List: wireshark-users
Subject: Re: [Wireshark-users] HTTP/2 decryption with sslkeylog
From: Muhui Jiang <jiangmuhui () gmail ! com>
Date: 2017-08-22 15:03:38
Message-ID: CAF_eCerROFJTO+2LLghLTm+E7QE-sAQ1O7LiL3s2disegXfERA () mail ! gmail ! com
Hi All,
Almost half a year has passed since this thread was created. Tonight I
tried once again and I succeeded!!!
I can decode the SSL into HTTP/2 completely. Thanks Miroslav Rovis. Thanks
for your encouragement. Thanks everybody who gave me suggestions. I
would be very happy to help anyone in decoding the HTTP/2 traffic. And I
would also be happy to share my configurations.
Regards
Muhui
2017-01-19 21:03 GMT+08:00 Miroslav Rovis <miro.rovis@croatiafidelis.hr>:
> On 170119-11:56+0000, Graham Bloice wrote:
> > On 19 January 2017 at 06:38, Muhui Jiang <jiangmuhui@gmail.com> wrote:
> >
> > > Hi all
> > >
> > > Thanks for your replies, I just thought that I may not get a reply
> > > anymore.
> > >
> > > Thanks Miroslav Rovis. Thanks for your encouragement,
> You are welcome, Muhui!
>
> > > though I still
> > > didn't figure my problem out. I tried nearly one hundred times, which
> > > makes me doubt myself :(. But I will continue to work on this problem.
> > >
> > > I asked the same question on ask.wireshark.org before, but got no
> > > answer. I once saw someone who posted articles introducing HTTP/2
> > > decryption, which is nearly the same as SSL decryption. I tried, but failed.
> It may not be too late, if you go the way that Graham Bloice suggests
> below.
>
> > > Here I want to say again, anyone who has decrypted HTTP/2 successfully
> > > and completely, I hope to get your help to tell me your configurations
> > > and environments. Thank you so much.
> I haven't, because I disable HTTP2/SPDY, but I have been posting
> complete or near complete (usually only when I need to remove
> frame.number's with passwords) traces (less important, but appealing to
> non-experts: along with screencasts), and surely along with the
> corresponding part of the $SSLKEYLOGFILE's at (my NGO's website):
> http://www.croatiafidelis.hr/foss/cap/
> (
> latest example being the directory:
> Secret Agent Palemoon Addon
> http://www.croatiafidelis.hr/foss/cap/cap-170117-SA/
> where I don't know if the (near) complete story, yet to follow, will be
> of much use to solve the issue in question there with the developer of
> the addon, which I needed to publish my attempt about contacting the
> dev at:
> Secret Agent issues
> https://forum.palemoon.org/viewtopic.php?f=50&t=14541
> > > Besides, do you think I need to post this question to the
> > > dev-mailing list, which may get an appropriate solution?
> > >
> > > Regards
> > > Muhui
> > >
> > >
> > The dev mailing list is for development questions so wouldn't generally
> > be appropriate for this type of question unless it turns out to be a bug.
> >
> > As all Wireshark contributors, bar Gerald, are volunteers on the project
> > our ability to respond to user questions, or bugs or anything else is
> > limited by our time, our abilities and our curiosity.
> >
> > In this particular case it would seem that no-one else has a capture of
> > TLS encrypted HTTP2 traffic with the associated keylog so that the decryption
> > could be tested.
>
> This is what I have been doing on my NGO's website that I linked
> above:
> > Providing such a capture and keylog and the Wireshark ssl
> > debug log along with question is much more likely to get a response.
> That above is important!
> ( Essentially, for any lurking readers, go from:
> https://wiki.wireshark.org/SSL
> and you can also use my:
> https://github.com/miroR/tshark-streams once you setup keylogging ;-) )
>
> > The docs aren't very clear on the use of the ssl debug log, but it's
> > set in the SSL dissector preferences.
> >
> > Fundamentally, I don't think using HTTP2 is any different to HTTP as far
> > as TLS decryption is concerned and as decryption of that works the
> > probability is that there's something wrong in the originator's decryption setup.
> Another important point above!
>
> And the below is, at this stage, above me ;-) . Well, also because I'm
> out of time...
> > Pre-master secret decryption is part of the tests run for every build
> > resulting from a Wireshark commit to the source repository, e.g.
> > https://buildbot.wireshark.org/wireshark-master/builders/Windows%20Server%202012%20R2%20x64/builds/2660/steps/test.sh/logs/stdio
> > (look for Section 6 decryption).
> >
> >
> > >
> > > 2017-01-19 10:00 GMT+08:00 Miroslav Rovis <miro.rovis@croatiafidelis.hr>:
> > >
> > >> On 170118-18:51+0000, Graham Bloice wrote:
> > >> > On 18 January 2017 at 18:43, Jim Aragon <Jim@agdatasystems.com> wrote:
> > >> >
> > >> > > At 09:39 AM 1/18/2017, you wrote:
> > >> > >
> > >> > > >(Not much at all from me, but...)
> > >> > > >But for some reason, it seems the talk has gone elsewhere, or that
> > >> > > >lots of people are even afraid to learn what is really happening within
> > >> > > >their machines when on the internet...
> > >> > >
> > >> > > You're right, the talk has gone elsewhere. Specifically, almost everyone
> > >> > > who used to monitor the mailing list has moved to the Wireshark Question
> > >> > > and Answer site, ask.wireshark.org. That's now a better place for asking
> > >> > > Wireshark questions, and you are much more likely to get an answer there.
> > >> > >
> > >> > >
> > >> > Where the appropriate question is:
> > >> > https://ask.wireshark.org/questions/58758/http2-decrytion-with-sslkeylog
> > >> and where it hasn't received any replies yet either ;-)
> > >>
> > >> I've watched not a small number of videos from Wireshark people
> > >> recently, and I have to say I've become all the more of a fan of people
> > >> who make the reading of the network available to all the end users of
> > >> the world who are not afraid of learning.
> > >>
> > >> I'm (almost) 60 and I don't memorize names and events/procedures/facts
> > >> unless I re-read/re-view/re-talk on the subject of the memorization,
> > >> but...
> > >>
> > >> But I just very much like Gerald who invented Wireshark...
> > >>
> > >> And the CEO of the Riverbed (the Yankees fan and the baseball judge) is
> > >> great too (God, what a fascinating pedagogical, heuristical, simple but
> > >> comprising explanations!)... Terribly intriguing that he doesn't like
> > >> coloring in Wireshark ;-) !
> > >>
> > >> And the guy that currently works on the anonymization program, and who
> > >> is a good English speaker but is German/Austrian/<some-other-Teutonic>
> > >> national (originally)...
> > >>
> > >> And the guy I think, who in 2014(?) made Wireshark decrypt SSL! Sake
> > >> Blok or so? The Dutch scuba diver...
> > >>
> > >> And the other one who Evangelically (in the non-denominative Christian
> > >> way) gave everything to the poor, and now came back and works, and still
> > >> doesn't even have the car or a house of his own... but is so happy!
> > >>
> > >> And the Japanese girl...
> > >>
> > >> And the others... I've currently little time, I sure always dump local
> > >> traces (local till I find the money to do it properly, even running
> > >> another machine for tracing is too costly at this time...)... Always,
> > >> but only, that... And I have too little time right now to
> > >> re-read/re-view as I said above that I need...
> > >>
> > >> And I'm glad that the company is doing great!
> > >>
> > >> Regards to everybody!
> > >> --
> > >> Miroslav Rovis
> > >> Zagreb, Croatia
> > >> http://www.CroatiaFidelis.hr
> > >>
> > >>
> >
> >
> > --
> > Graham Bloice
>
> So you too are a dev! It would take me many more years of hard work to
> become one, but I admire you guys and gals! Thank you for your kindness!
>
> And I wish Muhui good luck in, if that is the underlying issue, getting
> the setup right, and then getting the necessary support!
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
>
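The recurring diagnosis in this thread is a broken decryption setup rather than anything HTTP/2-specific, so the following added example (not from the thread, and not Wireshark's own tooling) sanity-checks the key log file named by SSLKEYLOGFILE before it is handed to the SSL dissector. The sample key log lines are constructed and match no real session; the tshark preference names in the trailing comment are the Wireshark 2.x ones.

```shell
#!/bin/sh
# Added example, not from the thread: validate an NSS-format key log (the file
# browsers write when SSLKEYLOGFILE is set) before pointing Wireshark at it.
# The dissector silently skips lines it cannot parse, so a damaged log gives
# the same "nothing decrypts" symptom as a wrong dissector setup.
#
# Formats checked (what SSLKEYLOGFILE-capable clients emit):
#   CLIENT_RANDOM <64 hex client random> <96 hex master secret>     TLS <= 1.2
#   RSA <16 hex encrypted-PMS prefix> <96 hex premaster secret>     old NSS
#   <TLS 1.3 label> <64 hex client random> <64 or 96 hex secret>    TLS 1.3
# Wireshark also accepts other forms (e.g. "RSA Session-ID:" lines written by
# openssl s_client) that this check does not cover.

# check_keylog FILE: prints a summary, returns 0 if every entry is well-formed.
check_keylog() {
    awk '
        function ishex(s, n) { return length(s) == n && s ~ /^[0-9a-fA-F]+$/ }
        /^#/ || NF == 0 { next }                       # comments and blank lines
        $1 == "CLIENT_RANDOM" && NF == 3 && ishex($2, 64) && ishex($3, 96) { tls12++; next }
        $1 == "RSA"           && NF == 3 && ishex($2, 16) && ishex($3, 96) { tls12++; next }
        $1 ~ /^(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET|EARLY_EXPORTER_MASTER_SECRET)$/ &&
            NF == 3 && ishex($2, 64) && (ishex($3, 64) || ishex($3, 96)) { tls13++; next }
        { bad++; printf "line %d: malformed key log entry: %s\n", NR, $0 > "/dev/stderr" }
        END {
            printf "%d TLS<=1.2 sessions, %d TLS 1.3 secret lines, %d malformed lines\n", tls12, tls13, bad
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample lines (not from any real session).
h16=0123456789abcdef
crand="$h16$h16$h16$h16"                      # 32-byte client random as 64 hex chars
master="$h16$h16$h16$h16$h16$h16"             # 48-byte master secret as 96 hex chars

workdir=$(mktemp -d)
printf '# key log written by a browser\nCLIENT_RANDOM %s %s\nCLIENT_TRAFFIC_SECRET_0 %s %s\n' \
    "$crand" "$master" "$crand" "$crand" > "$workdir/good.log"
# A hand-edited copy with the master secret truncated: Wireshark would ignore it.
printf 'CLIENT_RANDOM %s %s\n' "$crand" "${master%????}" > "$workdir/bad.log"

for f in good bad; do
    if check_keylog "$workdir/$f.log"; then echo "$f.log: ok"; else echo "$f.log: fix before asking"; fi
done

# Once the log passes, feed it to the (Wireshark 2.x) SSL dissector together with
# the ssl debug log mentioned in the thread, and filter for HTTP/2 frames:
#   tshark -r capture.pcapng -o ssl.keylog_file:"$workdir/good.log" \
#          -o ssl.debug_file:ssl-debug.txt -Y http2
# Wireshark 3.x renamed these preferences to tls.keylog_file and tls.debug_file.
```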
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@wireshark.org?subject=unsubscribe