Wireshark mailing list archives

Strange SSL decode issue (SUPL, ULP)


From: "Ralf G. R. Bergs" <Ralf+WireShark () bergs biz>
Date: Tue, 14 Apr 2015 22:28:20 +0200

Hi there.

I have a strange issue decoding SUPL traffic (i. e. ULP protocol traffic
encrypted with TLS).

As I operate the SUPL server I have the server private key.

I took two snoops on two different frontends (we proxy the traffic on
the frontend to the backend nodes using HAProxy; the SSL connection is
not terminated on HAProxy, but it is transparently forwarded to the
backend and terminated/decrypted there), and the sessions were handled
by two different backend nodes.

The problem is that I can decrypt one snoop (i. e. there are lines with
protocol "ULP" in the dump) while the other snoop fails to decrypt (i.
e. . I checked to make sure that there is no problem on the backend node
WRT X.509 setup (Java keystore).

WireShark is set up in a way that in the protocol prefs for SSL I have
in the RSA key list the private key file specified for IP address "any"
and port "7275," and the protocol is "ulp."

I enabled the SSL debug logging, and I noticed the following: For the
trace that can't be decrypted I see the following:

    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    ssl_decrypt_pre_master_secret: session uses DH (17) key exchange,
    which is impossible to decrypt

while for the snoop that /can/ be decrypted I see the following:

    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    pre master encrypted[256]:

and then a key in hex follows.

I have no clue how to further investigate this issue; my only guess is
that this is a bug in WireShark.

Any advice?

If it helps I could send the SSL debug logs, but I would remove all hex
dumps from them as I know too little about this, and I can't
inadvertently disclose the server private key.

Kind regards,

Ralf

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
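The debug line quoted in the message ("session uses DH (17) key exchange, which is impossible to decrypt") is the key diagnostic: Wireshark can only recover the pre-master secret with the server's RSA private key when the session negotiated a plain RSA key exchange, and an (EC)DHE session gives a passive observer nothing to decrypt with that key. The script below is an added example (not code from the Wireshark project or from the original post): it reads the cipher suite out of a TLS ServerHello record and reports whether the server's private key alone can decrypt that session. The ServerHello bytes it feeds itself are constructed sample input, the cipher suite IDs are IANA-registered values, and the short suite table is an assumption for illustration (suites outside it are reported as unknown). Comparing the ServerHello of the two captures this way shows whether the two backends negotiated different key exchange methods.

```python
"""Classify a TLS ServerHello's negotiated cipher suite to tell whether a
capture can be decrypted with only the server's RSA private key.

Added example, not code from the Wireshark project or the original post.
Cipher suite IDs are IANA-registered; ServerHello bytes are constructed.
"""

# Selection of IANA cipher suite IDs grouped by key exchange. Assumption:
# a short table suffices to illustrate the check; a real capture may use a
# suite not listed here, which diagnose() reports as unknown.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
DH_KX_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def negotiated_cipher_suite(record: bytes) -> int:
    """Return the cipher suite ID from a TLS record carrying a ServerHello."""
    if len(record) < 6 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    # record header (5) + handshake header (4) + server_version (2) + random (32)
    off = 5 + 4 + 2 + 32
    sid_len = record[off]          # session_id length, then session_id
    off += 1 + sid_len
    if off + 2 > len(record):
        raise ValueError("truncated ServerHello")
    return int.from_bytes(record[off:off + 2], "big")


def diagnose(record: bytes) -> str:
    """Say whether the server's RSA private key alone can decrypt the session."""
    suite = negotiated_cipher_suite(record)
    if suite in RSA_KX_SUITES:
        return f"{RSA_KX_SUITES[suite]}: RSA key exchange, server private key can decrypt"
    if suite in DH_KX_SUITES:
        return f"{DH_KX_SUITES[suite]}: (EC)DHE key exchange, server private key cannot decrypt"
    return f"unknown cipher suite 0x{suite:04X}"


def build_server_hello(suite: int) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample input only)."""
    body = (b"\x03\x03" + bytes(range(32))   # server_version, 32-byte random
            + b"\x00"                         # empty session_id
            + suite.to_bytes(2, "big")        # negotiated cipher suite
            + b"\x00")                        # null compression method
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


# Constructed stand-ins for the ServerHello seen in each of the two captures.
RSA_HELLO = build_server_hello(0x002F)
ECDHE_HELLO = build_server_hello(0xC02F)

if __name__ == "__main__":
    for name, rec in (("capture 1", RSA_HELLO), ("capture 2", ECDHE_HELLO)):
        print(f"{name}: {diagnose(rec)}")
```

In Wireshark itself the same information is visible in the ServerHello's "Cipher Suite" field; a suite whose name starts with TLS_RSA_ is decryptable with the configured RSA key, while a TLS_DHE_ or TLS_ECDHE_ suite is not, regardless of the key file, because the pre-master secret is never sent under the server's public key.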