Wireshark mailing list archives
Re: Strange SSL decode issue (SUPL, ULP)
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Wed, 15 Apr 2015 07:59:36 +0200
Hi,

As the debug log says, one backend node does while the other doesn't use a DH key exchange. I would look carefully at the crypto configuration of both backend nodes.

Thanks,
Jaap

On 04/14/2015 10:28 PM, Ralf G. R. Bergs wrote:
Hi there.

I have a strange issue decoding SUPL traffic (i. e. ULP protocol traffic encrypted with TLS). As I operate the SUPL server I have the server private key.

I took two snoops on two different frontends (we proxy the traffic on the frontend to the backend nodes using HAProxy; the SSL connection is not terminated on HAProxy, but it is transparently forwarded to the backend and terminated/decrypted there), and the sessions were handled by two different backend nodes.

The problem is that I can decrypt one snoop (i. e. there are lines with protocol "ULP" in the dump), while the other snoop fails to decrypt (i. e. .

I checked to make sure that there is no problem on the backend node WRT to X.509 setup (Java keystore).

WireShark is set up in a way that in the protocol prefs for SSL I have in the RSA key list the private key file specified for IP address "any" and port "7275," and the protocol is "ulp."

I enabled the SSL debug logging, and I noticed the following:

For the trace that can't be decrypted I see the following:

    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    ssl_decrypt_pre_master_secret: session uses DH (17) key exchange, which is impossible to decrypt

while for the snoop that /can/ be decrypted I see the following:

    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    pre master encrypted[256]:

and then a key in hex follows.

I have no clue how to further investigate this issue, my only guess is that this is a bug in WireShark.

Any advice? If it helps I could send the SSL debug logs, but I would remove all hex dump from them as I know too little about this, and I can't inadvertently disclose the server private key.

Kind regards,
Ralf

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe