Wireshark SSL debug log

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0x7fb94d3c6060 size 688
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 322
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 317, ssl state 0x00
association_find: TCP port 40347 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322
packet_from_server: is from server - FALSE
ssl_find_private_key server 127.0.0.1:4434
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 1224
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 58, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt
looking for CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842...
checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8
line does not match client random
line does not match
checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8
found master secret in key log
cannot find master secret in keylog file either
dissect_ssl3_hnd_srv_hello found CIPHER 0x0003 -> state 0x37
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material sess key generation
tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 )
tls_hash: hash secret[48]:
tls_hash: hash seed[77]:
hash out[64]:
PRF out[64]:
key expansion[64]:
ssl_generate_keyring_material PRF(key_c)
tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 )
tls_hash: hash secret[5]:
tls_hash: hash seed[80]:
hash out[32]:
PRF out[32]:
ssl_generate_keyring_material PRF(key_s)
tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 )
tls_hash: hash secret[5]:
tls_hash: hash seed[80]:
hash out[32]:
PRF out[32]:
Client MAC key[16]:
Server MAC key[16]:
Client Write key[16]:
Server Write key[16]:
Client Write IV[8]:
Server Write IV[8]:
ssl_generate_keyring_material ssl_create_decoder(client)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material ssl_create_decoder(server)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material: client seq 0, server seq 0
record: offset = 63, reported_length_remaining = 1161
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 807, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875
record: offset = 875, reported_length_remaining = 349
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 335, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 880 length 331 bytes, remaining 1215
record: offset = 1215, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 1220 length 0 bytes, remaining 1224

dissect_ssl enter frame #8 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 118
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 70, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt
looking for CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842...
looking for RSA pre-master16d2f55f7a48600295b03b793d314964da596512daf0f864...
checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8
line does not match client random
line does not match
checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8
found master secret in key log
ssl_generate_keyring_material sess key generation
tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 )
tls_hash: hash secret[48]:
tls_hash: hash seed[77]:
hash out[64]:
PRF out[64]:
key expansion[64]:
ssl_generate_keyring_material PRF(key_c)
tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 )
tls_hash: hash secret[5]:
tls_hash: hash seed[80]:
hash out[32]:
PRF out[32]:
ssl_generate_keyring_material PRF(key_s)
tls12_prf: tls_hash(hash_alg SHA256 secret_len 5 seed_len 80 )
tls_hash: hash secret[5]:
tls_hash: hash seed[80]:
hash out[32]:
PRF out[32]:
Client MAC key[16]:
Server MAC key[16]:
Client Write key[16]:
Server Write key[16]:
Client Write IV[8]:
Server Write IV[8]:
ssl_generate_keyring_material ssl_create_decoder(client)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material ssl_create_decoder(server)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material: client seq 0, server seq 0
ssl_save_session stored session id[0]:
ssl_save_session stored master secret[48]:
dissect_ssl3_handshake session keys successfully generated
record: offset = 75, reported_length_remaining = 43
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 81, reported_length_remaining = 37
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 32, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 32
Ciphertext[32]:
Plaintext[32]:
checking mac (len 16, version 303, ct 22 seq 0)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok
dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #9 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 218
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 170, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
record: offset = 175, reported_length_remaining = 43
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 181, reported_length_remaining = 37
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 32, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 32
Ciphertext[32]:
Plaintext[32]:
checking mac (len 16, version 303, ct 22 seq 0)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok
dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #10 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 81, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 81
Ciphertext[81]:
ssl_decrypt_record: allocating 113 bytes for decrypt data (old len 32)
Plaintext[81]:
checking mac (len 65, version 303, ct 23 seq 1)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 65, seq = 0, nxtseq = 65
association_find: TCP port 40347 found (nil)
association_find: TCP port 4434 found 0x33e0300
dissect_ssl3_record decrypted len 65
decrypted app data fragment[65]:
dissect_ssl3_record found association 0x33e0300

dissect_ssl enter frame #11 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 376
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 371, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 371
Ciphertext[371]:
ssl_decrypt_record: allocating 403 bytes for decrypt data (old len 113)
Plaintext[371]:
checking mac (len 355, version 303, ct 23 seq 1)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 355, seq = 0, nxtseq = 355
association_find: TCP port 4434 found 0x33e0300
dissect_ssl3_record decrypted len 355
decrypted app data fragment[355]:
dissect_ssl3_record found association 0x33e0300

dissect_ssl enter frame #12 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 23
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 18, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 18
Ciphertext[18]:
Plaintext[18]:
checking mac (len 2, version 303, ct 21 seq 2)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok

dissect_ssl enter frame #14 (first time)
conversation = 0x7fb97956b088, ssl_session = 0x7fb94d3c6060
record: offset = 0, reported_length_remaining = 23
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 18, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 18
Ciphertext[18]:
Plaintext[18]:
checking mac (len 2, version 303, ct 21 seq 2)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok

dissect_ssl enter frame #19 (first time)
ssl_session_init: initializing ptr 0x7fb94d3c8990 size 688
conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990
record: offset = 0, reported_length_remaining = 322
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 317, ssl state 0x00
association_find: TCP port 46377 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322
packet_from_server: is from server - FALSE
ssl_find_private_key server 127.0.0.1:4435
ssl_find_private_key can't find private key for this server! Try it again with universal port 0
ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0
ssl_find_private_key can't find any private key!
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #21 (first time)
conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990
record: offset = 0, reported_length_remaining = 884
dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 58, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session master key retrieved
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x37
dissect_ssl3_hnd_srv_hello trying to generate keys
ssl_generate_keyring_material sess key generation
tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 )
tls_hash: hash secret[48]:
tls_hash: hash seed[77]:
hash out[64]:
PRF out[64]:
key expansion[64]:
Client MAC key[16]:
Server MAC key[16]:
Client Write key[16]:
Server Write key[16]:
Client Write IV[8]:
Server Write IV[8]:
ssl_generate_keyring_material ssl_create_decoder(client)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material ssl_create_decoder(server)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material: client seq 0, server seq 0
record: offset = 63, reported_length_remaining = 821
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 807, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875
record: offset = 875, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 4, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 14 offset 880 length 0 bytes, remaining 884

dissect_ssl enter frame #23 (first time)
conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990
record: offset = 0, reported_length_remaining = 310
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 262, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt
looking for CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8...
looking for RSA pre-master5c7d85e3e032812cad681d5e723f7c6f8dcc01f2a94eeb76...
checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8
line does not match client random
line does not match
checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8
line does not match client random
line does not match
checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC
found master secret in key log
ssl_generate_keyring_material sess key generation
tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 )
tls_hash: hash secret[48]:
tls_hash: hash seed[77]:
hash out[64]:
PRF out[64]:
key expansion[64]:
Client MAC key[16]:
Server MAC key[16]:
Client Write key[16]:
Server Write key[16]:
Client Write IV[8]:
Server Write IV[8]:
ssl_generate_keyring_material ssl_create_decoder(client)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material ssl_create_decoder(server)
ssl_create_decoder CIPHER: ARCFOUR
decoder initialized (digest len 16)
ssl_generate_keyring_material: client seq 0, server seq 0
ssl_save_session stored session id[0]:
ssl_save_session stored master secret[48]:
dissect_ssl3_handshake session keys successfully generated
record: offset = 267, reported_length_remaining = 43
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
record: offset = 273, reported_length_remaining = 37
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 32, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 32
Ciphertext[32]:
Plaintext[32]:
checking mac (len 16, version 303, ct 22 seq 0)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok
dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #24 (first time)
conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990
record: offset = 0, reported_length_remaining = 218
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 170, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175
record: offset = 175, reported_length_remaining = 43
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER
record: offset = 181, reported_length_remaining = 37
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 32, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 32
Ciphertext[32]:
Plaintext[32]:
checking mac (len 16, version 303, ct 22 seq 0)
tls_check_mac mac type:MD5 md 1
Mac[16]:
ssl_decrypt_record: mac ok
dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #25 (first time)
conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990
record: offset = 0, reported_length_remaining = 82
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 77, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record
ciphertext len 77 Ciphertext[77]: | 80 11 09 85 d8 83 32 e1 3e a9 fc 2c 6c 54 e3 04 |......2.>..,lT..| | ed 3e ec 67 32 db c4 98 61 87 84 97 5d a5 c0 10 |.>.g2...a...]...| | 7b a3 6a 5d 1a 3a 10 cb d7 1b 6d ca 84 18 e2 ec |{.j].:....m.....| | 16 45 42 25 cb cf 97 21 4b 17 6c 6c 5a 4c db a2 |.EB%...!K.llZL..| | 5d c5 79 64 8f c5 48 55 6e 8e a6 d0 5b |].yd..HUn...[ | Plaintext[77]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 72 63 34 2d 6d 64 35 2e 6c 6f |Host: rc4-md5.lo| | 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| | 6e 2e 6e 6c 3a 34 34 33 35 0d 0a 0d 0a df 81 bb |n.nl:4435.......| | cf b7 ed 05 96 13 fa 20 77 15 a8 f4 5f |....... w..._ | checking mac (len 61, version 303, ct 23 seq 1) tls_check_mac mac type:MD5 md 1 Mac[16]: | df 81 bb cf b7 ed 05 96 13 fa 20 77 15 a8 f4 5f |.......... w..._| ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 61, seq = 0, nxtseq = 61 association_find: TCP port 46377 found (nil) association_find: TCP port 4435 found 0x340ba90 dissect_ssl3_record decrypted len 61 decrypted app data fragment[61]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 72 63 34 2d 6d 64 35 2e 6c 6f |Host: rc4-md5.lo| | 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| | 6e 2e 6e 6c 3a 34 34 33 35 0d 0a 0d 0a |n.nl:4435.... 
| dissect_ssl3_record found association 0x340ba90 dissect_ssl enter frame #26 (first time) conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 record: offset = 0, reported_length_remaining = 368 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 363, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 363 Ciphertext[363]: | 9d 31 a9 72 6f 31 65 cc e6 0f dd 06 e9 c4 90 46 |.1.ro1e........F| | bf e9 b2 ff 35 5d ad 46 f0 94 78 48 8b 35 c3 b7 |....5].F..xH.5..| | ee 74 62 6c 42 68 91 39 4b 6e e2 18 eb 9b 3b 86 |.tblBh.9Kn....;.| | 08 40 0a 6a 2a 52 68 14 45 9d 2b 68 6c 82 c3 df |.@.j*Rh.E.+hl...| | e2 1e 02 f5 2f 73 4e 2c 01 72 35 7d bd 5c 82 84 |..../sN,.r5}.\..| | c4 9e 8b f2 68 0c df 27 43 1e 3d d8 90 37 a6 0b |....h..'C.=..7..| | 49 65 15 16 de 89 a1 68 be 58 b5 13 8f 8e ea e5 |Ie.....h.X......| | f1 1e bf e5 76 73 f5 f8 a3 98 17 01 ed 26 92 2f |....vs.......&./| | 82 d2 26 57 b0 25 5e f5 80 d0 8b c9 c0 50 a4 f9 |..&W.%^......P..| | 1e a9 a6 fd 68 51 4b 03 31 ca 66 64 6b 99 e4 92 |....hQK.1.fdk...| | 30 5d e0 40 54 53 a9 17 7d 6a 29 03 78 46 0f 54 |0].@TS..}j).xF.T| | e5 da b9 26 09 1b 1f d5 91 d7 c8 27 74 ab 5a d4 |...&.......'t.Z.| | 08 d3 4a 68 fc 66 8c d5 04 17 fc 26 29 d7 f4 e6 |..Jh.f.....&)...| | 8c 36 cc f0 36 4e 58 92 39 2e 7f 02 5c 0e 14 f7 |.6..6NX.9...\...| | 71 36 4a 52 77 66 c5 bf ce 6d b4 ae 1a 6a a4 c3 |q6JRwf...m...j..| | 34 c2 ad e2 e0 b2 bd c4 40 80 2c 75 30 b4 d7 ca |4.......@.,u0...| | e9 43 23 b9 df f8 83 ec 4c 39 0c 57 ca b9 be 93 |.C#.....L9.W....| | a4 72 b8 50 ad 70 e1 0d a8 06 be 5c fb 49 eb 20 |.r.P.p.....\.I. | | 91 8c 13 b4 20 d3 85 be f3 7b ef fa d6 70 fa 7e |.... 
