From d697faf7ded0c279954dad247a02516b40f89347 Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Sat, 14 Sep 2013 23:13:48 +0200 Subject: Initial commit of notes, dumps and scripts --- tls/works/debug.txt | 2685 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2685 insertions(+) create mode 100644 tls/works/debug.txt (limited to 'tls/works/debug.txt') diff --git a/tls/works/debug.txt b/tls/works/debug.txt new file mode 100644 index 0000000..99bf4ef --- /dev/null +++ b/tls/works/debug.txt @@ -0,0 +1,2685 @@ +Wireshark SSL debug log + + +dissect_ssl enter frame #4 (first time) +ssl_session_init: initializing ptr 0x7fb94d3c6060 size 688 + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 317, ssl state 0x00 +association_find: TCP port 40347 found (nil) +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 +packet_from_server: is from server - FALSE +ssl_find_private_key server 127.0.0.1:4434 +ssl_find_private_key can't find private key for this server! Try it again with universal port 0 +ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 +ssl_find_private_key can't find any private key! +dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 + +dissect_ssl enter frame #6 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 1224 +dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 58, ssl state 0x11 +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63 +dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 +ssl_restore_session can't find stored session +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 +found master secret in key log + cannot find master secret in keylog file either +dissect_ssl3_hnd_srv_hello found CIPHER 0x0003 -> state 0x37 +dissect_ssl3_hnd_srv_hello trying to generate keys +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| ed 64 02 ea bf a6 51 b2 8a 7b 44 ed 8c ce 91 36 |.d....Q..{D....6| +| 1d 01 45 ca 64 3f 91 d8 dd d9 d1 c8 ea 62 c2 38 |..E.d?.......b.8| +| ba 78 14 6f b9 77 98 33 28 20 cd 9f 39 2a cf f8 |.x.o.w.3( ..9*..| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6d 86 8d e8 40 97 da ee 7e 21 c4 1d 2e 9f e9 60 |m...@...~!.....`| +| 5f 05 b0 ce af 7e b7 95 8c 33 42 3f d5 52 34 c6 |_....~...3B?.R4.| +| 6d 51 c0 ad 1d 27 eb 8b e3 ed 76 ef e3 20 9e 04 |mQ...'....v.. ..| +| bf 7d 80 68 42 d6 30 12 05 8e d5 0e 60 |.}.hB.0.....` | +hash out[64]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +| 2a d2 9d 68 d8 4d fc b6 f8 ae f6 7d 29 23 7b 58 |*..h.M.....})#{X| +| 73 d5 c9 e2 a2 cc b6 d3 a4 64 9e 1f 95 67 7f d6 |s........d...g..| +PRF out[64]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +| 2a d2 9d 68 d8 4d fc b6 f8 ae f6 7d 29 23 7b 58 |*..h.M.....})#{X| +| 73 d5 c9 e2 a2 cc b6 d3 a4 64 9e 1f 95 67 7f d6 |s........d...g..| +key expansion[64]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +| 2a d2 9d 68 d8 4d fc b6 f8 ae f6 7d 29 23 7b 58 |*..h.M.....})#{X| +| 73 d5 c9 e2 a2 cc b6 d3 a4 64 9e 1f 95 67 7f d6 |s........d...g..| +ssl_generate_keyring_material PRF(key_c) +tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 ) +tls_hash: hash secret[5]: +| 2a d2 9d 68 d8 |*..h. | +tls_hash: hash seed[80]: +| 63 6c 69 65 6e 74 20 77 72 69 74 65 20 6b 65 79 |client write key| +| 52 34 c6 6d 51 c0 ad 1d 27 eb 8b e3 ed 76 ef e3 |R4.mQ...'....v..| +| 20 9e 04 bf 7d 80 68 42 d6 30 12 05 8e d5 0e 60 | ...}.hB.0.....`| +| 52 34 c6 6d 86 8d e8 40 97 da ee 7e 21 c4 1d 2e |R4.m...@...~!...| +| 9f e9 60 5f 05 b0 ce af 7e b7 95 8c 33 42 3f d5 |..`_....~...3B?.| +hash out[32]: +| f6 18 55 a9 d8 a5 1f e2 96 e5 02 ff 4d 42 92 12 |..U.........MB..| +| 1b 9f e0 5e 3f 41 c2 cc b2 f4 b2 24 73 26 c3 34 |...^?A.....$s&.4| +PRF out[32]: +| f6 18 55 a9 d8 a5 1f e2 96 e5 02 ff 4d 42 92 12 |..U.........MB..| +| 1b 9f e0 5e 3f 41 c2 cc b2 f4 b2 24 73 26 c3 34 |...^?A.....$s&.4| +ssl_generate_keyring_material PRF(key_s) +tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 ) +tls_hash: hash secret[5]: +| 4d fc b6 f8 ae |M.... | +tls_hash: hash seed[80]: +| 73 65 72 76 65 72 20 77 72 69 74 65 20 6b 65 79 |server write key| +| 52 34 c6 6d 51 c0 ad 1d 27 eb 8b e3 ed 76 ef e3 |R4.mQ...'....v..| +| 20 9e 04 bf 7d 80 68 42 d6 30 12 05 8e d5 0e 60 | ...}.hB.0.....`| +| 52 34 c6 6d 86 8d e8 40 97 da ee 7e 21 c4 1d 2e |R4.m...@...~!...| +| 9f e9 60 5f 05 b0 ce af 7e b7 95 8c 33 42 3f d5 |..`_....~...3B?.| +hash out[32]: +| 00 a7 c6 ef c0 d2 8b d1 78 25 98 b9 e9 d9 de f7 |........x%......| +| e5 b1 a7 86 b4 0b 6e 6b 9d e6 9f 66 e6 03 1a 15 |......nk...f....| +PRF out[32]: +| 00 a7 c6 ef c0 d2 8b d1 78 25 98 b9 e9 d9 de f7 |........x%......| +| e5 b1 a7 86 b4 0b 6e 6b 9d e6 9f 66 e6 03 1a 15 |......nk...f....| +Client MAC key[16]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +Server MAC key[16]: +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +Client Write key[16]: +| f6 18 55 a9 d8 a5 1f e2 96 e5 02 ff 4d 42 92 12 |..U.........MB..| +Server Write key[16]: +| 00 a7 c6 ef c0 d2 8b d1 78 25 98 b9 e9 d9 de f7 |........x%......| +Client Write IV[8]: +| 01 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 52 11 00 00 00 00 00 00 |R....... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material: client seq 0, server seq 0 + record: offset = 63, reported_length_remaining = 1161 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 807, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875 + record: offset = 875, reported_length_remaining = 349 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 335, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 12 offset 880 length 331 bytes, remaining 1215 + record: offset = 1215, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 4, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 14 offset 1220 length 0 bytes, remaining 1224 + +dissect_ssl enter frame #8 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 118 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 70, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842... +looking for RSA pre-master16d2f55f7a48600295b03b793d314964da596512daf0f864... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 +found master secret in key log +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| ed 64 02 ea bf a6 51 b2 8a 7b 44 ed 8c ce 91 36 |.d....Q..{D....6| +| 1d 01 45 ca 64 3f 91 d8 dd d9 d1 c8 ea 62 c2 38 |..E.d?.......b.8| +| ba 78 14 6f b9 77 98 33 28 20 cd 9f 39 2a cf f8 |.x.o.w.3( ..9*..| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6d 86 8d e8 40 97 da ee 7e 21 c4 1d 2e 9f e9 60 |m...@...~!.....`| +| 5f 05 b0 ce af 7e b7 95 8c 33 42 3f d5 52 34 c6 |_....~...3B?.R4.| +| 6d 51 c0 ad 1d 27 eb 8b e3 ed 76 ef e3 20 9e 04 |mQ...'....v.. ..| +| bf 7d 80 68 42 d6 30 12 05 8e d5 0e 60 |.}.hB.0.....` | +hash out[64]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +| 2a d2 9d 68 d8 4d fc b6 f8 ae f6 7d 29 23 7b 58 |*..h.M.....})#{X| +| 73 d5 c9 e2 a2 cc b6 d3 a4 64 9e 1f 95 67 7f d6 |s........d...g..| +PRF out[64]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +| 2a d2 9d 68 d8 4d fc b6 f8 ae f6 7d 29 23 7b 58 |*..h.M.....})#{X| +| 73 d5 c9 e2 a2 cc b6 d3 a4 64 9e 1f 95 67 7f d6 |s........d...g..| +key expansion[64]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +| 2a d2 9d 68 d8 4d fc b6 f8 ae f6 7d 29 23 7b 58 |*..h.M.....})#{X| +| 73 d5 c9 e2 a2 cc b6 d3 a4 64 9e 1f 95 67 7f d6 |s........d...g..| +ssl_generate_keyring_material PRF(key_c) +tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 ) +tls_hash: hash secret[5]: +| 2a d2 9d 68 d8 |*..h. | +tls_hash: hash seed[80]: +| 63 6c 69 65 6e 74 20 77 72 69 74 65 20 6b 65 79 |client write key| +| 52 34 c6 6d 51 c0 ad 1d 27 eb 8b e3 ed 76 ef e3 |R4.mQ...'....v..| +| 20 9e 04 bf 7d 80 68 42 d6 30 12 05 8e d5 0e 60 | ...}.hB.0.....`| +| 52 34 c6 6d 86 8d e8 40 97 da ee 7e 21 c4 1d 2e |R4.m...@...~!...| +| 9f e9 60 5f 05 b0 ce af 7e b7 95 8c 33 42 3f d5 |..`_....~...3B?.| +hash out[32]: +| f6 18 55 a9 d8 a5 1f e2 96 e5 02 ff 4d 42 92 12 |..U.........MB..| +| 1b 9f e0 5e 3f 41 c2 cc b2 f4 b2 24 73 26 c3 34 |...^?A.....$s&.4| +PRF out[32]: +| f6 18 55 a9 d8 a5 1f e2 96 e5 02 ff 4d 42 92 12 |..U.........MB..| +| 1b 9f e0 5e 3f 41 c2 cc b2 f4 b2 24 73 26 c3 34 |...^?A.....$s&.4| +ssl_generate_keyring_material PRF(key_s) +tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 ) +tls_hash: hash secret[5]: +| 4d fc b6 f8 ae |M.... | +tls_hash: hash seed[80]: +| 73 65 72 76 65 72 20 77 72 69 74 65 20 6b 65 79 |server write key| +| 52 34 c6 6d 51 c0 ad 1d 27 eb 8b e3 ed 76 ef e3 |R4.mQ...'....v..| +| 20 9e 04 bf 7d 80 68 42 d6 30 12 05 8e d5 0e 60 | ...}.hB.0.....`| +| 52 34 c6 6d 86 8d e8 40 97 da ee 7e 21 c4 1d 2e |R4.m...@...~!...| +| 9f e9 60 5f 05 b0 ce af 7e b7 95 8c 33 42 3f d5 |..`_....~...3B?.| +hash out[32]: +| 00 a7 c6 ef c0 d2 8b d1 78 25 98 b9 e9 d9 de f7 |........x%......| +| e5 b1 a7 86 b4 0b 6e 6b 9d e6 9f 66 e6 03 1a 15 |......nk...f....| +PRF out[32]: +| 00 a7 c6 ef c0 d2 8b d1 78 25 98 b9 e9 d9 de f7 |........x%......| +| e5 b1 a7 86 b4 0b 6e 6b 9d e6 9f 66 e6 03 1a 15 |......nk...f....| +Client MAC key[16]: +| 88 48 e5 50 2c 0b 2b 67 dd 0f f0 ea db 12 1e 9b |.H.P,.+g........| +Server MAC key[16]: +| 01 b9 55 f9 6b 64 3f 43 9b 4b 27 68 a2 3e 81 ef |..U.kd?C.K'h.>..| +Client Write key[16]: +| f6 18 55 a9 d8 a5 1f e2 96 e5 02 ff 4d 42 92 12 |..U.........MB..| +Server Write key[16]: +| 00 a7 c6 ef c0 d2 8b d1 78 25 98 b9 e9 d9 de f7 |........x%......| +Client Write IV[8]: +| 00 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 20 33 72 03 00 00 00 00 | 3r..... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material: client seq 0, server seq 0 +ssl_save_session stored session id[0]: +ssl_save_session stored master secret[48]: +| ed 64 02 ea bf a6 51 b2 8a 7b 44 ed 8c ce 91 36 |.d....Q..{D....6| +| 1d 01 45 ca 64 3f 91 d8 dd d9 d1 c8 ea 62 c2 38 |..E.d?.......b.8| +| ba 78 14 6f b9 77 98 33 28 20 cd 9f 39 2a cf f8 |.x.o.w.3( ..9*..| +dissect_ssl3_handshake session keys successfully generated + record: offset = 75, reported_length_remaining = 43 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - FALSE +ssl_change_cipher CLIENT + record: offset = 81, reported_length_remaining = 37 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 32, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 32 +Ciphertext[32]: +| 0c 86 a2 bc de 0d 24 3b 1d 1c 56 b8 d3 e9 73 05 |......$;..V...s.| +| ef 05 0a db 68 49 61 31 80 40 7b 58 62 30 ab 88 |....hIa1.@{Xb0..| +Plaintext[32]: +| 14 00 00 0c 8b 25 2d b9 b2 dd 96 62 d4 df 11 af |.....%-....b....| +| 99 f6 61 40 fd e5 7f 7d 95 f5 9b a6 24 2a e0 28 |..a@...}....$*.(| +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 99 f6 61 40 fd e5 7f 7d 95 f5 9b a6 24 2a e0 28 |..a@...}....$*.(| +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #9 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 218 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 170, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 43 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - TRUE +ssl_change_cipher SERVER + record: offset = 181, reported_length_remaining = 37 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 32, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 32 +Ciphertext[32]: +| 86 fb 19 42 20 48 8f e1 9a ca 86 72 f7 a0 1e 13 |...B H.....r....| +| 64 83 8e ac 3b 78 41 28 08 d8 c5 d5 e3 99 69 29 |d...;xA(......i)| +Plaintext[32]: +| 14 00 00 0c 4b dc 35 37 6a 7a 28 83 2b 72 4e 1d |....K.57jz(.+rN.| +| 57 c0 31 5f ae fa 7b 9b 9e 78 9e bc 53 9b fd 75 |W.1_..{..x..S..u| +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 57 c0 31 5f ae fa 7b 9b 9e 78 9e bc 53 9b fd 75 |W.1_..{..x..S..u| +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #10 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 86 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 81, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 81 +Ciphertext[81]: +| ad 37 80 c8 d6 8e 5a 85 2b b4 ad 33 89 9d 47 d5 |.7....Z.+..3..G.| +| d6 d6 34 87 6f ac 85 f6 10 df 66 1f f4 01 a4 00 |..4.o.....f.....| +| 60 ed 73 e6 bf 68 7a 36 64 b5 4a 7e 7f 09 fb cc |`.s..hz6d.J~....| +| 37 e7 1b 0b c4 78 05 7b e4 e9 e9 3d 82 98 da 03 |7....x.