Cannot decrypt HTTPS with Wireshark. The steps done are described as follows. Can anybody help to throw light on this? Thx!

Step 1: start an HTTP server

    C:\Users\ebinshe\Documents\projects\test-openssl
    λ echo 'hello, world.' >index.txt

    C:\Users\ebinshe\Documents\projects\test-openssl
    λ openssl s_server -key key.pem -cert cert.pem -WWW
    Using default temp DH parameters
    ACCEPT

Step 2: test it with "openssl" and catch the traffic with "RawCap.exe"

    C:\Users\ebinshe\Documents\projects\test-openssl
    λ openssl s_client -crlf -cipher 'DHE-RSA-AES128-SHA' -host localhost  -port 4433 -no_tls1_2
    CONNECTED(00000003)
    depth=0 CN = localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = localhost
    verify return:1
    ---
    Certificate chain
     0 s:/CN=localhost
       i:/CN=localhost
    ---
    Server certificate
    subject=/CN=localhost
    issuer=/CN=localhost
    ---
    No client certificate CA names sent
    Server Temp Key: DH, 2048 bits
    ---
    SSL handshake has read 1890 bytes and written 442 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.1
        Cipher    : DHE-RSA-AES128-SHA
        Session-ID: 02F8CB0E6E0BD370A7128C5DE27FC8B3A65A8C212FB91E3A389FB447CB651769
        Session-ID-ctx:
        Master-Key: 907B687CA8045DCEFB9A168316B6D47C12CC8C6F9EEAB6590427610BD4ACB00CACC2170CB80370EBBF15E5E32204C211
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:

    Compression: 1 (zlib compression)
    Start Time: 1509640881
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
    ---
    GET /index.txt HTTP/1.1
    HTTP/1.0 200 ok
    Content-type: text/plain

    'hello, world.'
    read:errno=0

Step 3: create key.log from

    Session-ID: 02F8CB0E6E0BD370A7128C5DE27FC8B3A65A8C212FB91E3A389FB447CB651769
    Master-Key: 907B687CA8045DCEFB9A168316B6D47C12CC8C6F9EEAB6590427610BD4ACB00CACC2170CB80370EBBF15E5E32204C211

The resulting key.log:

    CLIENT_RANDOM 02F8CB0E6E0BD370A7128C5DE27FC8B3A65A8C212FB91E3A389FB447CB651769 907B687CA8045DCEFB9A168316B6D47C12CC8C6F9EEAB6590427610BD4ACB00CACC2170CB80370EBBF15E5E32204C211

Step 4: point Wireshark SSL "(Pre)-Master-Secret log filename" to it.

Load the traffic with Wireshark. The SSL data frames are not decrypted.

The Wireshark SSL debug log:

    λ cat debug.log
    Wireshark SSL debug log

    Wireshark version: 2.4.2 (v2.4.2-0-gb6c63ae086)
    GnuTLS version:    3.4.11
    Libgcrypt version: 1.7.6


    dissect_ssl enter frame #463 (first time)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 100
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 95, ssl state 0x00
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100
    Calculating hash with offset 5 95
    ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

    dissect_ssl enter frame #465 (first time)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 1460
    ssl_try_set_version found version 0x0302 -> state 0x11
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 58, ssl state 0x11
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
    Calculating hash with offset 5 58
    ssl_try_set_version found version 0x0302 -> state 0x11
    ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
    ssl_set_cipher found CIPHER 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA -> state 0x17
    trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
      checking keylog line: # SSL/TLS secrets log file, generated by NSS
        unrecognized line
      checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
        matched client_random
    tls13_change_key TLS version 0x302 is not 1.3
    tls13_change_key TLS version 0x302 is not 1.3
      record: offset = 63, reported_length_remaining = 1397
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 777, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 11 offset 68 length 773 bytes, remaining 845
    Calculating hash with offset 68 777
    lookup(KeyID)[20]:
    | 73 ab d9 0c d6 09 d6 06 b9 d7 28 b9 25 12 85 bb |s.........(.%...|
    | c2 14 09 02                                     |....            |
    ssl_find_private_key_by_pubkey: lookup result: 0000000000000000
      record: offset = 845, reported_length_remaining = 615
      need_desegmentation: offset = 845, reported_length_remaining = 615

    dissect_ssl enter frame #466 (first time)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 786
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 781, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 12 offset 5 length 777 bytes, remaining 786
    Calculating hash with offset 5 781

    dissect_ssl enter frame #466 (first time)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 9
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 4, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 14 offset 5 length 0 bytes, remaining 9
    Calculating hash with offset 5 4

    dissect_ssl enter frame #468 (first time)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 342
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 262, ssl state 0x17
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
    Calculating hash with offset 5 262
    trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
    ssl_load_keyfile file got deleted, trying to re-open
      checking keylog line: # SSL/TLS secrets log file, generated by NSS
        unrecognized line
      checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
        matched client_random
    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
    ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
    dissect_ssl3_handshake can't generate pre master secret
      record: offset = 267, reported_length_remaining = 75
    dissect_ssl3_record: content_type 20 Change Cipher Spec
    decrypt_ssl3_record: app_data len 1, ssl state 0x17
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
    ssl_load_keyfile file got deleted, trying to re-open
      checking keylog line: # SSL/TLS secrets log file, generated by NSS
        unrecognized line
      checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
        matched client_random
    ssl_finalize_decryption state = 0x17
    ssl_restore_master_key can't restore master secret using an empty Session ID
    ssl_restore_master_key can't find master secret by Client Random
      Cannot find master secret
    packet_from_server: is from server - FALSE
    ssl_change_cipher CLIENT
      record: offset = 273, reported_length_remaining = 69
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 64, ssl state 0x17
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 103 offset 278 length 7643659 bytes, remaining 342

    dissect_ssl enter frame #470 (first time)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 250
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 170, ssl state 0x17
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
    Calculating hash with offset 5 170
    ssl_save_master_key not saving empty (pre-)master secret for Session Ticket!
      record: offset = 175, reported_length_remaining = 75
    dissect_ssl3_record: content_type 20 Change Cipher Spec
    decrypt_ssl3_record: app_data len 1, ssl state 0x417
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    ssl_dissect_change_cipher_spec Not using Session resumption
    trying to use SSL keylog in C:\Users\ebinshe\sslkeylogfile.log
    ssl_load_keyfile file got deleted, trying to re-open
      checking keylog line: # SSL/TLS secrets log file, generated by NSS
        unrecognized line
      checking keylog line: CLIENT_RANDOM DCD58E1764FDC7A5EA5BC169ED4C96C0D6661120F8A02E96D524F33C155DB934 4DF856122B924EC0E5CA53F1DCE0C95F1FEC1E315E552619DCB5E3963DCAD47A41FF301BAEA33743FADD2E636A0A1D52
        matched client_random
    ssl_finalize_decryption state = 0x417
    ssl_restore_master_key can't restore master secret using an empty Session ID
    ssl_restore_master_key can't find master secret by Client Random
      Cannot find master secret
    packet_from_server: is from server - TRUE
    ssl_change_cipher SERVER
      record: offset = 181, reported_length_remaining = 69
    dissect_ssl3_record: content_type 22 Handshake
    decrypt_ssl3_record: app_data len 64, ssl state 0x417
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available
    dissect_ssl3_handshake iteration 1 type 83 offset 186 length 7227761 bytes, remaining 250

    dissect_ssl enter frame #472 (first time)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 85
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 80, ssl state 0x417
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available

    dissect_ssl enter frame #474 (first time)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 117
    dissect_ssl3_record: content_type 23 Application Data
    decrypt_ssl3_record: app_data len 112, ssl state 0x417
    packet_from_server: is from server - TRUE
    decrypt_ssl3_record: using server decoder
    decrypt_ssl3_record: no decoder available

    dissect_ssl enter frame #478 (first time)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 000000000836DF80
      record: offset = 0, reported_length_remaining = 53
    dissect_ssl3_record: content_type 21 Alert
    decrypt_ssl3_record: app_data len 48, ssl state 0x417
    packet_from_server: is from server - FALSE
    decrypt_ssl3_record: using client decoder
    decrypt_ssl3_record: no decoder available

    dissect_ssl enter frame #463 (already visited)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 100
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 1 offset 5 length 91 bytes, remaining 100

    dissect_ssl enter frame #465 (already visited)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 1460
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
      record: offset = 63, reported_length_remaining = 1397
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 11 offset 68 length 773 bytes, remaining 845
      record: offset = 845, reported_length_remaining = 615
      need_desegmentation: offset = 845, reported_length_remaining = 615

    dissect_ssl enter frame #466 (already visited)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 786
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 12 offset 5 length 777 bytes, remaining 786

    dissect_ssl enter frame #466 (already visited)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 9
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 14 offset 5 length 0 bytes, remaining 9

    dissect_ssl enter frame #468 (already visited)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 342
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
      record: offset = 267, reported_length_remaining = 75
    dissect_ssl3_record: content_type 20 Change Cipher Spec
      record: offset = 273, reported_length_remaining = 69
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 103 offset 278 length 7643659 bytes, remaining 342

    dissect_ssl enter frame #470 (already visited)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 250
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
      record: offset = 175, reported_length_remaining = 75
    dissect_ssl3_record: content_type 20 Change Cipher Spec
      record: offset = 181, reported_length_remaining = 69
    dissect_ssl3_record: content_type 22 Handshake
    dissect_ssl3_handshake iteration 1 type 83 offset 186 length 7227761 bytes, remaining 250

    dissect_ssl enter frame #472 (already visited)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 85
    dissect_ssl3_record: content_type 23 Application Data

    dissect_ssl enter frame #474 (already visited)
    packet_from_server: is from server - TRUE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 117
    dissect_ssl3_record: content_type 23 Application Data

    dissect_ssl enter frame #478 (already visited)
    packet_from_server: is from server - FALSE
      conversation = 000000000836D550, ssl_session = 0000000000000000
      record: offset = 0, reported_length_remaining = 53
    dissect_ssl3_record: content_type 21 Alert


1 Answers


OK, I found the clue myself. Even the most current OpenSSL version, i.e. 1.1.0f, does not support the key log. Simply taking Session-ID and Master-Key from the log doesn't work. The new option -keylogfile will most probably be supported in the next version of OpenSSL. See the following for more details.

    c:\Program Files (x86)\OpenSSL-Win32\bin
    λ .\openssl.exe version -a
    OpenSSL 1.1.0f  25 May 2017
    built on: reproducible build, date unspecified
    platform:
    compiler: cl " "VC-WIN32
    OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"
    ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"

    c:\Program Files (x86)\OpenSSL-Win32\bin
    λ which openssl
    c:\Program Files (x86)\OpenSSL-Win32\bin
    λ "c:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe" s_client -crlf  -connect localhost:4433 -keylogfile c:\Users\ebinshe\keylogfile.log
    s_client: Option unknown option -keylogfile
    s_client: Use -help for summary.

    c:\Program Files (x86)\OpenSSL-Win32\bin
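
An added example, not part of the original question or answer: in the NSS key log format the value after `CLIENT_RANDOM` is the 32-byte random from the ClientHello, so a hand-built line can be checked against the capture before loading it into Wireshark. The record bytes, master secret and session ID below are constructed sample values, and all function names are hypothetical.

```python
import re
import struct

# NSS key log line: label, 32-byte client random, 48-byte master secret (hex).
KEYLOG_RE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")


def parse_client_hello(record: bytes) -> dict:
    """Return the client random and session ID from one raw TLS record
    that carries a ClientHello (TLS 1.0-1.2 layout)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version(2) + random(32) + session_id length(1)
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    if 35 + sid_len > len(hello):
        raise ValueError("truncated session ID")
    return {
        "client_random": hello[2:34].hex(),
        "session_id": hello[35:35 + sid_len].hex(),
    }


def load_keylog(text: str) -> dict:
    """Map client random -> master secret, skipping comments and other lines."""
    secrets = {}
    for line in text.splitlines():
        m = KEYLOG_RE.match(line.strip())
        if m:
            secrets[m.group(1).lower()] = m.group(2).lower()
    return secrets


def find_master_secret(keylog_text: str, client_hello_record: bytes):
    """Look the capture's client random up in the key log; None if absent."""
    hello = parse_client_hello(client_hello_record)
    return load_keylog(keylog_text).get(hello["client_random"])


def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.1 ClientHello: empty session ID, one cipher suite."""
    random = bytes(range(32))
    hello = b"\x03\x02" + random + b"\x00" + b"\x00\x02\x00\x33" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample values (not taken from the page).
SAMPLE_MASTER = "ab" * 48        # stands in for the Master-Key s_client prints
SAMPLE_SESSION_ID = "cd" * 32    # stands in for the Session-ID s_client prints

# Entry keyed by the ClientHello random: found for this capture.
GOOD_KEYLOG = ("# SSL/TLS secrets log file, generated by NSS\n"
               "CLIENT_RANDOM " + bytes(range(32)).hex() + " " + SAMPLE_MASTER)
# Well-formed entry keyed by the Session-ID: parses, but never matches.
BAD_KEYLOG = "CLIENT_RANDOM " + SAMPLE_SESSION_ID + " " + SAMPLE_MASTER

if __name__ == "__main__":
    record = build_sample_client_hello()
    print(parse_client_hello(record))
    print("keyed by client random:", find_master_secret(GOOD_KEYLOG, record))
    print("keyed by session ID:   ", find_master_secret(BAD_KEYLOG, record))
```

To run it against a real capture, pass the bytes of the first TLS record of the ClientHello frame (for example exported from Wireshark) in place of the constructed record.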