 8a 77 2e 73 37 e5 6d d9 1b c0 cf 10 dd |S…w.s7.m……| | fe 13 ad ec |…. | ssl_load_key: swapping p and q parameters and recomputing u ssl_init private key file E:/key.pem successfully loaded. ssl_init port '443' filename 'E:/key.pem' password(only for p12 file) '' association_add ssl.port port 443 handle 0000000004B71BC0

dissect_ssl enter frame #4 (first time) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 221 dissect_ssl3_record: content_type 22 Handshake Calculating hash with offset 5 216 decrypt_ssl3_record: app_data len 216, ssl state 0x00 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221 ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #5 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 137 ssl_try_set_version found version 0x0303 -> state 0x91 dissect_ssl3_record: content_type 22 Handshake Calculating hash with offset 5 81 decrypt_ssl3_record: app_data len 81, ssl state 0x91 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 ssl_try_set_version found version 0x0303 -> state 0x91 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 ssl_dissect_hnd_srv_hello found CIPHER 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97 record: offset = 86, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec ssl_dissect_change_cipher_spec Session resumption using Session ID ssl_load_keyfile dtls/ssl.keylog_file is not configured! ssl_finalize_decryption state = 0x97 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't restore master secret using an empty Session Ticket ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 92, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake Calculating hash with offset 97 40 decrypt_ssl3_record: app_data len 40, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 0 offset 97 length 0 bytes, remaining 137 dissect_ssl3_handshake iteration 0 type 0 offset 101 length 1 bytes, remaining 137 dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137

dissect_ssl enter frame #7 (first time) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec ssl_load_keyfile dtls/ssl.keylog_file is not configured! ssl_finalize_decryption state = 0x97 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't restore master secret using an empty Session Ticket ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 6, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake Calculating hash with offset 11 40 decrypt_ssl3_record: app_data len 40, ssl state 0x97 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51 dissect_ssl3_handshake iteration 0 type 0 offset 15 length 0 bytes, remaining 51 dissect_ssl3_handshake iteration 0 type 38 offset 19 length 789024 bytes, remaining 51

dissect_ssl enter frame #8 (first time) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1428 need_desegmentation: offset = 0, reported_length_remaining = 1428

dissect_ssl enter frame #9 (first time) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1945 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1940, ssl state 0x97 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #11 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1428 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 488, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 493, reported_length_remaining = 935 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 29, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 527, reported_length_remaining = 901 need_desegmentation: offset = 527, reported_length_remaining = 901

dissect_ssl enter frame #12 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1463 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1458, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #12 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 26, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #14 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1428 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 29, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 34, reported_length_remaining = 1394 need_desegmentation: offset = 34, reported_length_remaining = 1394

dissect_ssl enter frame #16 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 2667 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 2662, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #16 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 155 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 26, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 31, reported_length_remaining = 124 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 29, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 65, reported_length_remaining = 90 need_desegmentation: offset = 65, reported_length_remaining = 90

dissect_ssl enter frame #18 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1261 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1256, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #18 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 257 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 26, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 31, reported_length_remaining = 226 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 28, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 64, reported_length_remaining = 193 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 175, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available record: offset = 244, reported_length_remaining = 13 need_desegmentation: offset = 244, reported_length_remaining = 13

dissect_ssl enter frame #19 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 26, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #19 (first time) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 34 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 29, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #21 (first time) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1428 need_desegmentation: offset = 0, reported_length_remaining = 1428

dissect_ssl enter frame #22 (first time) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 00000000075920D0 record: offset = 0, reported_length_remaining = 1945 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1940, ssl state 0x97 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 221 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221

dissect_ssl enter frame #5 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 137 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 record: offset = 86, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec record: offset = 92, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 0 offset 97 length 0 bytes, remaining 137 dissect_ssl3_handshake iteration 0 type 0 offset 101 length 1 bytes, remaining 137 dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137

dissect_ssl enter frame #7 (already visited) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec record: offset = 6, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51 dissect_ssl3_handshake iteration 0 type 0 offset 15 length 0 bytes, remaining 51 dissect_ssl3_handshake iteration 0 type 38 offset 19 length 789024 bytes, remaining 51

dissect_ssl enter frame #9 (already visited) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1945 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #11 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1428 dissect_ssl3_record: content_type 23 Application Data record: offset = 493, reported_length_remaining = 935 dissect_ssl3_record: content_type 23 Application Data record: offset = 527, reported_length_remaining = 901 need_desegmentation: offset = 527, reported_length_remaining = 901

dissect_ssl enter frame #12 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1463 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #12 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #14 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1428 dissect_ssl3_record: content_type 23 Application Data record: offset = 34, reported_length_remaining = 1394 need_desegmentation: offset = 34, reported_length_remaining = 1394

dissect_ssl enter frame #16 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2667 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #16 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 155 dissect_ssl3_record: content_type 23 Application Data record: offset = 31, reported_length_remaining = 124 dissect_ssl3_record: content_type 23 Application Data record: offset = 65, reported_length_remaining = 90 need_desegmentation: offset = 65, reported_length_remaining = 90

dissect_ssl enter frame #18 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1261 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #18 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 257 dissect_ssl3_record: content_type 23 Application Data record: offset = 31, reported_length_remaining = 226 dissect_ssl3_record: content_type 23 Application Data record: offset = 64, reported_length_remaining = 193 dissect_ssl3_record: content_type 23 Application Data record: offset = 244, reported_length_remaining = 13 need_desegmentation: offset = 244, reported_length_remaining = 13

dissect_ssl enter frame #19 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #19 (already visited) packet_from_server: is from server - TRUE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 34 dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #22 (already visited) packet_from_server: is from server - FALSE conversation = 0000000007591700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1945 dissect_ssl3_record: content_type 23 Application Data

asked 10 May ‘17, 13:26

a5snc's gravatar image

a5snc
11224
accept rate: 0%

edited 12 May ‘17, 08:36

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

0

I'm not an expert but this item from the log:

ssl_dissect_change_cipher_spec Session resumption using Session ID

makes me think that the SSL session was resumed. As detailed in this question a resumed session can't be decrypted.

answered 12 May '17, 08:41

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%