{...=....| +| d4 a0 4e 27 83 75 cf 75 c9 64 31 6c 77 36 11 cf |..N'.u.u.d1lw6..| +| 57 |W | +ssl_decrypt_record: allocating 113 bytes for decrypt data (old len 32) +Plaintext[81]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 78 70 2d 72 63 34 2d 6d 64 |Host: exp-rc4-md| +| 35 2e 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e |5.local.al.leken| +| 73 74 65 79 6e 2e 6e 6c 3a 34 34 33 34 0d 0a 0d |steyn.nl:4434...| +| 0a 0e f7 5e 2b 02 b1 83 6b 04 9b 7f f5 55 a5 77 |...^+...k....U.w| +| 99 |. | +checking mac (len 65, version 303, ct 23 seq 1) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 0e f7 5e 2b 02 b1 83 6b 04 9b 7f f5 55 a5 77 99 |..^+...k....U.w.| +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 65, seq = 0, nxtseq = 65 +association_find: TCP port 40347 found (nil) +association_find: TCP port 4434 found 0x33e0300 +dissect_ssl3_record decrypted len 65 +decrypted app data fragment[65]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 78 70 2d 72 63 34 2d 6d 64 |Host: exp-rc4-md| +| 35 2e 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e |5.local.al.leken| +| 73 74 65 79 6e 2e 6e 6c 3a 34 34 33 34 0d 0a 0d |steyn.nl:4434...| +| 0a |. | +dissect_ssl3_record found association 0x33e0300 + +dissect_ssl enter frame #11 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 376 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 371, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 371 +Ciphertext[371]: +| cc 91 10 b8 90 cc 5e 8d 25 8b fd fe c2 20 24 55 |......^.%.... $U| +| 81 95 ce 5d 0a 15 00 55 2d 51 93 a8 06 9a f6 ad |...]...U-Q......| +| b1 f5 65 38 ef a9 ec d2 ea 31 f0 36 e5 55 16 64 |..e8.....1.6.U.d| +| 10 7a be e9 7a 86 fe 86 42 2d e0 54 51 7a d2 d2 |.z..z...B-.TQz..| +| 8c 26 bc 7d f4 31 68 84 da d5 d1 e0 7c f5 8d b0 |.&.}.1h.....|...| +| 95 23 26 cf 3f a2 8e 99 47 72 70 52 06 c0 e6 a0 |.#&.?...GrpR....| +| ba 7e b6 88 b4 ac 22 8e dc fb b5 2e 42 41 68 97 |.~....".....BAh.| +| d7 43 88 3b fb b5 1d 88 35 71 b9 8a 4b 13 42 41 |.C.;....5q..K.BA| +| ce 25 7b 28 9a 9c 42 cf 10 5c 33 b1 18 36 21 50 |.%{(..B..\3..6!P| +| 32 7d 23 c4 eb 72 46 28 6b 0e f3 34 87 62 86 80 |2}#..rF(k..4.b..| +| 48 05 5e 3b 16 ce 79 e5 72 40 2a 98 05 c1 64 ac |H.^;..y.r@*...d.| +| fc d1 a2 4c 0e 9f a9 29 59 db b8 c1 70 8b 61 5c |...L...)Y...p.a\| +| 03 9f 35 32 81 22 f3 f6 3c 94 26 7a 9b 54 d6 c0 |..52."..<.&z.T..| +| 79 8e da 0f 0a ec 69 6d d8 20 c1 e4 a6 8e 32 38 |y.....im. ....28| +| f9 83 bc 24 bb 2d b4 fa 93 42 dc 28 14 ab a9 a0 |...$.-...B.(....| +| a3 b7 1a 26 bd 94 21 99 c2 f8 63 67 58 13 af 31 |...&..!...cgX..1| +| 2b a8 24 2c 26 74 db 2a 8a ed b6 c3 9d 8c 9b fb |+.$,&t.*........| +| 9c f7 35 da b2 0d 6a 0d 1e 47 98 7d 59 77 c9 04 |..5...j..G.}Yw..| +| bc 6b 23 3b 34 2d dc b1 dc e0 12 4d 8f 3b 94 8e |.k#;4-.....M.;..| +| ae 04 3a 7f 81 77 29 9c 36 ae cb 38 82 23 34 4c |..:..w).6..8.#4L| +| 26 47 66 1e a4 98 30 09 ef 04 e4 20 0c a0 8d 20 |&Gf...0.... ... | +| 04 30 2b 89 fd 8b 4e a5 c1 89 94 26 9c 8d ff 20 |.0+...N....&... | +| d0 4a 94 ca 14 77 83 82 3e f9 20 ea f6 79 dd d1 |.J...w..>. ..y..| +| 91 07 c4 |... | +ssl_decrypt_record: allocating 403 bytes for decrypt data (old len 113) +Plaintext[371]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:21 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 38 0d 0a 43 6f 6e 6e 65 63 74 |th: 148..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 33 20 2d 20 45 58 50 2d 52 |x00,0x03 - EXP-R| +| 43 34 2d 4d 44 35 20 20 20 20 20 20 20 20 20 20 |C4-MD5 | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 28 | SSLv3 Kx=RSA(| +| 35 31 32 29 20 41 75 3d 52 53 41 20 20 45 6e 63 |512) Au=RSA Enc| +| 3d 52 43 34 28 34 30 29 20 20 20 4d 61 63 3d 4d |=RC4(40) Mac=M| +| 44 35 20 20 65 78 70 6f 72 74 3c 73 63 72 69 70 |D5 exportdocument.domai| +| 6e 3d 27 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 |n='local.al.leke| +| 6e 73 74 65 79 6e 2e 6e 6c 27 3c 2f 73 63 72 69 |nsteyn.nl'RQH.._.......| +| 1a 50 21 |.P! | +checking mac (len 355, version 303, ct 23 seq 1) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 52 51 48 de ac 5f a5 8b e5 e5 c1 f4 cc 1a 50 21 |RQH.._........P!| +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 355, seq = 0, nxtseq = 355 +association_find: TCP port 4434 found 0x33e0300 +dissect_ssl3_record decrypted len 355 +decrypted app data fragment[355]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:21 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 38 0d 0a 43 6f 6e 6e 65 63 74 |th: 148..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 33 20 2d 20 45 58 50 2d 52 |x00,0x03 - EXP-R| +| 43 34 2d 4d 44 35 20 20 20 20 20 20 20 20 20 20 |C4-MD5 | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 28 | SSLv3 Kx=RSA(| +| 35 31 32 29 20 41 75 3d 52 53 41 20 20 45 6e 63 |512) Au=RSA Enc| +| 3d 52 43 34 28 34 30 29 20 20 20 4d 61 63 3d 4d |=RC4(40) Mac=M| +| 44 35 20 20 65 78 70 6f 72 74 3c 73 63 72 69 70 |D5 exportdocument.domai| +| 6e 3d 27 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 |n='local.al.leke| +| 6e 73 74 65 79 6e 2e 6e 6c 27 3c 2f 73 63 72 69 |nsteyn.nl' | +dissect_ssl3_record found association 0x33e0300 + +dissect_ssl enter frame #12 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 23 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 18, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 18 +Ciphertext[18]: +| da b3 f2 c9 8c 3c 23 e7 0f 61 46 08 02 c1 14 ec |.....<#..aF.....| +| 01 67 |.g | +Plaintext[18]: +| 01 00 7b 80 f5 df 00 d8 f2 a8 02 b5 7a 7e fc be |..{.........z~..| +| 3f e2 |?. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 7b 80 f5 df 00 d8 f2 a8 02 b5 7a 7e fc be 3f e2 |{.........z~..?.| +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #14 (first time) + conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060 + record: offset = 0, reported_length_remaining = 23 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 18, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 18 +Ciphertext[18]: +| 3e 1c db e3 72 3b 7c 18 86 42 c6 6f 1b 27 31 c3 |>...r;|..B.o.'1.| +| 41 bb |A. | +Plaintext[18]: +| 01 00 2c 86 c2 ee 63 29 9a ec dc 1a 88 62 52 cb |..,...c).....bR.| +| b0 63 |.c | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 2c 86 c2 ee 63 29 9a ec dc 1a 88 62 52 cb b0 63 |,...c).....bR..c| +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #19 (first time) +ssl_session_init: initializing ptr 0x7fb94d3c8990 size 688 + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 317, ssl state 0x00 +association_find: TCP port 46377 found (nil) +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 +packet_from_server: is from server - FALSE +ssl_find_private_key server 127.0.0.1:4435 +ssl_find_private_key can't find private key for this server! Try it again with universal port 0 +ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 +ssl_find_private_key can't find any private key! +dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 + +dissect_ssl enter frame #21 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 884 +dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 58, ssl state 0x11 +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63 +dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 +ssl_restore_session master key retrieved +dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x37 +dissect_ssl3_hnd_srv_hello trying to generate keys +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| ed 64 02 ea bf a6 51 b2 8a 7b 44 ed 8c ce 91 36 |.d....Q..{D....6| +| 1d 01 45 ca 64 3f 91 d8 dd d9 d1 c8 ea 62 c2 38 |..E.d?.......b.8| +| ba 78 14 6f b9 77 98 33 28 20 cd 9f 39 2a cf f8 |.x.o.w.3( ..9*..| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e d7 43 1a d3 74 c1 69 9d 8f 91 1d 24 10 70 e4 |n.C..t.i....$.p.| +| af d8 fb a7 c6 97 ae 5c 8f a1 2e c1 84 52 34 c6 |.......\.....R4.| +| 6e 95 f5 27 0d 00 e9 73 70 9a a0 b3 db d5 2a 80 |n..'...sp.....*.| +| 23 ca c5 5f f8 ff 18 26 2a b2 27 e6 98 |#.._...&*.'.. | +hash out[64]: +| 75 9d 34 2a 45 d0 b5 fe ba 21 1c 76 e1 6a f9 8e |u.4*E....!.v.j..| +| f0 d3 df 8d 29 15 15 6a a8 87 61 49 f8 44 7e be |....)..j..aI.D~.| +| 5e 80 2f 32 a8 36 cf 38 46 e4 98 ce 94 2b 9e 84 |^./2.6.8F....+..| +| 38 66 f5 b0 0f 16 2c df 3e 2f 61 fb 4a 44 ce ef |8f....,.>/a.JD..| +PRF out[64]: +| 75 9d 34 2a 45 d0 b5 fe ba 21 1c 76 e1 6a f9 8e |u.4*E....!.v.j..| +| f0 d3 df 8d 29 15 15 6a a8 87 61 49 f8 44 7e be |....)..j..aI.D~.| +| 5e 80 2f 32 a8 36 cf 38 46 e4 98 ce 94 2b 9e 84 |^./2.6.8F....+..| +| 38 66 f5 b0 0f 16 2c df 3e 2f 61 fb 4a 44 ce ef |8f....,.>/a.JD..| +key expansion[64]: +| 75 9d 34 2a 45 d0 b5 fe ba 21 1c 76 e1 6a f9 8e |u.4*E....!.v.j..| +| f0 d3 df 8d 29 15 15 6a a8 87 61 49 f8 44 7e be |....)..j..aI.D~.| +| 5e 80 2f 32 a8 36 cf 38 46 e4 98 ce 94 2b 9e 84 |^./2.6.8F....+..| +| 38 66 f5 b0 0f 16 2c df 3e 2f 61 fb 4a 44 ce ef |8f....,.>/a.JD..| +Client MAC key[16]: +| 75 9d 34 2a 45 d0 b5 fe ba 21 1c 76 e1 6a f9 8e |u.4*E....!.v.j..| +Server MAC key[16]: +| f0 d3 df 8d 29 15 15 6a a8 87 61 49 f8 44 7e be |....)..j..aI.D~.| +Client Write key[16]: +| 5e 80 2f 32 a8 36 cf 38 46 e4 98 ce 94 2b 9e 84 |^./2.6.8F....+..| +Server Write key[16]: +| 38 66 f5 b0 0f 16 2c df 3e 2f 61 fb 4a 44 ce ef |8f....,.>/a.JD..| +Client Write IV[8]: +| 01 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 60 e5 01 00 00 00 00 00 |`....... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material: client seq 0, server seq 0 + record: offset = 63, reported_length_remaining = 821 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 807, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875 + record: offset = 875, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 4, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 14 offset 880 length 0 bytes, remaining 884 + +dissect_ssl enter frame #23 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 310 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 262, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8... +looking for RSA pre-master5c7d85e3e032812cad681d5e723f7c6f8dcc01f2a94eeb76... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC +found master secret in key log +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 32 58 f4 4e b7 00 be 97 76 40 04 ac 92 33 9c ad |2X.N....v@...3..| +| a4 3e 24 15 9e 56 7b 8d 41 69 ad bb c6 48 5f 75 |.>$..V{.Ai...H_u| +| 6c 51 f9 52 72 0b 99 fc 81 e1 6f d7 5c a8 86 dc |lQ.Rr.....o.\...| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e d7 43 1a d3 74 c1 69 9d 8f 91 1d 24 10 70 e4 |n.C..t.i....$.p.| +| af d8 fb a7 c6 97 ae 5c 8f a1 2e c1 84 52 34 c6 |.......\.....R4.| +| 6e 95 f5 27 0d 00 e9 73 70 9a a0 b3 db d5 2a 80 |n..'...sp.....*.| +| 23 ca c5 5f f8 ff 18 26 2a b2 27 e6 98 |#.._...&*.'.. | +hash out[64]: +| da 31 4d ea 7a 15 1d 4b 84 5d b2 ff 1d 49 9e 57 |.1M.z..K.]...I.W| +| 04 6d 33 99 10 0a 59 46 99 8c 9d fb 9d ac 0a 6f |.m3...YF.......o| +| b2 4b 4b 1a e5 4a 4c 32 fb 82 c5 31 6b f0 74 80 |.KK..JL2...1k.t.| +| 84 a9 91 7d eb b4 b1 66 d5 64 4b da b2 d3 91 90 |...}...f.dK.....| +PRF out[64]: +| da 31 4d ea 7a 15 1d 4b 84 5d b2 ff 1d 49 9e 57 |.1M.z..K.]...I.W| +| 04 6d 33 99 10 0a 59 46 99 8c 9d fb 9d ac 0a 6f |.m3...YF.......o| +| b2 4b 4b 1a e5 4a 4c 32 fb 82 c5 31 6b f0 74 80 |.KK..JL2...1k.t.| +| 84 a9 91 7d eb b4 b1 66 d5 64 4b da b2 d3 91 90 |...}...f.dK.....| +key expansion[64]: +| da 31 4d ea 7a 15 1d 4b 84 5d b2 ff 1d 49 9e 57 |.1M.z..K.]...I.W| +| 04 6d 33 99 10 0a 59 46 99 8c 9d fb 9d ac 0a 6f |.m3...YF.......o| +| b2 4b 4b 1a e5 4a 4c 32 fb 82 c5 31 6b f0 74 80 |.KK..JL2...1k.t.| +| 84 a9 91 7d eb b4 b1 66 d5 64 4b da b2 d3 91 90 |...}...f.dK.....| +Client MAC key[16]: +| da 31 4d ea 7a 15 1d 4b 84 5d b2 ff 1d 49 9e 57 |.1M.z..K.]...I.W| +Server MAC key[16]: +| 04 6d 33 99 10 0a 59 46 99 8c 9d fb 9d ac 0a 6f |.m3...YF.......o| +Client Write key[16]: +| b2 4b 4b 1a e5 4a 4c 32 fb 82 c5 31 6b f0 74 80 |.KK..JL2...1k.t.| +Server Write key[16]: +| 84 a9 91 7d eb b4 b1 66 d5 64 4b da b2 d3 91 90 |...}...f.dK.....| +Client Write IV[8]: +| 00 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 40 35 72 03 00 00 00 00 |@5r..... