This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm unable to decrypt any TLS 1.2 traffic if the cipher suite is TLS_RSA_WITH_AES_256_GCM_SHA384. I'm able to decrypt if I change the cipher suite. I'm using Wireshark 2.2.6.

Wireshark SSL debug log

Wireshark version: 2.2.6 (v2.2.6-0-g32dac6a)
GnuTLS version:    3.2.15
Libgcrypt version: 1.6.2

KeyID[20]:
| 53 10 1d 8a 77 2e 73 37 e5 6d d9 1b c0 cf 10 dd |S...w.s7.m......|
| fe 13 ad ec                                     |....            |
ssl_load_key: swapping p and q parameters and recomputing u
ssl_init private key file E:/key.pem successfully loaded.
ssl_init port '443' filename 'E:/key.pem' password(only for p12 file) ''
association_add ssl.port port 443 handle 0000000004B71BC0

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 221
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 216
decrypt_ssl3_record: app_data len 216, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221 
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #5 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 137
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 5 81
decrypt_ssl3_record: app_data len 81, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 
ssl_try_set_version found version 0x0303 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_dissect_hnd_srv_hello found CIPHER 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
  record: offset = 86, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
  record: offset = 92, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 97 40
decrypt_ssl3_record: app_data len 40, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 0 offset 97 length 0 bytes, remaining 137 
dissect_ssl3_handshake iteration 0 type 0 offset 101 length 1 bytes, remaining 137 
dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137

dissect_ssl enter frame #7 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 6, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
Calculating hash with offset 11 40
decrypt_ssl3_record: app_data len 40, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51 
dissect_ssl3_handshake iteration 0 type 0 offset 15 length 0 bytes, remaining 51 
dissect_ssl3_handshake iteration 0 type 38 offset 19 length 789024 bytes, remaining 51

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1428
  need_desegmentation: offset = 0, reported_length_remaining = 1428

dissect_ssl enter frame #9 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1940, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #11 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 488, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 493, reported_length_remaining = 935
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 527, reported_length_remaining = 901
  need_desegmentation: offset = 527, reported_length_remaining = 901

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1463
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1458, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #14 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 34, reported_length_remaining = 1394
  need_desegmentation: offset = 34, reported_length_remaining = 1394

dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 2667
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 2662, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #16 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 155
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 31, reported_length_remaining = 124
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 65, reported_length_remaining = 90
  need_desegmentation: offset = 65, reported_length_remaining = 90

dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1261
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1256, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #18 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 257
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 31, reported_length_remaining = 226
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 28, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 64, reported_length_remaining = 193
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 175, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 244, reported_length_remaining = 13
  need_desegmentation: offset = 244, reported_length_remaining = 13

dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 26, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #19 (first time)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 34
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 29, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #21 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1428
  need_desegmentation: offset = 0, reported_length_remaining = 1428

dissect_ssl enter frame #22 (first time)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 00000000075920D0
  record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 1940, ssl state 0x97
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #4 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 221
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221

dissect_ssl enter frame #5 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 137
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 
  record: offset = 86, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 92, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 0 offset 97 length 0 bytes, remaining 137 
dissect_ssl3_handshake iteration 0 type 0 offset 101 length 1 bytes, remaining 137 
dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137

dissect_ssl enter frame #7 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 51
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 6, reported_length_remaining = 45
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 0 offset 11 length 0 bytes, remaining 51 
dissect_ssl3_handshake iteration 0 type 0 offset 15 length 0 bytes, remaining 51 
dissect_ssl3_handshake iteration 0 type 38 offset 19 length 789024 bytes, remaining 51

dissect_ssl enter frame #9 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #11 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 493, reported_length_remaining = 935
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 527, reported_length_remaining = 901
  need_desegmentation: offset = 527, reported_length_remaining = 901

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1463
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #12 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #14 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1428
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 34, reported_length_remaining = 1394
  need_desegmentation: offset = 34, reported_length_remaining = 1394

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 2667
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #16 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 155
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 31, reported_length_remaining = 124
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 65, reported_length_remaining = 90
  need_desegmentation: offset = 65, reported_length_remaining = 90

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1261
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #18 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 257
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 31, reported_length_remaining = 226
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 64, reported_length_remaining = 193
dissect_ssl3_record: content_type 23 Application Data
  record: offset = 244, reported_length_remaining = 13
  need_desegmentation: offset = 244, reported_length_remaining = 13

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 31
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #19 (already visited)
packet_from_server: is from server - TRUE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 34
dissect_ssl3_record: content_type 23 Application Data

dissect_ssl enter frame #22 (already visited)
packet_from_server: is from server - FALSE
  conversation = 0000000007591700, ssl_session = 0000000000000000
  record: offset = 0, reported_length_remaining = 1945
dissect_ssl3_record: content_type 23 Application Data

asked 10 May '17, 13:26

a5snc

edited 12 May '17, 08:36

grahamb ♦

I'm not an expert but this item from the log:

ssl_dissect_change_cipher_spec Session resumption using Session ID

makes me think that the SSL session was resumed. As detailed in this question, a resumed session can't be decrypted.

answered 12 May '17, 08:41

grahamb ♦
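
The diagnosis in the answer above, as an added example (not part of the original post and not Wireshark code): a Python triage of an SSL debug log that looks for the resumption marker and for a cleartext ClientKeyExchange (handshake type 16), the message an RSA key file needs in order to recover the master secret. The first sample is an excerpt of the log in the question; the second is constructed for contrast, and the verdict strings are this example's own labels.

```python
import re

# Excerpt of the first-pass debug log posted in the question.
RESUMED_LOG = """\
ssl_init private key file E:/key.pem successfully loaded.
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221 
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86 
ssl_dissect_hnd_srv_hello found CIPHER 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
dissect_ssl3_record: content_type 20 Change Cipher Spec
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
ssl_restore_master_key can't find master secret by Session ID
  Cannot find master secret
dissect_ssl3_handshake iteration 0 type 252 offset 106 length 6788274 bytes, remaining 137
"""

# Constructed contrast case (same line formats): a full handshake in which the
# ClientKeyExchange (type 16) is seen before the first Change Cipher Spec.
FULL_LOG = """\
ssl_init private key file E:/key.pem successfully loaded.
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 212 bytes, remaining 221
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
ssl_dissect_hnd_srv_hello found CIPHER 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384 -> state 0x97
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
dissect_ssl3_record: content_type 20 Change Cipher Spec
"""

HS_TYPE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+) ")
CIPHER = re.compile(r"found CIPHER 0x[0-9A-Fa-f]{4} (\S+)")

def diagnose(log_text):
    """Summarise why a TLS session in a Wireshark SSL debug log was not decrypted."""
    types, cipher, seen_ccs = [], None, False
    resumed = no_keylog = no_master = False
    for line in log_text.splitlines():
        if "content_type 20 Change Cipher Spec" in line:
            seen_ccs = True  # handshake "types" after this are ciphertext bytes
        m = HS_TYPE.search(line)
        if m and not seen_ccs:
            types.append(int(m.group(1)))
        m = CIPHER.search(line)
        if m:
            cipher = m.group(1)
        resumed |= "Session resumption using" in line
        no_keylog |= "keylog_file is not configured" in line
        no_master |= "Cannot find master secret" in line
    has_cke = 16 in types
    if no_master and resumed and not has_cke:
        verdict = "resumed-no-cke"        # nothing for the RSA key to decrypt
    elif no_master:
        verdict = "master-secret-missing"
    else:
        verdict = "no-failure-logged"
    return {"cipher": cipher, "cleartext_handshake_types": types,
            "has_client_key_exchange": has_cke, "resumed": resumed,
            "keylog_configured": not no_keylog, "verdict": verdict}
```
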
