This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

is the decryption of TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite supported?

0

I'm unable to decrypt any TLS 1.2 traffic if the cipher suite is TLS_RSA_WITH_AES_256_GCM_SHA384. I'm able to decrypt if I change the cipher suite. I'm using wireshark 2.2.6

Wireshark SSL debug log

Wireshark version: 2.2.6 (v2.2.6-0-g32dac6a)
GnuTLS version:    3.2.15
Libgcrypt version: 1.6.2


KeyID[20]:
| 53 10 1d 8a 77 2e 73 37 e5 6d d9 1b c0 cf 10 dd |S…w.s7.m……|
| fe 13 ad ec                                     |….            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file E:/key.pem successfully loaded.
ssl_init port '443' filename 'E:/key.pem' password(only for p12 file) ''
association_add ssl.port port 443 handle 0000000004B71BC0


dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 221
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 216
decrypt_ssl3_record: app_data len 216, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01


dissect_ssl enter frame #5 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 137
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 81
decrypt_ssl3_record: app_data len 81, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_try_set_version found version 0x0303 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_dissect_hnd_srv_hello found CIPHER 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
record: offset = 86, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 92, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 97 40
decrypt_ssl3_record: app_data len 40, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 0 offset 97 length 0 bytes, remaining 137
dissect_ssl3_handshake iteration 0 type 0 offset 101 length 1 bytes, remaining 137
dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137


dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 6, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 40
decrypt_ssl3_record: app_data len 40, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51
dissect_ssl3_handshake iteration 0 type 0 offset 15 length 0 bytes, remaining 51
dissect_ssl3_handshake iteration 0 type 38 offset 19 length 789024 bytes, remaining 51


dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1428
need_desegmentation: offset = 0, reported_length_remaining = 1428


dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1940, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #11 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 488, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 493, reported_length_remaining = 935
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 527, reported_length_remaining = 901
need_desegmentation: offset = 527, reported_length_remaining = 901


dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1463
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1458, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 34, reported_length_remaining = 1394
need_desegmentation: offset = 34, reported_length_remaining = 1394


dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 2667
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 2662, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 155
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 31, reported_length_remaining = 124
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 65, reported_length_remaining = 90
need_desegmentation: offset = 65, reported_length_remaining = 90


dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1261
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1256, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 257
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 31, reported_length_remaining = 226
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 28, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 64, reported_length_remaining = 193
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 175, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
record: offset = 244, reported_length_remaining = 13
need_desegmentation: offset = 244, reported_length_remaining = 13


dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 34
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #21 (first time)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1428
need_desegmentation: offset = 0, reported_length_remaining = 1428


dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 00000000075920D0
record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1940, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available


dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 221
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221


dissect_ssl enter frame #5 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 137
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
record: offset = 86, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 92, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 0 offset 97 length 0 bytes, remaining 137
dissect_ssl3_handshake iteration 0 type 0 offset 101 length 1 bytes, remaining 137
dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137


dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
record: offset = 6, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51
dissect_ssl3_handshake iteration 0 type 0 offset 15 length 0 bytes, remaining 51
dissect_ssl3_handshake iteration 0 type 38 offset 19 length 789024 bytes, remaining 51


dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #11 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
record: offset = 493, reported_length_remaining = 935
dissect_ssl3_record: content_type 23 Application Data
record: offset = 527, reported_length_remaining = 901
need_desegmentation: offset = 527, reported_length_remaining = 901


dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1463
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
record: offset = 34, reported_length_remaining = 1394
need_desegmentation: offset = 34, reported_length_remaining = 1394


dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 2667
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 155
dissect_ssl3_record: content_type 23 Application Data
record: offset = 31, reported_length_remaining = 124
dissect_ssl3_record: content_type 23 Application Data
record: offset = 65, reported_length_remaining = 90
need_desegmentation: offset = 65, reported_length_remaining = 90


dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1261
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 257
dissect_ssl3_record: content_type 23 Application Data
record: offset = 31, reported_length_remaining = 226
dissect_ssl3_record: content_type 23 Application Data
record: offset = 64, reported_length_remaining = 193
dissect_ssl3_record: content_type 23 Application Data
record: offset = 244, reported_length_remaining = 13
need_desegmentation: offset = 244, reported_length_remaining = 13


dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 34
dissect_ssl3_record: content_type 23 Application Data


dissect_ssl enter frame #22 (already visited)
packet_from_server: is from server - FALSE
conversation = 0000000007591700, ssl_session = 0000000000000000
record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data

asked 10 May ‘17, 13:26

a5snc's gravatar image

a5snc
11224
accept rate: 0%

edited 12 May ‘17, 08:36

grahamb's gravatar image

grahamb ♦
19.8k330206

One Answer:

0

I'm not an expert but this item from the log:

ssl_dissect_change_cipher_spec Session resumption using Session ID

makes me think that the SSL session was resumed. As detailed in this question a resumed session can't be decrypted.

answered 12 May '17, 08:41

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%