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 16) +ssl_generate_keyring_material: client seq 0, server seq 0 +ssl_save_session stored session id[0]: +ssl_save_session stored master secret[48]: +| 32 58 f4 4e b7 00 be 97 76 40 04 ac 92 33 9c ad |2X.N....v@...3..| +| a4 3e 24 15 9e 56 7b 8d 41 69 ad bb c6 48 5f 75 |.>$..V{.Ai...H_u| +| 6c 51 f9 52 72 0b 99 fc 81 e1 6f d7 5c a8 86 dc |lQ.Rr.....o.\...| +dissect_ssl3_handshake session keys successfully generated + record: offset = 267, reported_length_remaining = 43 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - FALSE +ssl_change_cipher CLIENT + record: offset = 273, reported_length_remaining = 37 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 32, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 32 +Ciphertext[32]: +| cd 13 7c 44 06 c1 d8 20 05 68 18 b9 19 de fa 2c |..|D... .h.....,| +| fc 7f 56 52 9e fa dd 4d f0 66 f6 2b 82 74 35 c8 |..VR...M.f.+.t5.| +Plaintext[32]: +| 14 00 00 0c 1c c5 ec 96 91 37 21 ff b5 78 8b 2c |.........7!..x.,| +| 9a 85 7c 30 84 d1 50 9e 7c 94 20 06 eb 82 a0 b5 |..|0..P.|. .....| +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 9a 85 7c 30 84 d1 50 9e 7c 94 20 06 eb 82 a0 b5 |..|0..P.|. .....| +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #24 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 218 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 170, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 43 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - TRUE +ssl_change_cipher SERVER + record: offset = 181, reported_length_remaining = 37 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 32, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 32 +Ciphertext[32]: +| 37 a4 a3 75 8d 1d 58 aa 31 e1 9a ee ce 24 67 90 |7..u..X.1....$g.| +| d7 e8 17 68 54 f3 2a 3f 6e bb 0f 3a 09 bd 6d f5 |...hT.*?n..:..m.| +Plaintext[32]: +| 14 00 00 0c 26 c6 0d b2 a4 e4 c2 16 2f dc 1b be |....&......./...| +| b5 5b 3e 15 e5 0a ff 69 76 a9 a6 e4 9a ee ea eb |.[>....iv.......| +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| b5 5b 3e 15 e5 0a ff 69 76 a9 a6 e4 9a ee ea eb |.[>....iv.......| +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #25 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 82 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 77, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 77 +Ciphertext[77]: +| 80 11 09 85 d8 83 32 e1 3e a9 fc 2c 6c 54 e3 04 |......2.>..,lT..| +| ed 3e ec 67 32 db c4 98 61 87 84 97 5d a5 c0 10 |.>.g2...a...]...| +| 7b a3 6a 5d 1a 3a 10 cb d7 1b 6d ca 84 18 e2 ec |{.j].:....m.....| +| 16 45 42 25 cb cf 97 21 4b 17 6c 6c 5a 4c db a2 |.EB%...!K.llZL..| +| 5d c5 79 64 8f c5 48 55 6e 8e a6 d0 5b |].yd..HUn...[ | +Plaintext[77]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 72 63 34 2d 6d 64 35 2e 6c 6f |Host: rc4-md5.lo| +| 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| +| 6e 2e 6e 6c 3a 34 34 33 35 0d 0a 0d 0a df 81 bb |n.nl:4435.......| +| cf b7 ed 05 96 13 fa 20 77 15 a8 f4 5f |....... w..._ | +checking mac (len 61, version 303, ct 23 seq 1) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| df 81 bb cf b7 ed 05 96 13 fa 20 77 15 a8 f4 5f |.......... w..._| +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 61, seq = 0, nxtseq = 61 +association_find: TCP port 46377 found (nil) +association_find: TCP port 4435 found 0x340ba90 +dissect_ssl3_record decrypted len 61 +decrypted app data fragment[61]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 72 63 34 2d 6d 64 35 2e 6c 6f |Host: rc4-md5.lo| +| 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| +| 6e 2e 6e 6c 3a 34 34 33 35 0d 0a 0d 0a |n.nl:4435.... | +dissect_ssl3_record found association 0x340ba90 + +dissect_ssl enter frame #26 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 368 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 363, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 363 +Ciphertext[363]: +| 9d 31 a9 72 6f 31 65 cc e6 0f dd 06 e9 c4 90 46 |.1.ro1e........F| +| bf e9 b2 ff 35 5d ad 46 f0 94 78 48 8b 35 c3 b7 |....5].F..xH.5..| +| ee 74 62 6c 42 68 91 39 4b 6e e2 18 eb 9b 3b 86 |.tblBh.9Kn....;.| +| 08 40 0a 6a 2a 52 68 14 45 9d 2b 68 6c 82 c3 df |.@.j*Rh.E.+hl...| +| e2 1e 02 f5 2f 73 4e 2c 01 72 35 7d bd 5c 82 84 |..../sN,.r5}.\..| +| c4 9e 8b f2 68 0c df 27 43 1e 3d d8 90 37 a6 0b |....h..'C.=..7..| +| 49 65 15 16 de 89 a1 68 be 58 b5 13 8f 8e ea e5 |Ie.....h.X......| +| f1 1e bf e5 76 73 f5 f8 a3 98 17 01 ed 26 92 2f |....vs.......&./| +| 82 d2 26 57 b0 25 5e f5 80 d0 8b c9 c0 50 a4 f9 |..&W.%^......P..| +| 1e a9 a6 fd 68 51 4b 03 31 ca 66 64 6b 99 e4 92 |....hQK.1.fdk...| +| 30 5d e0 40 54 53 a9 17 7d 6a 29 03 78 46 0f 54 |0].@TS..}j).xF.T| +| e5 da b9 26 09 1b 1f d5 91 d7 c8 27 74 ab 5a d4 |...&.......'t.Z.| +| 08 d3 4a 68 fc 66 8c d5 04 17 fc 26 29 d7 f4 e6 |..Jh.f.....&)...| +| 8c 36 cc f0 36 4e 58 92 39 2e 7f 02 5c 0e 14 f7 |.6..6NX.9...\...| +| 71 36 4a 52 77 66 c5 bf ce 6d b4 ae 1a 6a a4 c3 |q6JRwf...m...j..| +| 34 c2 ad e2 e0 b2 bd c4 40 80 2c 75 30 b4 d7 ca |4.......@.,u0...| +| e9 43 23 b9 df f8 83 ec 4c 39 0c 57 ca b9 be 93 |.C#.....L9.W....| +| a4 72 b8 50 ad 70 e1 0d a8 06 be 5c fb 49 eb 20 |.r.P.p.....\.I. | +| 91 8c 13 b4 20 d3 85 be f3 7b ef fa d6 70 fa 7e |.... ....{...p.~| +| 02 55 69 2e a2 48 2c ff 43 95 a8 4e ce 77 04 3f |.Ui..H,.C..N.w.?| +| cc 33 58 1a 48 0e 61 09 e2 01 dc ae 0a e2 21 bd |.3X.H.a.......!.| +| cd c1 45 41 fa 1d c6 b4 59 54 d7 ea 14 b8 17 e9 |..EA....YT......| +| 4e f2 e3 1d 3e df 76 62 76 0d 56 |N...>.vbv.V | +Plaintext[363]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 30 0d 0a 43 6f 6e 6e 65 63 74 |th: 140..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 34 20 2d 20 52 43 34 2d 4d |x00,0x04 - RC4-M| +| 44 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |D5 | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | +| 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| +| 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 4d |=RC4(128) Mac=M| +| 44 35 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 |D5K.8.e| +| 25 b2 1d 2b 29 2c ec 29 84 d6 e4 |%..+),.)... | +checking mac (len 347, version 303, ct 23 seq 1) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| 4b 9b 38 c6 65 25 b2 1d 2b 29 2c ec 29 84 d6 e4 |K.8.e%..+),.)...| +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 347, seq = 0, nxtseq = 347 +association_find: TCP port 4435 found 0x340ba90 +dissect_ssl3_record decrypted len 347 +decrypted app data fragment[347]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 30 0d 0a 43 6f 6e 6e 65 63 74 |th: 140..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 34 20 2d 20 52 43 34 2d 4d |x00,0x04 - RC4-M| +| 44 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |D5 | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | +| 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| +| 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 4d |=RC4(128) Mac=M| +| 44 35 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 |D5 | +dissect_ssl3_record found association 0x340ba90 + +dissect_ssl enter frame #27 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 23 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 18, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 18 +Ciphertext[18]: +| 8b d3 bc 5f 0f 8a 63 dc 48 90 44 36 0c 5f 4a 4b |..._..c.H.D6._JK| +| de e7 |.. | +Plaintext[18]: +| 01 00 eb 37 74 a3 74 7b 97 70 36 84 93 d4 35 8d |...7t.t{.p6...5.| +| 48 fa |H. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| eb 37 74 a3 74 7b 97 70 36 84 93 d4 35 8d 48 fa |.7t.t{.p6...5.H.| +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #29 (first time) + conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 + record: offset = 0, reported_length_remaining = 23 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 18, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 18 +Ciphertext[18]: +| c2 00 b3 23 f2 b1 5c ce 4e 36 34 da 09 d9 db a8 |...#..\.N64.....| +| 96 aa |.. | +Plaintext[18]: +| 01 00 ff 5e c9 f6 a9 91 d0 5d be 8a 25 01 90 f0 |...^.....]..%...| +| e0 1e |.. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:MD5 md 1 +Mac[16]: +| ff 5e c9 f6 a9 91 d0 5d be 8a 25 01 90 f0 e0 1e |.^.....]..%.....| +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #34 (first time) +ssl_session_init: initializing ptr 0x7fb94d3cb310 size 688 + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 317, ssl state 0x00 +association_find: TCP port 52730 found (nil) +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 +packet_from_server: is from server - FALSE +ssl_find_private_key server 127.0.0.1:4436 +ssl_find_private_key can't find private key for this server! Try it again with universal port 0 +ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 +ssl_find_private_key can't find any private key! +dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 + +dissect_ssl enter frame #36 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 884 +dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 58, ssl state 0x11 +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63 +dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 +ssl_restore_session master key retrieved +dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x37 +dissect_ssl3_hnd_srv_hello trying to generate keys +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 32 58 f4 4e b7 00 be 97 76 40 04 ac 92 33 9c ad |2X.N....v@...3..| +| a4 3e 24 15 9e 56 7b 8d 41 69 ad bb c6 48 5f 75 |.>$..V{.Ai...H_u| +| 6c 51 f9 52 72 0b 99 fc 81 e1 6f d7 5c a8 86 dc |lQ.Rr.....o.\...| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e 03 5f 0c dd bb 9b 4d 52 be c2 3d 49 e5 86 91 |n._....MR..=I...| +| e0 cc e1 bd e6 b4 de d5 68 c8 c8 2a 76 52 34 c6 |........h..*vR4.| +| 6e ee 73 fe a2 1e b7 ef 62 cf 26 4d 20 5d 6f cd |n.s.....b.&M ]o.| +| 78 41 f9 49 ad f8 0b c6 c7 03 e4 c2 64 |xA.I........d | +hash out[72]: +| 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| +| 92 a4 b2 4a e4 22 d2 1a 53 22 39 3d 08 18 e6 10 |...J."..S"9=....| +| ba 42 47 a2 b6 eb df 73 9a 0a 86 f4 b7 b7 70 a5 |.BG....s......p.| +| 50 e5 77 82 fa 0f 72 b9 8a 94 32 33 a1 ca 17 0d |P.w...r...23....| +| 16 5f 58 ed 13 27 6b 2c |._X..'k, | +PRF out[72]: +| 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| +| 92 a4 b2 4a e4 22 d2 1a 53 22 39 3d 08 18 e6 10 |...J."..S"9=....| +| ba 42 47 a2 b6 eb df 73 9a 0a 86 f4 b7 b7 70 a5 |.BG....s......p.| +| 50 e5 77 82 fa 0f 72 b9 8a 94 32 33 a1 ca 17 0d |P.w...r...23....| +| 16 5f 58 ed 13 27 6b 2c |._X..'k, | +key expansion[72]: +| 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| +| 92 a4 b2 4a e4 22 d2 1a 53 22 39 3d 08 18 e6 10 |...J."..S"9=....| +| ba 42 47 a2 b6 eb df 73 9a 0a 86 f4 b7 b7 70 a5 |.BG....s......p.| +| 50 e5 77 82 fa 0f 72 b9 8a 94 32 33 a1 ca 17 0d |P.w...r...23....| +| 16 5f 58 ed 13 27 6b 2c |._X..'k, | +Client MAC key[20]: +| 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| +| 92 a4 b2 4a |...J | +Server MAC key[20]: +| e4 22 d2 1a 53 22 39 3d 08 18 e6 10 ba 42 47 a2 |."..S"9=.....BG.| +| b6 eb df 73 |...s | +Client Write key[16]: +| 9a 0a 86 f4 b7 b7 70 a5 50 e5 77 82 fa 0f 72 b9 |......p.P.w...r.| +Server Write key[16]: +| 8a 94 32 33 a1 ca 17 0d 16 5f 58 ed 13 27 6b 2c |..23....._X..'k,| +Client Write IV[8]: +| 01 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 10 00 00 00 00 00 00 00 |........ | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 + record: offset = 63, reported_length_remaining = 821 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 807, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875 + record: offset = 875, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 4, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 14 offset 880 length 0 bytes, remaining 884 + +dissect_ssl enter frame #38 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 314 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 262, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949ad... +looking for RSA pre-master81b73b11c7b8f3cdc9b65b236e4d4f630477be9fc85f6b31... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 +found master secret in key log +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 73 72 51 78 33 5f 5d ff 05 25 c6 48 0d c4 a0 ef |srQx3_]..%.H....| +| 91 70 69 e4 18 dd 54 16 7a 64 c2 67 d9 3c 5b 64 |.pi...T.zd.g.<[d| +| 08 83 a2 c8 0b 60 d4 50 1f 40 e4 42 86 c1 bf 98 |.....`.P.@.B....| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e 03 5f 0c dd bb 9b 4d 52 be c2 3d 49 e5 86 91 |n._....MR..=I...| +| e0 cc e1 bd e6 b4 de d5 68 c8 c8 2a 76 52 34 c6 |........h..*vR4.| +| 6e ee 73 fe a2 1e b7 ef 62 cf 26 4d 20 5d 6f cd |n.s.....b.&M ]o.| +| 78 41 f9 49 ad f8 0b c6 c7 03 e4 c2 64 |xA.I........d | +hash out[72]: +| d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| +| aa 64 01 73 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 |.d.s.mMp... ....| +| 15 5a bf ca 6e 9f 2f a9 80 3a 86 f8 5f 45 9c 1c |.Z..n./..:.._E..| +| 2c 55 cf d1 9c d3 94 8b fb 82 d7 a2 18 e9 ba 36 |,U.............6| +| 28 0b 13 72 96 1b 2e 90 |(..r.... | +PRF out[72]: +| d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| +| aa 64 01 73 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 |.d.s.mMp... ....| +| 15 5a bf ca 6e 9f 2f a9 80 3a 86 f8 5f 45 9c 1c |.Z..n./..:.._E..| +| 2c 55 cf d1 9c d3 94 8b fb 82 d7 a2 18 e9 ba 36 |,U.............6| +| 28 0b 13 72 96 1b 2e 90 |(..r.... | +key expansion[72]: +| d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| +| aa 64 01 73 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 |.d.s.mMp... ....| +| 15 5a bf ca 6e 9f 2f a9 80 3a 86 f8 5f 45 9c 1c |.Z..n./..:.._E..| +| 2c 55 cf d1 9c d3 94 8b fb 82 d7 a2 18 e9 ba 36 |,U.............6| +| 28 0b 13 72 96 1b 2e 90 |(..r.... | +Client MAC key[20]: +| d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| +| aa 64 01 73 |.d.s | +Server MAC key[20]: +| 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 15 5a bf ca |.mMp... .....Z..| +| 6e 9f 2f a9 |n./. | +Client Write key[16]: +| 80 3a 86 f8 5f 45 9c 1c 2c 55 cf d1 9c d3 94 8b |.:.._E..,U......| +Server Write key[16]: +| fb 82 d7 a2 18 e9 ba 36 28 0b 13 72 96 1b 2e 90 |.......6(..r....| +Client Write IV[8]: +| 00 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 20 33 72 03 00 00 00 00 | 3r..... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 +ssl_save_session stored session id[0]: +ssl_save_session stored master secret[48]: +| 73 72 51 78 33 5f 5d ff 05 25 c6 48 0d c4 a0 ef |srQx3_]..%.H....| +| 91 70 69 e4 18 dd 54 16 7a 64 c2 67 d9 3c 5b 64 |.pi...T.zd.g.<[d| +| 08 83 a2 c8 0b 60 d4 50 1f 40 e4 42 86 c1 bf 98 |.....`.P.@.B....| +dissect_ssl3_handshake session keys successfully generated + record: offset = 267, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - FALSE +ssl_change_cipher CLIENT + record: offset = 273, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| 9a 28 45 a2 18 36 ca df 0f 06 cb e1 f8 ac 1f 72 |.(E..6.........r| +| 61 fc cd e5 e8 4a 59 be 88 23 ba b9 ce 01 22 4b |a....JY..#...."K| +| 26 c2 b7 4b |&..K | +Plaintext[36]: +| 14 00 00 0c a8 e5 48 ad 86 e9 b3 0a 61 aa 2e f0 |......H.....a...| +| 68 8f 93 ca 4c 02 35 40 cc eb de bb 03 cf 4c 53 |h...L.5@......LS| +| ff 57 38 58 |.W8X | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 68 8f 93 ca 4c 02 35 40 cc eb de bb 03 cf 4c 53 |h...L.5@......LS| +| ff 57 38 58 |.W8X | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #39 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 222 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 170, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - TRUE +ssl_change_cipher SERVER + record: offset = 181, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| ea 17 35 2b f9 58 60 e8 da 99 8e 50 0e 34 8b c3 |..5+.X`....P.4..| +| 90 f3 f0 c0 2e 43 29 42 93 d9 15 c6 f8 76 b1 0c |.....C)B.....v..| +| 83 62 f3 a3 |.b.. | +Plaintext[36]: +| 14 00 00 0c 07 14 b5 ea 5b fc 04 34 bf aa bc 8d |........[..4....| +| 1a 7d 3a 11 37 05 ae b4 58 98 3d 8a 76 84 70 42 |.}:.7...X.=.v.pB| +| 51 3a a0 9e |Q:.. | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 1a 7d 3a 11 37 05 ae b4 58 98 3d 8a 76 84 70 42 |.}:.7...X.=.v.pB| +| 51 3a a0 9e |Q:.. | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #40 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 86 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 81, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 81 +Ciphertext[81]: +| 00 a0 49 01 52 e5 5b d2 dd 5d 2e 50 04 21 e0 60 |..I.R.[..].P.!.`| +| e8 36 52 91 2d c6 c0 8a fd 03 fb cf 58 39 f6 e4 |.6R.-.......X9..| +| 80 91 d7 8a cc 56 0b 3e 1f bd 05 2e 27 a7 23 a2 |.....V.>....'.#.| +| c6 f5 1b 68 45 d4 49 05 e2 8a 6b 21 e5 9a e2 b5 |...hE.I...k!....| +| 92 49 f4 9f 1a 6a b5 26 41 85 2d 81 0f 56 a7 fd |.I...j.&A.-..V..| +| 50 |P | +Plaintext[81]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 72 63 34 2d 73 68 61 2e 6c 6f |Host: rc4-sha.lo| +| 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| +| 6e 2e 6e 6c 3a 34 34 33 36 0d 0a 0d 0a 5d b3 6a |n.nl:4436....].j| +| f8 c1 ad 06 d8 26 c8 30 4d b4 2e cb ea 0d d1 b3 |.....&.0M.......| +| 41 |A | +checking mac (len 61, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 5d b3 6a f8 c1 ad 06 d8 26 c8 30 4d b4 2e cb ea |].j.....&.0M....| +| 0d d1 b3 41 |...A | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 61, seq = 0, nxtseq = 61 +association_find: TCP port 52730 found (nil) +association_find: TCP port 4436 found 0x34146c0 +dissect_ssl3_record decrypted len 61 +decrypted app data fragment[61]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 72 63 34 2d 73 68 61 2e 6c 6f |Host: rc4-sha.lo| +| 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| +| 6e 2e 6e 6c 3a 34 34 33 36 0d 0a 0d 0a |n.nl:4436.... | +dissect_ssl3_record found association 0x34146c0 + +dissect_ssl enter frame #41 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 373 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 368, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 368 +Ciphertext[368]: +| 5d 7a 6a f6 d1 64 34 31 94 c4 2a fd 4c 12 30 51 |]zj..d41..*.L.0Q| +| a0 3b 2c fa 77 25 e0 b1 d2 7a 1d e8 69 81 0a bf |.;,.w%...z..i...| +| 04 80 32 86 9b a6 81 a4 58 32 39 99 5e 0f 6a a9 |..2.....X29.^.j.| +| 8c ce 7f 01 34 72 09 82 98 69 ec f7 b5 e5 4a 36 |....4r...i....J6| +| 14 f2 db d3 08 22 2c 76 89 cb ae 2b 42 b3 c7 41 |.....",v...+B..A| +| 07 5c 64 5a b4 3c bd df 17 ad 84 cd 4f 31 c9 33 |.\dZ.<......O1.3| +| 13 6f 26 3a c0 7d e5 12 91 12 77 f6 1c bf 87 be |.o&:.}....w.....| +| 16 6e 4c bb 27 83 63 b9 cb aa b6 99 2e c1 db d6 |.nL.'.c.........| +| 96 3d dc cf f1 53 6c b8 c5 36 f3 4d b7 99 47 e4 |.=...Sl..6.M..G.| +| 4e 6a bb 3f 90 18 d4 de 2f 83 b5 1d 72 ac bb 1c |Nj.?..../...r...| +| 26 7c 0f 94 53 39 45 d4 dc 72 67 24 2f 1c 43 17 |&|..S9E..rg$/.C.| +| f5 f8 08 49 7f 6c 6d de 7f ce 67 e7 8d c6 01 fc |...I.lm...g.....| +| 0c a7 7b df 11 20 70 d3 2e 90 ed c6 b4 12 43 5b |..{.. p.......C[| +| 74 8d 9b 56 83 52 c0 b8 22 75 ab a4 12 89 d0 09 |t..V.R.."u......| +| a3 5c fc 86 88 31 d6 86 eb 1c 96 36 2d 40 cc ee |.\...1.....6-@..| +| 55 f8 4c 46 44 74 7a 6f a3 68 e2 00 2f 7f e8 3e |U.LFDtzo.h../..>| +| 9f 67 8a f6 14 b0 f2 08 c7 c5 10 b0 ab af 91 6b |.g.............k| +| c5 0a 0a 66 26 32 aa 1a bc 02 34 ee e4 6b 19 3c |...f&2....4..k.<| +| 84 b8 d7 7b 8a f7 e2 ec 89 b3 bc 95 95 48 ce 25 |...{.........H.%| +| 8d bb 43 11 9c e2 1b b7 fd 2d 13 b5 23 d9 e2 c4 |..C......-..#...| +| e3 0f 78 13 98 07 e3 00 41 5b 35 3e 77 24 6b b2 |..x.....A[5>w$k.| +| 72 09 68 37 db dc b4 6e c0 3d a3 72 a6 38 3d fc |r.h7...n.=.r.8=.| +| 7e 4f 8c e1 9b 35 96 27 17 95 c3 25 e2 64 05 b2 |~O...5.'...%.d..| +Plaintext[368]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 141..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 35 20 2d 20 52 43 34 2d 53 |x00,0x05 - RC4-S| +| 48 41 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |HA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | +| 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| +| 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 53 |=RC4(128) Mac=S| +| 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d |HA1.D.3| +| 48 df 21 8c ac 16 a0 b8 88 17 9e 10 6c 8e 97 a4 |H.!.........l...| +checking mac (len 348, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| c8 44 c0 33 48 df 21 8c ac 16 a0 b8 88 17 9e 10 |.D.3H.!.........| +| 6c 8e 97 a4 |l... | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 348, seq = 0, nxtseq = 348 +association_find: TCP port 4436 found 0x34146c0 +dissect_ssl3_record decrypted len 348 +decrypted app data fragment[348]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 141..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 35 20 2d 20 52 43 34 2d 53 |x00,0x05 - RC4-S| +| 48 41 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |HA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | +| 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| +| 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 53 |=RC4(128) Mac=S| +| 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d |HA1 | +dissect_ssl3_record found association 0x34146c0 + +dissect_ssl enter frame #42 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| 76 a6 49 15 74 b7 6c 75 86 25 b6 68 c9 28 a8 08 |v.I.t.lu.%.h.(..| +| 7c 93 8e 21 6e 71 ||..!nq | +Plaintext[22]: +| 01 00 e1 71 41 33 bd 7d 3a e6 f8 91 96 75 9c 6c |...qA3.}:....u.l| +| fe a7 79 43 a9 29 |..yC.) | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| e1 71 41 33 bd 7d 3a e6 f8 91 96 75 9c 6c fe a7 |.qA3.}:....u.l..| +| 79 43 a9 29 |yC.) | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #44 (first time) + conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| 85 5f c9 88 56 9b f5 56 9e 2f 7d 1d ba a9 dd 62 |._..V..V./}....b| +| 2d 1d f7 3c 38 20 |-..<8 | +Plaintext[22]: +| 01 00 e1 7f c8 d2 69 cf 40 26 15 f8 cf f2 d3 54 |......i.@&.....T| +| c3 1d 4b 22 05 da |..K".. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| e1 7f c8 d2 69 cf 40 26 15 f8 cf f2 d3 54 c3 1d |....i.@&.....T..| +| 4b 22 05 da |K".. | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #49 (first time) +ssl_session_init: initializing ptr 0x7fb94d3cdcd0 size 688 + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 317, ssl state 0x00 +association_find: TCP port 34339 found (nil) +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 +packet_from_server: is from server - FALSE +ssl_find_private_key server 127.0.0.1:4479 +ssl_find_private_key can't find private key for this server! Try it again with universal port 0 +ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 +ssl_find_private_key can't find any private key! +dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 + +dissect_ssl enter frame #51 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 565 +dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 66, ssl state 0x11 +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 +dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 +ssl_restore_session master key retrieved +dissect_ssl3_hnd_srv_hello found CIPHER 0xC002 -> state 0x37 +dissect_ssl3_hnd_srv_hello trying to generate keys +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 73 72 51 78 33 5f 5d ff 05 25 c6 48 0d c4 a0 ef |srQx3_]..%.H....| +| 91 70 69 e4 18 dd 54 16 7a 64 c2 67 d9 3c 5b 64 |.pi...T.zd.g.<[d| +| 08 83 a2 c8 0b 60 d4 50 1f 40 e4 42 86 c1 bf 98 |.....`.P.@.B....| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e d0 98 28 f0 59 7a c3 02 34 4b 0c 01 62 2e a0 |n..(.Yz..4K..b..| +| 95 76 0e c4 17 a1 04 18 28 95 f9 d8 f4 52 34 c6 |.v......(....R4.| +| 6e 96 87 63 98 ad 6e cf f1 b3 ff b7 58 71 9b b5 |n..c..n.....Xq..| +| 12 58 ea ea 31 bb 97 a4 be 4e 7e ca 41 |.X..1....N~.A | +hash out[72]: +| 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| +| aa 40 26 bf 47 c2 72 62 3b 95 e4 37 ee 96 29 ea |.@&.G.rb;..7..).| +| 10 6c fd 76 43 3d 8d 05 21 cc 4a fd 77 80 7a d2 |.l.vC=..!.J.w.z.| +| cc 5a aa 90 9d 82 87 37 74 41 8f b8 14 82 38 c1 |.Z.....7tA....8.| +| 33 27 cf 58 57 82 01 99 |3'.XW... | +PRF out[72]: +| 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| +| aa 40 26 bf 47 c2 72 62 3b 95 e4 37 ee 96 29 ea |.@&.G.rb;..7..).| +| 10 6c fd 76 43 3d 8d 05 21 cc 4a fd 77 80 7a d2 |.l.vC=..!.J.w.z.