Wireshark-users: [Wireshark-users] can't get decryption with pre-master secret log to work.
From: sean wang <swang54@xxxxxxxxxxx>
Date: Sun, 18 May 2014 10:12:05 -0700
Hello,

I've been trying to decrypt the ssl traffic on chrome using the pre-master secret log method, here is what I did:

  1. osx, downloaded latest chrome dev version.
  2. defined SSLKEYLOGFILE as a env variable
  3. made sure my wireshark(1.10.7) is gnutls build.

  4. in wireshark, configed the ssl config to point to the exact file, also make sure the file can be read by anyone( chmod 777)

  5. load my page and start capturing.

I can see that:

1.there is content in the keylog file, there are many roles, all like : CLIENT_RANDOM fdf7092065550a275290721dd44565cd77e................

2. there was handshake steps at the beginning

3. there is data flow in ssl

4. tried to 'decode' the packages data as 'ssl'


tried to log ssl message, what I see is:


......

trying to use SSL keylog in /Users/swang/keylog
  checking keylog line: # SSL/TLS secrets log file, generated by NSS
    line does not match


(saw many like like such, based on the log lines in keylog file dumped by chrom dev version)


 cannot find master secret in keylog file either
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC02B
  record: offset = 99, reported_length_remaining = 1249
  need_desegmentation: offset = 99, reported_length_remaining = 1249



Any suggestions how/what I should look into in the ssl log to get teh root cause?



thanks,