Wireshark-bugs: [Wireshark-bugs] [Bug 6594] New: Failure to decrypt some SSL streams
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6594
Summary: Failure to decrypt some SSL streams
Product: Wireshark
Version: 1.6.3
Platform: x86
OS/Version: Windows 7
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: mcclown@xxxxxxxxx
Created an attachment (id=7429)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7429)
A capture with ssl decryption failing.
Build Information:
Version 1.6.3 (SVN Rev 39702 from /trunk-1.6)
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Nov 1 2011), with AirPcap.
Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.
Built using Microsoft Visual C++ 9.0 build 21022
--
Hi,
I've been looking at a collection of SSL sites with Wireshark and a debug build of
Firefox that dumps the SSL pre-master secrets so that I can use them to decrypt
the SSL traffic. Wireshark now supports working with these dumps since the
patch in #4349 was applied. As part of this work I've noticed a few bugs or
missing features in Wireshark's SSL decryption functionality. I've opened this
issue to track one of them.
I've attached two captures where there are some SSL streams that Wireshark
completely failed to decrypt. These captures were run on a completely new
machine that had just been built, so there shouldn't be any problems with
session resumption or anything like that. The simplest way to open up these
captures with the key file is to call Wireshark from the command line like
this:
wireshark.exe -o ssl.keylog_file:"<path to keyfile>" <path to pcap>
From looking at the captures these differences stick out from my other
captures:
- they both use TLS_RSA_WITH_CAMELLIA_256_CBC_SHA as their cipher suite, I
haven't noticed any other captures using this but I haven't done a conclusive
search through them.
- 'Server Hello', 'Certificate' and 'Server Hello Done' are all in the one
packet. In the other ~20 captures I've looked at 'Server Hello' was in its own
packet.
- SSL handshake 'Finished' messages from both the client and the server aren't
being decrypted. They're showing up as 'Encrypted Handshake Message' instead.
In the ssl debug file I get the following error for the first of these packets:
ssl_generate_keyring_material not enough data to generate key (0x53 required 0x37 or 0x57)
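The three hex values in that debug line are bitmasks over the dissector's per-session state: the first is what the dissector currently has, the other two are the two acceptable combinations (everything plus a master secret, or everything plus a pre-master secret). The helper below is an added example, not from the bug report or from Wireshark's own code; it decodes the masks with the SSL_* state bits as they are defined in Wireshark's epan/dissectors/packet-ssl-utils.h, and those bit values are an assumption to be checked against the source tree in use. As a consistency check, recomputing the two "required" values from the assumed bits must give the 0x37 and 0x57 quoted above.

```python
import re

# Bits of the dissector's per-session state word, as assumed from
# epan/dissectors/packet-ssl-utils.h (verify against your Wireshark source tree).
STATE_FLAGS = {
    "SSL_CLIENT_RANDOM": 1 << 0,
    "SSL_SERVER_RANDOM": 1 << 1,
    "SSL_CIPHER": 1 << 2,
    "SSL_HAVE_SESSION_KEY": 1 << 3,
    "SSL_VERSION": 1 << 4,
    "SSL_MASTER_SECRET": 1 << 5,
    "SSL_PRE_MASTER_SECRET": 1 << 6,
}

# Matches the debug line format: "(0x<have> required 0x<need_ms> or 0x<need_pms>)"
LINE_RE = re.compile(
    r"ssl_generate_keyring_material not enough data to generate key "
    r"\(0x([0-9A-Fa-f]+) required 0x([0-9A-Fa-f]+) or 0x([0-9A-Fa-f]+)\)"
)


def flag_names(mask):
    """Names of the STATE_FLAGS bits that are set in mask, in definition order."""
    return [name for name, bit in STATE_FLAGS.items() if mask & bit]


def expected_required():
    """The two 'required' masks as the dissector builds them from the assumed bits."""
    f = STATE_FLAGS
    need_all = f["SSL_CLIENT_RANDOM"] | f["SSL_SERVER_RANDOM"] | f["SSL_CIPHER"] | f["SSL_VERSION"]
    return need_all | f["SSL_MASTER_SECRET"], need_all | f["SSL_PRE_MASTER_SECRET"]


def diagnose(debug_line):
    """Decode one ssl_debug_file line; returns None if it is not the keyring error."""
    m = LINE_RE.search(debug_line)
    if not m:
        return None
    have, need_ms, need_pms = (int(x, 16) for x in m.groups())
    common = need_ms & need_pms  # prerequisites shared by both acceptable paths
    return {
        "have": flag_names(have),
        "missing_for_master_secret_path": flag_names(need_ms & ~have),
        "missing_for_pre_master_secret_path": flag_names(need_pms & ~have),
        "missing_common": flag_names(common & ~have),
    }


if __name__ == "__main__":
    # Constructed input: the exact line quoted in the bug report.
    line = "ssl_generate_keyring_material not enough data to generate key (0x53 required 0x37 or 0x57)"
    print(diagnose(line))
```

For the line in this report the decoder shows the session already holds client random, server random, version and the pre-master secret, so the one prerequisite absent on both paths is SSL_CIPHER, which matches the reporter's observation that these streams use a cipher suite the other captures did not.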