| +| cc 5a aa 90 9d 82 87 37 74 41 8f b8 14 82 38 c1 |.Z.....7tA....8.| +| 33 27 cf 58 57 82 01 99 |3'.XW... | +key expansion[72]: +| 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| +| aa 40 26 bf 47 c2 72 62 3b 95 e4 37 ee 96 29 ea |.@&.G.rb;..7..).| +| 10 6c fd 76 43 3d 8d 05 21 cc 4a fd 77 80 7a d2 |.l.vC=..!.J.w.z.| +| cc 5a aa 90 9d 82 87 37 74 41 8f b8 14 82 38 c1 |.Z.....7tA....8.| +| 33 27 cf 58 57 82 01 99 |3'.XW... | +Client MAC key[20]: +| 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| +| aa 40 26 bf |.@&. | +Server MAC key[20]: +| 47 c2 72 62 3b 95 e4 37 ee 96 29 ea 10 6c fd 76 |G.rb;..7..)..l.v| +| 43 3d 8d 05 |C=.. | +Client Write key[16]: +| 21 cc 4a fd 77 80 7a d2 cc 5a aa 90 9d 82 87 37 |!.J.w.z..Z.....7| +Server Write key[16]: +| 74 41 8f b8 14 82 38 c1 33 27 cf 58 57 82 01 99 |tA....8.3'.XW...| +Client Write IV[8]: +| 01 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 14 00 00 00 00 00 00 00 |........ | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 + record: offset = 71, reported_length_remaining = 494 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 480, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 11 offset 76 length 476 bytes, remaining 556 + record: offset = 556, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 4, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 14 offset 561 length 0 bytes, remaining 565 + +dissect_ssl enter frame #53 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 154 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 102, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, remaining 107 +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31... +looking for RSA pre-master610430861bf4e0270fda641c54975775efa90f1ac7a0b59c... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e035f0cddbb9b4d52bec23d49e58691e0cce1bde6b4ded568c8c82a76 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed09828f0597ac302344b0c01622ea095760ec417a104182895f9d8f4 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31bb97a4be4e7eca41 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 +found master secret in key log +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 26 f0 86 78 b7 11 5a 89 88 62 d8 c3 ee 82 7e 1b |&..x..Z..b....~.| +| 8a 13 4c 43 f2 18 b1 e5 4e d0 27 69 2f 89 1a 40 |..LC....N.'i/..@| +| 5e 53 2d f1 f5 3b df 6e 44 3d 5a d2 33 cd e0 63 |^S-..;.nD=Z.3..c| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e d0 98 28 f0 59 7a c3 02 34 4b 0c 01 62 2e a0 |n..(.Yz..4K..b..| +| 95 76 0e c4 17 a1 04 18 28 95 f9 d8 f4 52 34 c6 |.v......(....R4.| +| 6e 96 87 63 98 ad 6e cf f1 b3 ff b7 58 71 9b b5 |n..c..n.....Xq..| +| 12 58 ea ea 31 bb 97 a4 be 4e 7e ca 41 |.X..1....N~.A | +hash out[72]: +| 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| +| ba 2d 46 7c 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 |.-F|,...JViQ..B.| +| 45 33 f2 5f ee 4c d8 95 32 5c aa 6c b5 70 c5 47 |E3._.L..2\.l.p.G| +| 80 ea f3 5b 4f 17 53 24 55 e8 95 1e e2 7c 32 6b |...[O.S$U....|2k| +| 59 62 5c 79 64 7f b9 11 |Yb\yd... | +PRF out[72]: +| 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| +| ba 2d 46 7c 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 |.-F|,...JViQ..B.| +| 45 33 f2 5f ee 4c d8 95 32 5c aa 6c b5 70 c5 47 |E3._.L..2\.l.p.G| +| 80 ea f3 5b 4f 17 53 24 55 e8 95 1e e2 7c 32 6b |...[O.S$U....|2k| +| 59 62 5c 79 64 7f b9 11 |Yb\yd... | +key expansion[72]: +| 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| +| ba 2d 46 7c 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 |.-F|,...JViQ..B.| +| 45 33 f2 5f ee 4c d8 95 32 5c aa 6c b5 70 c5 47 |E3._.L..2\.l.p.G| +| 80 ea f3 5b 4f 17 53 24 55 e8 95 1e e2 7c 32 6b |...[O.S$U....|2k| +| 59 62 5c 79 64 7f b9 11 |Yb\yd... | +Client MAC key[20]: +| 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| +| ba 2d 46 7c |.-F| | +Server MAC key[20]: +| 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 45 33 f2 5f |,...JViQ..B.E3._| +| ee 4c d8 95 |.L.. | +Client Write key[16]: +| 32 5c aa 6c b5 70 c5 47 80 ea f3 5b 4f 17 53 24 |2\.l.p.G...[O.S$| +Server Write key[16]: +| 55 e8 95 1e e2 7c 32 6b 59 62 5c 79 64 7f b9 11 |U....|2kYb\yd...| +Client Write IV[8]: +| 00 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 40 35 72 03 00 00 00 00 |@5r..... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 +ssl_save_session stored session id[0]: +ssl_save_session stored master secret[48]: +| 26 f0 86 78 b7 11 5a 89 88 62 d8 c3 ee 82 7e 1b |&..x..Z..b....~.| +| 8a 13 4c 43 f2 18 b1 e5 4e d0 27 69 2f 89 1a 40 |..LC....N.'i/..@| +| 5e 53 2d f1 f5 3b df 6e 44 3d 5a d2 33 cd e0 63 |^S-..;.nD=Z.3..c| +dissect_ssl3_handshake session keys successfully generated + record: offset = 107, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - FALSE +ssl_change_cipher CLIENT + record: offset = 113, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| a2 fd ba 64 ac e8 7b c0 7a 93 47 74 de 21 a2 93 |...d..{.z.Gt.!..| +| c3 cf db 1d d7 cd 9e 4f f8 ca e7 a1 24 53 fc c7 |.......O....$S..| +| d1 1f bd e0 |.... | +Plaintext[36]: +| 14 00 00 0c 18 e1 7d 86 d2 d5 60 d4 2f c4 75 f0 |......}...`./.u.| +| 48 8c a4 13 53 8b 44 61 74 28 05 8c ff f4 a2 b1 |H...S.Dat(......| +| d6 d2 0f a3 |.... | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 48 8c a4 13 53 8b 44 61 74 28 05 8c ff f4 a2 b1 |H...S.Dat(......| +| d6 d2 0f a3 |.... | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #54 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 222 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 170, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - TRUE +ssl_change_cipher SERVER + record: offset = 181, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| 54 39 01 fe 8c ea a6 9e 0f d6 57 cd d0 e1 e8 e3 |T9........W.....| +| 5d c4 a1 f3 88 41 5f 84 91 c0 cc 6b 6e 82 7d 92 |]....A_....kn.}.| +| 38 24 27 2b |8$'+ | +Plaintext[36]: +| 14 00 00 0c 41 cd 0b 8c 33 75 d4 e1 2b 4c 86 b3 |....A...3u..+L..| +| 05 8b 4f f4 80 aa 34 b0 d2 be 77 15 a9 e4 3f d6 |..O...4...w...?.| +| 91 ab d5 44 |...D | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 05 8b 4f f4 80 aa 34 b0 d2 be 77 15 a9 e4 3f d6 |..O...4...w...?.| +| 91 ab d5 44 |...D | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #55 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 97 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 92, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 92 +Ciphertext[92]: +| a3 d9 60 9b a2 2e 07 ce b1 38 1c e7 50 cc eb f0 |..`......8..P...| +| 69 a7 e0 0c 31 e4 2e cc e7 39 d3 fd c4 6a aa ce |i...1....9...j..| +| a1 4d 56 44 79 6f bb 92 6e b6 8b d6 c7 b6 87 ae |.MVDyo..n.......| +| 3f 52 6c b8 dd 10 17 7d 09 df 8c f3 e6 ee 4a 1a |?Rl....}......J.| +| ee d0 95 c1 13 f4 58 9a 05 82 57 34 8e c6 b1 d5 |......X...W4....| +| bc 10 ea 01 34 b4 79 6f ea 52 d4 4a |....4.yo.R.J | +Plaintext[92]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 63 64 68 2d 65 63 64 73 61 |Host: ecdh-ecdsa| +| 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 |-rc4-sha.local.a| +| 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a |l.lekensteyn.nl:| +| 34 34 37 39 0d 0a 0d 0a 71 47 69 bd 1c 52 6e a6 |4479....qGi..Rn.| +| 8b 71 98 6f d6 71 57 e7 69 ad 81 1d |.q.o.qW.i... | +checking mac (len 72, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 71 47 69 bd 1c 52 6e a6 8b 71 98 6f d6 71 57 e7 |qGi..Rn..q.o.qW.| +| 69 ad 81 1d |i... | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 72, seq = 0, nxtseq = 72 +association_find: TCP port 34339 found (nil) +association_find: TCP port 4479 found 0x34178c0 +dissect_ssl3_record decrypted len 72 +decrypted app data fragment[72]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 63 64 68 2d 65 63 64 73 61 |Host: ecdh-ecdsa| +| 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 |-rc4-sha.local.a| +| 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a |l.lekensteyn.nl:| +| 34 34 37 39 0d 0a 0d 0a |4479.... | +dissect_ssl3_record found association 0x34178c0 + +dissect_ssl enter frame #56 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 375 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 370, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 370 +Ciphertext[370]: +| fd 1a bb 96 0c 4d b9 51 b8 81 45 f8 ad 70 c0 52 |.....M.Q..E..p.R| +| 1b 97 df 68 bb d2 fd a7 7e b5 67 b4 be cb 31 da |...h....~.g...1.| +| cf 2e 87 dd a2 ca 0a 82 1a 34 ee f6 27 95 86 1d |.........4..'...| +| f4 a9 6a 38 c3 c3 1e 70 ba 44 4e 79 dc 5e 4e 50 |..j8...p.DNy.^NP| +| 12 f7 c9 93 e6 94 71 87 43 c7 cb ae 76 f6 a4 95 |......q.C...v...| +| 7e e1 c1 83 66 41 2b 20 2e b0 32 30 01 89 b3 d4 |~...fA+ ..20....| +| 82 ea b2 f3 d8 ac d7 44 8f c3 f2 01 fc 83 82 f5 |.......D........| +| 4a a1 fc 39 1d 4b da fd e0 dc 66 0c 1c 8d 0f 6e |J..9.K....f....n| +| c4 c8 ed b1 f0 64 c2 49 eb 19 18 2f a1 56 fb b9 |.....d.I.../.V..| +| 89 9c de ca 57 ed ee 68 ef 30 07 ba 8a ee 75 1a |....W..h.0....u.| +| 96 9a af 36 9b e7 88 b1 3e 2e 47 7c 03 2d e9 67 |...6....>.G|.-.g| +| 91 95 ce ac 56 ab c1 81 47 ec e4 97 30 df 1c 94 |....V...G...0...| +| 1b 82 84 5d df 34 bc a1 8f 5d 5d 14 15 ac f1 4b |...].4...]]....K| +| 03 a9 5f 88 75 e5 e1 d6 2d 30 b7 78 e9 7d 6b db |.._.u...-0.x.}k.| +| ce 9b 10 08 2d 3b fb fd c0 06 b5 68 fb b3 2c 0c |....-;.....h..,.| +| 5c 13 21 35 5e b9 a5 b6 b1 6e f4 21 29 ad f1 9c |\.!5^....n.!)...| +| 88 f2 b2 65 5c 17 fb 48 03 8a 68 37 8f fa aa 15 |...e\..H..h7....| +| c5 4e cf f8 f5 b3 fc e0 82 1c 09 de 49 b3 c1 9b |.N..........I...| +| fc 29 31 bf 64 34 e4 12 09 0c c4 b7 3f 59 37 8c |.)1.d4......?Y7.| +| 4e 37 8c 9e 9a 86 b1 c2 66 65 fd 71 72 0d fd 5e |N7......fe.qr..^| +| 77 f6 b1 e3 6f a9 14 ee f2 c1 22 d6 ce 91 c7 c5 |w...o.....".....| +| 25 4e 14 d4 89 8f a7 a7 69 b7 f0 21 96 bd 7e 1a |%N......i..!..~.| +| 2e e8 71 c0 87 ac 92 80 0e 60 8b 3a c1 08 06 38 |..q......`.:...8| +| a3 03 |.. | +Plaintext[370]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 33 0d 0a 43 6f 6e 6e 65 63 74 |th: 143..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 43 30 2c 30 78 30 32 20 2d 20 45 43 44 48 2d |xC0,0x02 - ECDH-| +| 45 43 44 53 41 2d 52 43 34 2d 53 48 41 20 20 20 |ECDSA-RC4-SHA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| +| 2f 45 43 44 53 41 20 41 75 3d 45 43 44 48 20 45 |/ECDSA Au=ECDH E| +| 6e 63 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 |nc=RC4(128) Mac| +| 3d 53 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 |=SHA1..| +| 0f 32 78 9b 48 e5 17 5f 71 3e 4e b8 fc 93 5f 76 |.2x.H.._q>N..._v| +| 68 66 |hf | +checking mac (len 350, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| b3 da 0f 32 78 9b 48 e5 17 5f 71 3e 4e b8 fc 93 |...2x.H.._q>N...| +| 5f 76 68 66 |_vhf | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 350, seq = 0, nxtseq = 350 +association_find: TCP port 4479 found 0x34178c0 +dissect_ssl3_record decrypted len 350 +decrypted app data fragment[350]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 33 0d 0a 43 6f 6e 6e 65 63 74 |th: 143..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 43 30 2c 30 78 30 32 20 2d 20 45 43 44 48 2d |xC0,0x02 - ECDH-| +| 45 43 44 53 41 2d 52 43 34 2d 53 48 41 20 20 20 |ECDSA-RC4-SHA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| +| 2f 45 43 44 53 41 20 41 75 3d 45 43 44 48 20 45 |/ECDSA Au=ECDH E| +| 6e 63 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 |nc=RC4(128) Mac| +| 3d 53 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 |=SHA1 | +dissect_ssl3_record found association 0x34178c0 + +dissect_ssl enter frame #57 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| 7b ee 1a 68 c4 f6 a0 50 ef ee ae 08 80 09 f1 3d |{..h...P.......=| +| e0 8a 3d db 1e c9 |..=... | +Plaintext[22]: +| 01 00 61 42 44 21 e6 de a3 49 66 d6 70 0f 90 35 |..aBD!...If.p..5| +| ba 4c e3 34 3a f4 |.L.4:. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 61 42 44 21 e6 de a3 49 66 d6 70 0f 90 35 ba 4c |aBD!...If.p..5.L| +| e3 34 3a f4 |.4:. | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #59 (first time) + conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| bb fa eb a9 7a e0 bb b7 37 db 0b c8 6e c7 6b ce |....z...7...n.k.| +| 1c 6f 22 6d 4f 0c |.o"mO. | +Plaintext[22]: +| 01 00 60 48 98 ac be 21 1b d0 f2 89 c5 22 d1 1f |..`H...!....."..| +| 11 f1 63 2d a4 e4 |..c-.. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 60 48 98 ac be 21 1b d0 f2 89 c5 22 d1 1f 11 f1 |`H...!....."....| +| 63 2d a4 e4 |c-.. | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #64 (first time) +ssl_session_init: initializing ptr 0x7fb94d3d0600 size 688 + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 317, ssl state 0x00 +association_find: TCP port 42963 found (nil) +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 +packet_from_server: is from server - FALSE +ssl_find_private_key server 127.0.0.1:4483 +ssl_find_private_key can't find private key for this server! Try it again with universal port 0 +ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 +ssl_find_private_key can't find any private key! +dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 + +dissect_ssl enter frame #66 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 749 +dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 66, ssl state 0x11 +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 +dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 +ssl_restore_session master key retrieved +dissect_ssl3_hnd_srv_hello found CIPHER 0xC007 -> state 0x37 +dissect_ssl3_hnd_srv_hello trying to generate keys +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 26 f0 86 78 b7 11 5a 89 88 62 d8 c3 ee 82 7e 1b |&..x..Z..b....~.| +| 8a 13 4c 43 f2 18 b1 e5 4e d0 27 69 2f 89 1a 40 |..LC....N.'i/..@| +| 5e 53 2d f1 f5 3b df 6e 44 3d 5a d2 33 cd e0 63 |^S-..;.nD=Z.3..c| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e 23 3f c9 5e ee 0a 92 ea 66 7a b4 11 bf cc 02 |n#?.^....fz.....| +| 61 62 36 63 19 ff 18 f4 bb d8 be 92 cb 52 34 c6 |ab6c.........R4.| +| 6e fe 0d bb ea 44 df 8c 5a 20 59 7b f2 15 e5 80 |n....D..Z Y{....| +| 2c 26 d4 b5 24 cf 19 67 05 5a 74 2e c6 |,&..$..g.Zt.. | +hash out[72]: +| f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| +| c8 50 4e 2d af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 |.PN-.:p0.....LlX| +| a7 ea 2a d1 8c f9 13 75 f2 20 d9 3b 6a c2 8a db |..*....u. .;j...| +| c4 53 4b 09 69 80 ec 5c 64 bd 1d be 47 ef 4a 91 |.SK.i..\d...G.J.| +| f8 59 2a f7 27 04 e5 bb |.Y*.'... | +PRF out[72]: +| f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| +| c8 50 4e 2d af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 |.PN-.:p0.....LlX| +| a7 ea 2a d1 8c f9 13 75 f2 20 d9 3b 6a c2 8a db |..*....u. .;j...| +| c4 53 4b 09 69 80 ec 5c 64 bd 1d be 47 ef 4a 91 |.SK.i..\d...G.J.| +| f8 59 2a f7 27 04 e5 bb |.Y*.'... | +key expansion[72]: +| f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| +| c8 50 4e 2d af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 |.PN-.:p0.....LlX| +| a7 ea 2a d1 8c f9 13 75 f2 20 d9 3b 6a c2 8a db |..*....u. .;j...| +| c4 53 4b 09 69 80 ec 5c 64 bd 1d be 47 ef 4a 91 |.SK.i..\d...G.J.| +| f8 59 2a f7 27 04 e5 bb |.Y*.'... | +Client MAC key[20]: +| f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| +| c8 50 4e 2d |.PN- | +Server MAC key[20]: +| af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 a7 ea 2a d1 |.:p0.....LlX..*.| +| 8c f9 13 75 |...u | +Client Write key[16]: +| f2 20 d9 3b 6a c2 8a db c4 53 4b 09 69 80 ec 5c |. .;j....SK.i..\| +Server Write key[16]: +| 64 bd 1d be 47 ef 4a 91 f8 59 2a f7 27 04 e5 bb |d...G.J..Y*.'...| +Client Write IV[8]: +| 01 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 14 00 00 00 00 00 00 00 |........ | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 + record: offset = 71, reported_length_remaining = 678 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 480, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 11 offset 76 length 476 bytes, remaining 556 + record: offset = 556, reported_length_remaining = 193 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 179, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 12 offset 561 length 175 bytes, remaining 740 + record: offset = 740, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 4, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 14 offset 745 length 0 bytes, remaining 749 + +dissect_ssl enter frame #68 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 122 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 70, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66efe0dbbea44df8c5a20597bf215e5802c26d4b524... +looking for RSA pre-master4104286ee16f4b6aecb0bb4ee2040e2c93650b01f256d039... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e035f0cddbb9b4d52bec23d49e58691e0cce1bde6b4ded568c8c82a76 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed09828f0597ac302344b0c01622ea095760ec417a104182895f9d8f4 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31bb97a4be4e7eca41 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e233fc95eee0a92ea667ab411bfcc026162366319ff18f4bbd8be92cb E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66efe0dbbea44df8c5a20597bf215e5802c26d4b524cf1967055a742ec6 E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 +found master secret in key log +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| e7 39 8c df 37 50 e1 0f e7 e1 d5 f7 ba f3 64 6a |.9..7P........dj| +| f4 d2 bc 09 66 46 fe db b7 e1 1b c3 53 38 e1 52 |....fF......S8.R| +| 4f 6b d2 04 93 78 99 09 69 f6 07 7c ea 50 32 02 |Ok...x..i..|.P2.| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6e 23 3f c9 5e ee 0a 92 ea 66 7a b4 11 bf cc 02 |n#?.^....fz.....| +| 61 62 36 63 19 ff 18 f4 bb d8 be 92 cb 52 34 c6 |ab6c.........R4.| +| 6e fe 0d bb ea 44 df 8c 5a 20 59 7b f2 15 e5 80 |n....D..Z Y{....| +| 2c 26 d4 b5 24 cf 19 67 05 5a 74 2e c6 |,&..$..g.Zt.. | +hash out[72]: +| d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| +| 81 78 0d 31 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c |.x.1.N....}.;..|| +| 06 20 1b 03 11 90 26 1c 94 f5 4b ba ff 1e d4 18 |. ....&...K.....| +| c3 4f d5 83 1e 60 f4 9b 84 cc cd 62 b8 b2 7b 6d |.O...`.....b..{m| +| 01 3d 5d a2 a1 e7 01 f7 |.=]..... | +PRF out[72]: +| d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| +| 81 78 0d 31 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c |.x.1.N....}.;..|| +| 06 20 1b 03 11 90 26 1c 94 f5 4b ba ff 1e d4 18 |. ....&...K.....| +| c3 4f d5 83 1e 60 f4 9b 84 cc cd 62 b8 b2 7b 6d |.O...`.....b..{m| +| 01 3d 5d a2 a1 e7 01 f7 |.=]..... | +key expansion[72]: +| d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| +| 81 78 0d 31 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c |.x.1.N....}.;..|| +| 06 20 1b 03 11 90 26 1c 94 f5 4b ba ff 1e d4 18 |. ....&...K.....| +| c3 4f d5 83 1e 60 f4 9b 84 cc cd 62 b8 b2 7b 6d |.O...`.....b..{m| +| 01 3d 5d a2 a1 e7 01 f7 |.=]..... | +Client MAC key[20]: +| d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| +| 81 78 0d 31 |.x.1 | +Server MAC key[20]: +| 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c 06 20 1b 03 |.N....}.;..|. ..| +| 11 90 26 1c |..&. | +Client Write key[16]: +| 94 f5 4b ba ff 1e d4 18 c3 4f d5 83 1e 60 f4 9b |..K......O...`..| +Server Write key[16]: +| 84 cc cd 62 b8 b2 7b 6d 01 3d 5d a2 a1 e7 01 f7 |...b..{m.=].....| +Client Write IV[8]: +| 00 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 20 33 72 03 00 00 00 00 | 3r..... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 +ssl_save_session stored session id[0]: +ssl_save_session stored master secret[48]: +| e7 39 8c df 37 50 e1 0f e7 e1 d5 f7 ba f3 64 6a |.9..7P........dj| +| f4 d2 bc 09 66 46 fe db b7 e1 1b c3 53 38 e1 52 |....fF......S8.R| +| 4f 6b d2 04 93 78 99 09 69 f6 07 7c ea 50 32 02 |Ok...x..i..|.P2.| +dissect_ssl3_handshake session keys successfully generated + record: offset = 75, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - FALSE +ssl_change_cipher CLIENT + record: offset = 81, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| 28 9b be 39 c6 f9 e2 fd e4 9c 80 e1 59 dd f8 d1 |(..9........Y...| +| 8f 23 bd b3 d1 de e7 4c 71 ca 5e 5b 93 b3 1c ac |.#.....Lq.^[....| +| a2 48 52 78 |.HRx | +Plaintext[36]: +| 14 00 00 0c c9 21 36 4d 4e fb 81 d2 24 ba f5 89 |.....!6MN...$...| +| 51 b4 28 e3 8b 14 c0 56 2f e9 5c fd b4 d4 d3 ef |Q.(....V/.\.....| +| 05 f0 d2 15 |.... | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 51 b4 28 e3 8b 14 c0 56 2f e9 5c fd b4 d4 d3 ef |Q.(....V/.\.....| +| 05 f0 d2 15 |.... | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #69 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 222 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 170, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - TRUE +ssl_change_cipher SERVER + record: offset = 181, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| d4 b2 fc 4e 59 af c3 22 aa 44 f2 14 e9 26 1b 2f |...NY..".D...&./| +| 9a 30 c2 df d2 0d 39 3c 06 df 1b 29 82 f5 5e 66 |.0....9<...)..^f| +| 17 57 1c a4 |.W.. | +Plaintext[36]: +| 14 00 00 0c 83 32 af 4a 2f 42 9e 42 4c 73 3f 18 |.....2.J/B.BLs?.| +| 06 00 31 d2 bf 9c 97 e4 81 33 39 00 7a 9e 13 01 |..1......39.z...| +| 49 15 0d 02 |I... | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 06 00 31 d2 bf 9c 97 e4 81 33 39 00 7a 9e 13 01 |..1......39.z...| +| 49 15 0d 02 |I... | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #70 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 98 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 93, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 93 +Ciphertext[93]: +| b5 b1 bf c0 92 39 5b 70 2b c9 60 79 4b e0 57 c8 |.....9[p+.`yK.W.| +| f4 ba 6a 24 44 a5 43 58 bf ce 42 63 78 1a be ab |..j$D.CX..Bcx...| +| c4 5a 71 f2 4f 71 63 8c e6 79 fa f1 03 71 f6 a3 |.Zq.Oqc..y...q..| +| d2 57 c8 2f 3b 26 be c1 3a ef bb 98 ef 18 4d ae |.W./;&..:.....M.| +| b2 e8 6a 4a 3d cc 8a 99 a8 b8 dc d4 a4 3a e9 18 |..jJ=........:..| +| e2 25 7e 46 d4 f2 1e 2c 91 bf 00 99 78 |.%~F...,....x | +Plaintext[93]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 63 64 68 65 2d 65 63 64 73 |Host: ecdhe-ecds| +| 61 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e |a-rc4-sha.local.| +| 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c |al.lekensteyn.nl| +| 3a 34 34 38 33 0d 0a 0d 0a 18 d5 ec e2 1c 3d 66 |:4483.........=f| +| 37 80 df 78 d7 62 51 48 aa f9 8b 20 3c |7..x.bQH... < | +checking mac (len 73, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 18 d5 ec e2 1c 3d 66 37 80 df 78 d7 62 51 48 aa |.....=f7..x.bQH.| +| f9 8b 20 3c |.. < | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 73, seq = 0, nxtseq = 73 +association_find: TCP port 42963 found (nil) +association_find: TCP port 4483 found 0x3417b00 +dissect_ssl3_record decrypted len 73 +decrypted app data fragment[73]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 63 64 68 65 2d 65 63 64 73 |Host: ecdhe-ecds| +| 61 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e |a-rc4-sha.local.| +| 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c |al.lekensteyn.nl| +| 3a 34 34 38 33 0d 0a 0d 0a |:4483.... | +dissect_ssl3_record found association 0x3417b00 + +dissect_ssl enter frame #71 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 374 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 369, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 369 +Ciphertext[369]: +| 82 38 03 c0 15 41 83 4d 0f 2e d4 7c 7c f9 1b 34 |.8...A.M...||..4| +| 90 bf ff 3b c7 35 f0 01 5a 3d 53 ae b1 23 ea 5b |...;.5..Z=S..#.[| +| cd af 7c ac 8f 35 dc f7 e4 18 5d c1 25 80 15 ae |..|..5....].%...| +| 53 d3 95 0e d3 23 d6 14 5c f5 a6 a1 7d 8e 6e b8 |S....#..\...}.n.| +| 41 36 e7 da 93 ba 76 f4 d3 2b dd 87 6c ce 5c 8b |A6....v..+..l.\.| +| 78 ff e9 32 ed ec c4 91 e9 e2 c7 85 56 c9 ce f8 |x..2........V...| +| 5b 13 7f de 80 a0 1b b1 4b 1b 36 f6 81 aa 19 2c |[.......K.6....,| +| 80 c1 e5 9b 66 4b 23 7f ea a5 3b aa 41 9d 73 90 |....fK#...;.A.s.| +| 8b 54 9e 17 de e3 31 69 69 44 00 31 b0 27 02 2e |.T....1iiD.1.'..| +| c5 76 a8 65 90 e5 64 6a bc f8 1f ce 41 56 16 0b |.v.e..dj....AV..| +| 65 34 8e e2 05 4c 01 5c ba ae eb ea dd 25 e0 75 |e4...L.\.....%.u| +| 99 53 e7 ac d0 34 68 b5 15 1a f4 8c 9e 79 36 b3 |.S...4h......y6.| +| 81 e6 df ef 22 bc 4d 35 ae ae 35 dc 46 cf 8d 1c |....".M5..5.F...| +| a7 e3 c1 ff 40 11 4d aa 99 a5 11 b6 e5 ac 1d 3e |....@.M........>| +| 2b 2e f3 62 36 b8 bb 83 61 f2 b7 77 0b ab 7f 6a |+..b6...a..w...j| +| c2 e5 6f dd b3 23 29 2d 12 2f 83 6d ec 9e a6 e9 |..o..#)-./.m....| +| 8e c2 e1 19 0b 9d 35 60 12 1a 83 87 ca 55 b2 1c |......5`.....U..| +| 7e c4 95 ed e7 6a e7 f6 70 95 d7 b5 16 52 97 d3 |~....j..p....R..| +| cc 6c 8a 31 de 67 eb 14 30 a5 fe fe 14 b0 26 67 |.l.1.g..0.....&g| +| 2c 61 05 d3 9b d4 77 f0 98 55 15 7f b9 bf 27 61 |,a....w..U....'a| +| 84 51 f7 69 c3 93 77 9d 0f 1f f3 c8 e2 c3 c4 f6 |.Q.i..w.........| +| 72 07 be 3d 09 bd 8a 72 8e a2 bc ec 55 40 6c 19 |r..=...r....U@l.| +| a4 6a f3 39 a8 0f 36 1a 87 6f 75 33 60 f3 b4 61 |.j.9..6..ou3`..a| +| a5 |. | +Plaintext[369]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 32 0d 0a 43 6f 6e 6e 65 63 74 |th: 142..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 43 30 2c 30 78 30 37 20 2d 20 45 43 44 48 45 |xC0,0x07 - ECDHE| +| 2d 45 43 44 53 41 2d 52 43 34 2d 53 48 41 20 20 |-ECDSA-RC4-SHA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| +| 20 20 20 20 20 41 75 3d 45 43 44 53 41 20 45 6e | Au=ECDSA En| +| 63 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d |c=RC4(128) Mac=| +| 53 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 |SHA1~.V| +| 79 9d 68 5d 32 50 9a fc 53 e5 69 fa a0 5e 4c f6 |y.h]2P..S.i..^L.| +| 67 |g | +checking mac (len 349, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 7e 0b 56 79 9d 68 5d 32 50 9a fc 53 e5 69 fa a0 |~.Vy.h]2P..S.i..| +| 5e 4c f6 67 |^L.g | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 349, seq = 0, nxtseq = 349 +association_find: TCP port 4483 found 0x3417b00 +dissect_ssl3_record decrypted len 349 +decrypted app data fragment[349]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 32 0d 0a 43 6f 6e 6e 65 63 74 |th: 142..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 43 30 2c 30 78 30 37 20 2d 20 45 43 44 48 45 |xC0,0x07 - ECDHE| +| 2d 45 43 44 53 41 2d 52 43 34 2d 53 48 41 20 20 |-ECDSA-RC4-SHA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| +| 20 20 20 20 20 41 75 3d 45 43 44 53 41 20 45 6e | Au=ECDSA En| +| 63 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d |c=RC4(128) Mac=| +| 53 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 |SHA1 | +dissect_ssl3_record found association 0x3417b00 + +dissect_ssl enter frame #72 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| a1 6f 18 3e ce 3a c6 ae d9 6f 80 2f 9f cd 61 fa |.o.>.:...o./..a.| +| 50 78 2b 3c 85 c1 |Px+<.. | +Plaintext[22]: +| 01 00 72 54 76 f0 64 d9 f5 7b 8f bd 40 f5 a9 2e |..rTv.d..{..@...| +| ad d3 21 d4 f9 14 |..!... | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 72 54 76 f0 64 d9 f5 7b 8f bd 40 f5 a9 2e ad d3 |rTv.d..{..@.....| +| 21 d4 f9 14 |!... | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #74 (first time) + conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| e5 af 1c 1f e0 ec aa cd 42 02 dd fc f9 36 78 e6 |........B....6x.| +| 8e d1 fe 3d f0 48 |...=.H | +Plaintext[22]: +| 01 00 4b 4b 49 51 ed ba 72 1d 18 99 e9 4b 23 e6 |..KKIQ..r....K#.| +| ae 9a 0f 2b b5 ab |...+.. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 4b 4b 49 51 ed ba 72 1d 18 99 e9 4b 23 e6 ae 9a |KKIQ..r....K#...| +| 0f 2b b5 ab |.+.. | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #79 (first time) +ssl_session_init: initializing ptr 0x7fb94d3d2f10 size 688 + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 317, ssl state 0x00 +association_find: TCP port 57651 found (nil) +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 +packet_from_server: is from server - FALSE +ssl_find_private_key server 127.0.0.1:4491 +ssl_find_private_key can't find private key for this server! Try it again with universal port 0 +ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 +ssl_find_private_key can't find any private key! +dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 + +dissect_ssl enter frame #81 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 1230 +dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 66, ssl state 0x11 +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 +dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 +ssl_restore_session master key retrieved +dissect_ssl3_hnd_srv_hello found CIPHER 0xC011 -> state 0x37 +dissect_ssl3_hnd_srv_hello trying to generate keys +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| e7 39 8c df 37 50 e1 0f e7 e1 d5 f7 ba f3 64 6a |.9..7P........dj| +| f4 d2 bc 09 66 46 fe db b7 e1 1b c3 53 38 e1 52 |....fF......S8.R| +| 4f 6b d2 04 93 78 99 09 69 f6 07 7c ea 50 32 02 |Ok...x..i..|.P2.| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6f f5 72 18 16 e7 99 83 fc eb 41 bd 2f a7 36 98 |o.r.......A./.6.| +| bf 06 09 85 5b fe 45 8c 85 8e 60 b9 e3 52 34 c6 |....[.E...`..R4.| +| 6f 71 3a 14 92 79 33 aa 65 11 63 5d de b2 6c a1 |oq:..y3.e.c]..l.| +| 55 13 a6 01 34 59 1d d5 27 e9 e8 5b c1 |U...4Y..'..[. | +hash out[72]: +| af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| +| b5 71 03 e8 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 |.q..i.......[G_.| +| 3f bd 6c b8 52 78 49 1f 00 eb 93 52 01 64 1a a6 |?.l.RxI....R.d..| +| ff 7c 3f 9f 81 61 77 9b 32 49 44 4c 53 28 07 8f |.|?..aw.2IDLS(..| +| 52 5a dd 6e 87 d8 e9 d4 |RZ.n.... | +PRF out[72]: +| af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| +| b5 71 03 e8 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 |.q..i.......[G_.| +| 3f bd 6c b8 52 78 49 1f 00 eb 93 52 01 64 1a a6 |?.l.RxI....R.d..| +| ff 7c 3f 9f 81 61 77 9b 32 49 44 4c 53 28 07 8f |.|?..aw.2IDLS(..| +| 52 5a dd 6e 87 d8 e9 d4 |RZ.n.... | +key expansion[72]: +| af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| +| b5 71 03 e8 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 |.q..i.......[G_.| +| 3f bd 6c b8 52 78 49 1f 00 eb 93 52 01 64 1a a6 |?.l.RxI....R.d..| +| ff 7c 3f 9f 81 61 77 9b 32 49 44 4c 53 28 07 8f |.|?..aw.2IDLS(..| +| 52 5a dd 6e 87 d8 e9 d4 |RZ.n.... | +Client MAC key[20]: +| af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| +| b5 71 03 e8 |.q.. | +Server MAC key[20]: +| 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 3f bd 6c b8 |i.......[G_.?.l.| +| 52 78 49 1f |RxI. | +Client Write key[16]: +| 00 eb 93 52 01 64 1a a6 ff 7c 3f 9f 81 61 77 9b |...R.d...|?..aw.| +Server Write key[16]: +| 32 49 44 4c 53 28 07 8f 52 5a dd 6e 87 d8 e9 d4 |2IDLS(..RZ.n....| +Client Write IV[8]: +| 01 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 14 00 00 00 00 00 00 00 |........ | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 + record: offset = 71, reported_length_remaining = 1159 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 807, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 11 offset 76 length 803 bytes, remaining 883 + record: offset = 883, reported_length_remaining = 347 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 333, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 12 offset 888 length 329 bytes, remaining 1221 + record: offset = 1221, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 4, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 14 offset 1226 length 0 bytes, remaining 1230 + +dissect_ssl enter frame #83 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 122 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 70, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 +trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt +looking for CLIENT_RANDOM 5234c66f713a14927933aa6511635ddeb26ca15513a60134... +looking for RSA pre-master4104d14f1651aa51a05bd5c9d4b3c9f95882a8f671808b91... + checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e035f0cddbb9b4d52bec23d49e58691e0cce1bde6b4ded568c8c82a76 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66ed09828f0597ac302344b0c01622ea095760ec417a104182895f9d8f4 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31bb97a4be4e7eca41 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66e233fc95eee0a92ea667ab411bfcc026162366319ff18f4bbd8be92cb E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66efe0dbbea44df8c5a20597bf215e5802c26d4b524cf1967055a742ec6 E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 + line does not match client random + line does not match + checking keylog line: CLIENT_RANDOM 5234c66f713a14927933aa6511635ddeb26ca15513a60134591dd527e9e85bc1 92CEACE9E21D204EF277392C265FEEE28E0220BE3309B601464AE2FED0C725FC8FD6C9A35C0CCA8091386BFC5FB17FD4 +found master secret in key log +ssl_generate_keyring_material sess key generation +tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) +tls_hash: hash secret[48]: +| 92 ce ac e9 e2 1d 20 4e f2 77 39 2c 26 5f ee e2 |...... N.w9,&_..| +| 8e 02 20 be 33 09 b6 01 46 4a e2 fe d0 c7 25 fc |.. .3...FJ....%.| +| 8f d6 c9 a3 5c 0c ca 80 91 38 6b fc 5f b1 7f d4 |....\....8k._...| +tls_hash: hash seed[77]: +| 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| +| 6f f5 72 18 16 e7 99 83 fc eb 41 bd 2f a7 36 98 |o.r.......A./.6.| +| bf 06 09 85 5b fe 45 8c 85 8e 60 b9 e3 52 34 c6 |....[.E...`..R4.| +| 6f 71 3a 14 92 79 33 aa 65 11 63 5d de b2 6c a1 |oq:..y3.e.c]..l.| +| 55 13 a6 01 34 59 1d d5 27 e9 e8 5b c1 |U...4Y..'..[. | +hash out[72]: +| 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| +| 32 b1 b2 49 dc 61 63 b4 b4 75 6c d3 78 87 27 22 |2..I.ac..ul.x.'"| +| df 87 17 e3 ee db 0c 00 e5 05 89 4e 06 1c 38 18 |...........N..8.| +| 04 1a a8 29 cf 92 f9 cd a2 f1 21 88 9d 01 6c b5 |...)......!...l.| +| 68 46 dc 59 06 24 74 54 |hF.Y.$tT | +PRF out[72]: +| 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| +| 32 b1 b2 49 dc 61 63 b4 b4 75 6c d3 78 87 27 22 |2..I.ac..ul.x.'"| +| df 87 17 e3 ee db 0c 00 e5 05 89 4e 06 1c 38 18 |...........N..8.| +| 04 1a a8 29 cf 92 f9 cd a2 f1 21 88 9d 01 6c b5 |...)......!...l.| +| 68 46 dc 59 06 24 74 54 |hF.Y.$tT | +key expansion[72]: +| 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| +| 32 b1 b2 49 dc 61 63 b4 b4 75 6c d3 78 87 27 22 |2..I.ac..ul.x.'"| +| df 87 17 e3 ee db 0c 00 e5 05 89 4e 06 1c 38 18 |...........N..8.| +| 04 1a a8 29 cf 92 f9 cd a2 f1 21 88 9d 01 6c b5 |...)......!...l.| +| 68 46 dc 59 06 24 74 54 |hF.Y.$tT | +Client MAC key[20]: +| 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| +| 32 b1 b2 49 |2..I | +Server MAC key[20]: +| dc 61 63 b4 b4 75 6c d3 78 87 27 22 df 87 17 e3 |.ac..ul.x.'"....| +| ee db 0c 00 |.... | +Client Write key[16]: +| e5 05 89 4e 06 1c 38 18 04 1a a8 29 cf 92 f9 cd |...N..8....)....| +Server Write key[16]: +| a2 f1 21 88 9d 01 6c b5 68 46 dc 59 06 24 74 54 |..!...l.hF.Y.$tT| +Client Write IV[8]: +| 00 00 00 00 00 00 00 00 |........ | +Server Write IV[8]: +| 40 35 72 03 00 00 00 00 |@5r..... | +ssl_generate_keyring_material ssl_create_decoder(client) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material ssl_create_decoder(server) +ssl_create_decoder CIPHER: ARCFOUR +decoder initialized (digest len 20) +ssl_generate_keyring_material: client seq 0, server seq 0 +ssl_save_session stored session id[0]: +ssl_save_session stored master secret[48]: +| 92 ce ac e9 e2 1d 20 4e f2 77 39 2c 26 5f ee e2 |...... N.w9,&_..| +| 8e 02 20 be 33 09 b6 01 46 4a e2 fe d0 c7 25 fc |.. .3...FJ....%.| +| 8f d6 c9 a3 5c 0c ca 80 91 38 6b fc 5f b1 7f d4 |....\....8k._...| +dissect_ssl3_handshake session keys successfully generated + record: offset = 75, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - FALSE +ssl_change_cipher CLIENT + record: offset = 81, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| 2b 0a f5 42 af d7 15 1d 3f 4c c4 40 71 6f 3a e1 |+..B....?L.@qo:.| +| 09 a1 a3 7d a0 7c 39 35 6c f0 67 9f 5c 8b c4 10 |...}.|95l.g.\...| +| ea 8b 65 2b |..e+ | +Plaintext[36]: +| 14 00 00 0c 36 6b 9b 1f 52 e9 70 b4 16 02 78 03 |....6k..R.p...x.| +| e9 b5 14 e1 69 bb 25 4b 18 94 5d a0 54 e1 b5 00 |....i.%K..].T...| +| f4 0a 67 74 |..gt | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| e9 b5 14 e1 69 bb 25 4b 18 94 5d a0 54 e1 b5 00 |....i.%K..].T...| +| f4 0a 67 74 |..gt | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #84 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 222 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 170, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +decrypt_ssl3_record: no decoder available +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 47 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec +packet_from_server: is from server - TRUE +ssl_change_cipher SERVER + record: offset = 181, reported_length_remaining = 41 +dissect_ssl3_record: content_type 22 Handshake +decrypt_ssl3_record: app_data len 36, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 36 +Ciphertext[36]: +| 9d 19 6f a0 2d 33 42 8e 24 72 94 7f e0 52 05 91 |..o.-3B.$r...R..| +| 9a 19 63 77 56 2d c0 c4 22 ef a2 80 09 d8 93 ab |..cwV-..".......| +| ff 2b dd 04 |.+.. | +Plaintext[36]: +| 14 00 00 0c ed c0 d1 2a 8d 7c 12 be 6b b7 0a 72 |.......*.|..k..r| +| 10 6f 38 97 f8 44 6b d0 c3 cd 92 16 38 a4 f9 06 |.o8..Dk.....8...| +| 40 2e 41 98 |@.A. | +checking mac (len 16, version 303, ct 22 seq 0) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 10 6f 38 97 f8 44 6b d0 c3 cd 92 16 38 a4 f9 06 |.o8..Dk.....8...| +| 40 2e 41 98 |@.A. | +ssl_decrypt_record: mac ok +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #85 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 96 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 91, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 91 +Ciphertext[91]: +| 60 97 53 c5 c4 13 c8 01 99 28 ee ce df 78 25 b3 |`.S......(...x%.| +| e1 da 6f 8b 34 b1 af 21 a0 e6 0a 12 c5 fe b0 13 |..o.4..!........| +| c0 0a c9 de 38 06 a0 8c b4 de a0 4a 96 60 c0 0e |....8......J.`..| +| 95 fc 7b 68 69 07 d2 89 02 bd 96 b2 54 f2 4d c8 |..{hi.......T.M.| +| 98 a1 06 c0 73 6d 0d 89 57 7f 13 4d 42 cd 5c 65 |....sm..W..MB.\e| +| 88 aa 3c cd c1 41 63 90 7b 55 61 |..<..Ac.{Ua | +Plaintext[91]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 63 64 68 65 2d 72 73 61 2d |Host: ecdhe-rsa-| +| 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 6c |rc4-sha.local.al| +| 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a 34 |.lekensteyn.nl:4| +| 34 39 31 0d 0a 0d 0a 8d 37 a3 57 b7 34 8a 87 09 |491.....7.W.4...| +| e2 4e 07 57 7a 18 0b fd ae f4 e2 |.N.Wz...... | +checking mac (len 71, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 8d 37 a3 57 b7 34 8a 87 09 e2 4e 07 57 7a 18 0b |.7.W.4....N.Wz..| +| fd ae f4 e2 |.... | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 71, seq = 0, nxtseq = 71 +association_find: TCP port 57651 found (nil) +association_find: TCP port 4491 found 0x3417f80 +dissect_ssl3_record decrypted len 71 +decrypted app data fragment[71]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 63 64 68 65 2d 72 73 61 2d |Host: ecdhe-rsa-| +| 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 6c |rc4-sha.local.al| +| 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a 34 |.lekensteyn.nl:4| +| 34 39 31 0d 0a 0d 0a |491.... | +dissect_ssl3_record found association 0x3417f80 + +dissect_ssl enter frame #86 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 373 +dissect_ssl3_record: content_type 23 Application Data +decrypt_ssl3_record: app_data len 368, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 368 +Ciphertext[368]: +| 13 e1 d1 ca 3d 4a 7a 4e f3 af 8e f8 d6 e7 ae 83 |....=JzN........| +| 78 a0 75 a2 eb e1 d3 14 63 7c d6 7d f7 16 77 c0 |x.u.....c|.}..w.| +| ab 07 d5 a9 24 15 06 b8 5b ca 60 f2 8a 8e 61 d4 |....$...[.`...a.| +| 2c 2e 02 a9 5f 02 de de 3b be 5f 0b ee 69 72 09 |,..._...;._..ir.| +| 4d 65 99 e4 10 75 10 12 73 c3 c3 18 91 12 ca 03 |Me...u..s.......| +| a9 75 a7 c5 50 7b fd 22 6f ac ed 5b 2e 3d 0d 9b |.u..P{."o..[.=..| +| 05 b1 a8 0f 98 80 39 52 4c 84 f2 18 f3 99 e2 f9 |......9RL.......| +| 8f 58 7f 10 0c 79 5d b2 0d 5f df e5 a4 cb 9a 35 |.X...y].._.....5| +| c4 d8 33 00 f2 dd 30 71 2e 34 41 58 b1 f7 25 2b |..3...0q.4AX..%+| +| e7 3b a5 f4 0e 7b 8c cb 15 cf c8 79 8f d9 bb 6e |.;...{.....y...n| +| 57 86 70 7b 03 c5 1d d2 e7 6e e0 89 26 12 cc 53 |W.p{.....n..&..S| +| e4 f1 10 66 6f 4f 0e 7c 32 a0 72 78 ab 20 a6 59 |...foO.|2.rx. .Y| +| 54 a2 b0 2b e8 ca 10 93 b9 84 6f 62 4d 78 6a d4 |T..+......obMxj.| +| 2a 8d c1 17 b3 de b2 6f ae 52 88 bc 57 4e 20 5d |*......o.R..WN ]| +| e9 04 fd 6d d5 91 46 e0 9c 89 2f f9 d0 21 9d 31 |...m..F.../..!.1| +| 49 1a 69 49 ec 44 50 1f 6b 39 76 4b a1 37 3f c8 |I.iI.DP.k9vK.7?.| +| 88 73 b4 7c 7e ed 01 95 1a a9 87 b9 b4 be 72 d0 |.s.|~.........r.| +| 2e 0d 4d 37 9a ff 2a 02 bb a2 61 6c de db 03 0c |..M7..*...al....| +| 78 ab c7 0b 28 48 ac 44 c3 00 5d 4c a2 a8 e0 e1 |x...(H.D..]L....| +| f3 c0 80 f0 05 e4 24 7e 77 81 a6 77 45 12 9c 75 |......$~w..wE..u| +| cb 81 98 dc d8 19 21 bf 19 92 a3 16 50 0f 12 bc |......!.....P...| +| 26 37 aa e6 f2 40 3a 05 45 45 7a 0e c5 e1 1b c2 |&7...@:.EEz.....| +| df 73 8d 4d 96 c8 fc 2d 0c fb 6a 20 8d 4f 6b 85 |.s.M...-..j .Ok.| +Plaintext[368]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 33 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:23 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 141..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 43 30 2c 30 78 31 31 20 2d 20 45 43 44 48 45 |xC0,0x11 - ECDHE| +| 2d 52 53 41 2d 52 43 34 2d 53 48 41 20 20 20 20 |-RSA-RC4-SHA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| +| 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| +| 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 53 |=RC4(128) Mac=S| +| 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d |HA1.>..| +| 1b 3f 94 3a 68 89 7e 8b cb 4a 9b 76 0f 36 d5 92 |.?.:h.~..J.v.6..| +checking mac (len 348, version 303, ct 23 seq 1) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| 88 3e fc 19 1b 3f 94 3a 68 89 7e 8b cb 4a 9b 76 |.>...?.:h.~..J.v| +| 0f 36 d5 92 |.6.. | +ssl_decrypt_record: mac ok +ssl_add_data_info: new data inserted data_len = 348, seq = 0, nxtseq = 348 +association_find: TCP port 4491 found 0x3417f80 +dissect_ssl3_record decrypted len 348 +decrypted app data fragment[348]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 33 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:23 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 141..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 43 30 2c 30 78 31 31 20 2d 20 45 43 44 48 45 |xC0,0x11 - ECDHE| +| 2d 52 53 41 2d 52 43 34 2d 53 48 41 20 20 20 20 |-RSA-RC4-SHA | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| +| 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| +| 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 53 |=RC4(128) Mac=S| +| 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d |HA1 | +dissect_ssl3_record found association 0x3417f80 + +dissect_ssl enter frame #87 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - TRUE +decrypt_ssl3_record: using server decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| ce 81 38 7e 9d d0 c6 b4 d2 0e a2 0c 0f 8b 04 83 |..8~............| +| 85 36 13 93 de dc |.6.... | +Plaintext[22]: +| 01 00 e3 6f 58 8c c2 2f d8 22 98 40 2a ef 28 86 |...oX../.".@*.(.| +| 32 da 03 7e dc ae |2..~.. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| e3 6f 58 8c c2 2f d8 22 98 40 2a ef 28 86 32 da |.oX../.".@*.(.2.| +| 03 7e dc ae |.~.. | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #89 (first time) + conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 + record: offset = 0, reported_length_remaining = 27 +dissect_ssl3_record: content_type 21 Alert +decrypt_ssl3_record: app_data len 22, ssl state 0x3F +packet_from_server: is from server - FALSE +decrypt_ssl3_record: using client decoder +ssl_decrypt_record ciphertext len 22 +Ciphertext[22]: +| 76 94 99 f9 cc f0 65 88 de a2 85 ef 48 e9 22 a3 |v.....e.....H.".| +| 22 75 50 fb 1c 5a |"uP..Z | +Plaintext[22]: +| 01 00 d7 3f 33 08 b6 93 fb 2e 51 3c 92 9d 60 7b |...?3.....Q<..`{| +| 6c 0c d1 99 43 f4 |l...C. | +checking mac (len 2, version 303, ct 21 seq 2) +tls_check_mac mac type:SHA1 md 2 +Mac[20]: +| d7 3f 33 08 b6 93 fb 2e 51 3c 92 9d 60 7b 6c 0c |.?3.....Q<..`{l.| +| d1 99 43 f4 |..C. | +ssl_decrypt_record: mac ok + +dissect_ssl enter frame #4 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 322 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 + +dissect_ssl enter frame #6 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 1224 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63 + record: offset = 63, reported_length_remaining = 1161 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875 + record: offset = 875, reported_length_remaining = 349 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 12 offset 880 length 331 bytes, remaining 1215 + record: offset = 1215, reported_length_remaining = 9 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 14 offset 1220 length 0 bytes, remaining 1224 + +dissect_ssl enter frame #8 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 118 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 + record: offset = 75, reported_length_remaining = 43 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec + record: offset = 81, reported_length_remaining = 37 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #9 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 218 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 + record: offset = 175, reported_length_remaining = 43 +dissect_ssl3_record: content_type 20 Change Cipher Spec +dissect_ssl3_change_cipher_spec + record: offset = 181, reported_length_remaining = 37 +dissect_ssl3_record: content_type 22 Handshake +dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 + +dissect_ssl enter frame #10 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 86 +dissect_ssl3_record: content_type 23 Application Data +association_find: TCP port 40347 found (nil) +association_find: TCP port 4434 found 0x33e0300 +dissect_ssl3_record decrypted len 65 +decrypted app data fragment[65]: +| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| +| 48 6f 73 74 3a 20 65 78 70 2d 72 63 34 2d 6d 64 |Host: exp-rc4-md| +| 35 2e 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e |5.local.al.leken| +| 73 74 65 79 6e 2e 6e 6c 3a 34 34 33 34 0d 0a 0d |steyn.nl:4434...| +| 0a |. | +dissect_ssl3_record found association 0x33e0300 + +dissect_ssl enter frame #11 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 376 +dissect_ssl3_record: content_type 23 Application Data +association_find: TCP port 4434 found 0x33e0300 +dissect_ssl3_record decrypted len 355 +decrypted app data fragment[355]: +| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| +| 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| +| 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| +| 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| +| 32 36 3a 32 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:21 GMT..Conte| +| 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| +| 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| +| 74 68 3a 20 31 34 38 0d 0a 43 6f 6e 6e 65 63 74 |th: 148..Connect| +| 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| +| 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| +| 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| +| 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| +| 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| +| 78 30 30 2c 30 78 30 33 20 2d 20 45 58 50 2d 52 |x00,0x03 - EXP-R| +| 43 34 2d 4d 44 35 20 20 20 20 20 20 20 20 20 20 |C4-MD5 | +| 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 28 | SSLv3 Kx=RSA(| +| 35 31 32 29 20 41 75 3d 52 53 41 20 20 45 6e 63 |512) Au=RSA Enc| +| 3d 52 43 34 28 34 30 29 20 20 20 4d 61 63 3d 4d |=RC4(40) Mac=M| +| 44 35 20 20 65 78 70 6f 72 74 3c 73 63 72 69 70 |D5 exportdocument.domai| +| 6e 3d 27 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 |n='local.al.leke| +| 6e 73 74 65 79 6e 2e 6e 6c 27 3c 2f 73 63 72 69 |nsteyn.nl' | +dissect_ssl3_record found association 0x33e0300 + +dissect_ssl enter frame #12 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 23 +dissect_ssl3_record: content_type 21 Alert + +dissect_ssl enter frame #14 (already visited) + conversation = 0x7fb97956b088, ssl_session = (nil) + record: offset = 0, reported_length_remaining = 23 +dissect_ssl3_record: content_type 21 Alert -- cgit v1.2.1