Hi there.
I have a strange issue decoding SUPL traffic (i.e. ULP protocol
traffic encrypted with TLS).
As I operate the SUPL server I have the server private key.
I took two snoops on two different frontends (we proxy the traffic
on the frontend to the backend nodes using HAProxy; the SSL
connection is not terminated on HAProxy, but it is transparently
forwarded to the backend and terminated/decrypted there), and the
sessions were handled by two different backend nodes.
The problem is that I can decrypt one snoop (i.e. there are lines
with protocol "ULP" in the dump), while the other snoop fails to
decrypt (i.e. ...). I checked to make sure that there is no problem on
the backend node with respect to the X.509 setup (Java keystore).
Wireshark is set up in a way that in the protocol prefs for SSL I
have in the RSA key list the private key file specified for IP
address "any" and port "7275", and the protocol is "ulp".
I enabled the SSL debug logging, and I noticed the following. For
the trace that can't be decrypted I see:
ssl_generate_pre_master_secret: found
SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_decrypt_pre_master_secret: session uses DH (17) key exchange,
which is impossible to decrypt
while for the snoop that can be decrypted I see:
ssl_generate_pre_master_secret: found
SSL_HND_CLIENT_KEY_EXCHG, state 17
pre master encrypted[256]:
and then a key in hex follows.
I have no clue how to further investigate this issue; my only guess
is that this is a bug in Wireshark.
Any advice?
If it helps I could send the SSL debug logs, but I would remove all
hex dumps from them, as I know too little about this and can't risk
inadvertently disclosing the server private key.
Kind regards,
Ralf
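The debug line quoted in the post ("session uses DH (17) key exchange, which is impossible to decrypt") is the key point: with only the server's RSA private key, Wireshark can decrypt a session only when the negotiated cipher suite uses RSA key exchange, where the client encrypts the pre-master secret to the server's public key. With a DHE or ECDHE suite the pre-master secret is derived from ephemeral DH values and never travels under the RSA key, so no private key file helps. The cipher suite is chosen by the server in its ServerHello, so a quick way to tell the two captures apart is to read that field. The following is an added example, not code from the original post or from Wireshark: it parses the cleartext TLS records of a server's first flight, finds the ServerHello, maps the cipher suite to its key exchange method and reports whether decryption with the server RSA key is possible at all. The cipher suite table is a subset of the IANA registry, the `build_server_hello` helper only constructs sample input for the demo, and handshake messages fragmented across TLS records are assumed not to occur (true for any real ServerHello of this size).

```python
import struct

# Subset of the IANA TLS cipher suite registry: id -> (name, key exchange).
# Only suites whose key exchange is "RSA" encrypt the pre-master secret
# with the server's RSA key, which is what Wireshark's RSA key list needs.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),  # always ephemeral
}

HANDSHAKE_RECORD = 22
SERVER_HELLO = 2


def build_server_hello(cipher_suite: int, version: bytes = b"\x03\x03") -> bytes:
    """Construct a minimal TLS record carrying a ServerHello (test input only).

    Layout: record header (type, version, length) + handshake header
    (type, 3-byte length) + version + 32-byte random + empty session id
    + cipher suite + null compression. Extensions are omitted.
    """
    body = version + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + version + struct.pack("!H", len(handshake)) + handshake


def iter_handshake_messages(data: bytes):
    """Yield (handshake_type, body) for every handshake message in the records of `data`.

    Assumes each handshake message is contained in one record (no fragmentation).
    """
    off = 0
    while off + 5 <= len(data):
        ctype, _ver_hi, _ver_lo, rlen = struct.unpack("!BBBH", data[off:off + 5])
        payload = data[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE_RECORD:
            continue  # e.g. ChangeCipherSpec or application data
        p = 0
        while p + 4 <= len(payload):
            htype = payload[p]
            hlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield htype, payload[p + 4:p + 4 + hlen]
            p += 4 + hlen


def server_hello_cipher_suite(data: bytes) -> int:
    """Return the cipher suite id chosen by the server, or raise if no ServerHello is present."""
    for htype, body in iter_handshake_messages(data):
        if htype == SERVER_HELLO:
            sid_len = body[34]                      # 2 bytes version + 32 bytes random
            start = 35 + sid_len
            return struct.unpack("!H", body[start:start + 2])[0]
    raise ValueError("no ServerHello found in the supplied records")


def rsa_key_decrypt_possible(data: bytes) -> dict:
    """Classify a server flight: which suite was chosen and whether the RSA key alone can decrypt it."""
    suite = server_hello_cipher_suite(data)
    name, kex = CIPHER_SUITES.get(suite, ("unknown 0x%04x" % suite, "unknown"))
    return {
        "cipher_suite": name,
        "key_exchange": kex,
        "decryptable_with_server_rsa_key": kex == "RSA",
    }


if __name__ == "__main__":
    # Constructed samples standing in for the two backend nodes in the post.
    for label, suite in (("node A", 0x002F), ("node B", 0x0039)):
        print(label, rsa_key_decrypt_possible(build_server_hello(suite)))
```

On a real capture the same check can be done without writing code by listing the ServerHello cipher suite per stream with tshark; in Wireshark versions of the era of this post the field is `ssl.handshake.ciphersuite` (newer releases renamed the protocol prefix to `tls.`), so a filter such as `ssl.handshake.type == 2` with `-T fields -e ssl.handshake.ciphersuite` shows which backend negotiated a DHE or ECDHE suite. If the two backends differ, the fix is on the server side (aligning the enabled cipher suites so the RSA key exchange suites are negotiated, or using a key log instead of the private key), not in Wireshark.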