Wireshark-users: Re: [Wireshark-users] Strange SSL decode issue (SUPL, ULP)
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 15 Apr 2015 07:59:36 +0200
Hi,

As the debug log says, one backend node does while the other doesn't use a DH
key exchange. I would look carefully at the crypto configuration of both backend
nodes.

Thanks,
Jaap


On 04/14/2015 10:28 PM, Ralf G. R. Bergs wrote:
> Hi there.
> 
> I have a strange issue decoding SUPL traffic (i. e. ULP protocol traffic
> encrypted with TLS).
> 
> As I operate the SUPL server I have the server private key.
> 
> I took two snoops on two different frontends (we proxy the traffic on the
> frontend to the backend nodes using HAProxy; the SSL connection is not
> terminated on HAProxy, but it is transparently forwarded to the backend and
> terminated/decrypted there), and the sessions were handled by two different
> backend nodes.
> 
> The problem is that I can decrypt one snoop (i. e. there are lines with protocol
> "ULP" in the dump,) while the other snoop fails to decrypt (i. e. . I checked to
> make sure that there is no problem on the backend node WRT to X.509 setup (Java
> keystore).
> 
> WireShark is set up in a way that in the protocol prefs for SSL I have in the
> RSA key list the private key file specified for IP address "any" and port
> "7275," and the protocol is "ulp."
> 
> I enabled the SSL debug logging, and I noticed the following: For the trace that
> can't be decrypted I see the following:
>> ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
>> ssl_decrypt_pre_master_secret: session uses DH (17) key exchange, which is
>> impossible to decrypt
> while for the snoop that /can/ be decrypted I see the following:
>> ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
>> pre master encrypted[256]:
> and then a key in hex follows.
> 
> I have no clue how to further investigate this issue, my only guess that this is
> a bug in WireShark.
> 
> Any advice?
> 
> If it helps I could send the SSL debug logs, but I would remove all hex dump
> from them as I know too little about this, and I can't inadvertently disclose
> the server private key.
> 
> Kind regards,
> 
> Ralf
> 
> 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>