Wireshark mailing list archives
Strange SSL decode issue (SUPL, ULP)
From: "Ralf G. R. Bergs" <Ralf+WireShark () bergs biz>
Date: Tue, 14 Apr 2015 22:28:20 +0200
Hi there. I have a strange issue decoding SUPL traffic (i. e. ULP protocol traffic encrypted with TLS). As I operate the SUPL server I have the server private key. I took two snoops on two different frontends (we proxy the traffic on the frontend to the backend nodes using HAProxy; the SSL connection is not terminated on HAProxy, but it is transparently forwarded to the backend and terminated/decrypted there), and the sessions were handled by two different backend nodes. The problem is that I can decrypt one snoop (i. e. there are lines with protocol "ULP" in the dump,) while the other snoop fails to decrypt (i. e. . I checked to make sure that there is no problem on the backend node WRT to X.509 setup (Java keystore). WireShark is set up in a way that in the protocol prefs for SSL I have in the RSA key list the private key file specified for IP address "any" and port "7275," and the protocol is "ulp." I enabled the SSL debug logging, and I noticed the following: For the trace that can't be decrypted I see the following:
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17 ssl_decrypt_pre_master_secret: session uses DH (17) key exchange, which is impossible to decrypt
while for the snoop that /can/ be decrypted I see the following:
ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17 pre master encrypted[256]:
and then a key in hex follows. I have no clue how to further investigate this issue, my only guess that this is a bug in WireShark. Any advice? If it helps I could send the SSL debug logs, but I would remove all hex dump from them as I know too little about this, and I can't inadvertently disclose the server private key. Kind regards, Ralf
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Strange SSL decode issue (SUPL, ULP) Ralf G. R. Bergs (Apr 14)
- Re: Strange SSL decode issue (SUPL, ULP) Jaap Keuter (Apr 14)
- Re: Strange SSL decode issue (SUPL, ULP) Ralf G. R. Bergs (Apr 15)
- Re: Strange SSL decode issue (SUPL, ULP) Jaap Keuter (Apr 16)
- Re: Strange SSL decode issue (SUPL, ULP) Ralf G. R. Bergs (Apr 17)
- Re: Strange SSL decode issue (SUPL, ULP) Ralf G. R. Bergs (Apr 15)
- Re: Strange SSL decode issue (SUPL, ULP) Jaap Keuter (Apr 14)
- Re: Strange SSL decode issue (SUPL, ULP) Ralf G. R. Bergs (Apr 27)
- Re: Strange SSL decode issue (SUPL, ULP) Sake Blok (Apr 28)
- Re: Strange SSL decode issue (SUPL, ULP) Ralf G. R. Bergs (Apr 28)
- Re: Strange SSL decode issue (SUPL, ULP) Sake Blok (Apr 28)