....{...p.~| | 02 55 69 2e a2 48 2c ff 43 95 a8 4e ce 77 04 3f |.Ui..H,.C..N.w.?| | cc 33 58 1a 48 0e 61 09 e2 01 dc ae 0a e2 21 bd |.3X.H.a.......!.| | cd c1 45 41 fa 1d c6 b4 59 54 d7 ea 14 b8 17 e9 |..EA....YT......| | 4e f2 e3 1d 3e df 76 62 76 0d 56 |N...>.vbv.V | Plaintext[363]: | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| | 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| | 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| | 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| | 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| | 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| | 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| | 74 68 3a 20 31 34 30 0d 0a 43 6f 6e 6e 65 63 74 |th: 140..Connect| | 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| | 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| | 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| | 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| | 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| | 78 30 30 2c 30 78 30 34 20 2d 20 52 43 34 2d 4d |x00,0x04 - RC4-M| | 44 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |D5 | | 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | | 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| | 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 4d |=RC4(128) Mac=M| | 44 35 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 |D5K.8.e| | 25 b2 1d 2b 29 2c ec 29 84 d6 e4 |%..+),.)... 
| checking mac (len 347, version 303, ct 23 seq 1) tls_check_mac mac type:MD5 md 1 Mac[16]: | 4b 9b 38 c6 65 25 b2 1d 2b 29 2c ec 29 84 d6 e4 |K.8.e%..+),.)...| ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 347, seq = 0, nxtseq = 347 association_find: TCP port 4435 found 0x340ba90 dissect_ssl3_record decrypted len 347 decrypted app data fragment[347]: | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| | 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| | 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| | 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| | 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| | 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| | 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| | 74 68 3a 20 31 34 30 0d 0a 43 6f 6e 6e 65 63 74 |th: 140..Connect| | 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| | 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| | 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| | 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| | 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| | 78 30 30 2c 30 78 30 34 20 2d 20 52 43 34 2d 4d |x00,0x04 - RC4-M| | 44 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |D5 | | 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | | 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| | 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 4d |=RC4(128) Mac=M| | 44 35 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 |D5 | dissect_ssl3_record found association 0x340ba90 dissect_ssl enter frame #27 (first time) conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 record: offset = 0, reported_length_remaining = 23 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 18, ssl state 0x3F packet_from_server: is from server - TRUE 
decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 18 Ciphertext[18]: | 8b d3 bc 5f 0f 8a 63 dc 48 90 44 36 0c 5f 4a 4b |..._..c.H.D6._JK| | de e7 |.. | Plaintext[18]: | 01 00 eb 37 74 a3 74 7b 97 70 36 84 93 d4 35 8d |...7t.t{.p6...5.| | 48 fa |H. | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:MD5 md 1 Mac[16]: | eb 37 74 a3 74 7b 97 70 36 84 93 d4 35 8d 48 fa |.7t.t{.p6...5.H.| ssl_decrypt_record: mac ok dissect_ssl enter frame #29 (first time) conversation = 0x7fb97956b3d8, ssl_session = 0x7fb94d3c8990 record: offset = 0, reported_length_remaining = 23 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 18, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 18 Ciphertext[18]: | c2 00 b3 23 f2 b1 5c ce 4e 36 34 da 09 d9 db a8 |...#..\.N64.....| | 96 aa |.. | Plaintext[18]: | 01 00 ff 5e c9 f6 a9 91 d0 5d be 8a 25 01 90 f0 |...^.....]..%...| | e0 1e |.. | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:MD5 md 1 Mac[16]: | ff 5e c9 f6 a9 91 d0 5d be 8a 25 01 90 f0 e0 1e |.^.....]..%.....| ssl_decrypt_record: mac ok dissect_ssl enter frame #34 (first time) ssl_session_init: initializing ptr 0x7fb94d3cb310 size 688 conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 322 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 317, ssl state 0x00 association_find: TCP port 52730 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 packet_from_server: is from server - FALSE ssl_find_private_key server 127.0.0.1:4436 ssl_find_private_key can't find private key for this server! 
Try it again with universal port 0 ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 ssl_find_private_key can't find any private key! dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #36 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 884 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 58, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session master key retrieved dissect_ssl3_hnd_srv_hello found CIPHER 0x0005 -> state 0x37 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | 32 58 f4 4e b7 00 be 97 76 40 04 ac 92 33 9c ad |2X.N....v@...3..| | a4 3e 24 15 9e 56 7b 8d 41 69 ad bb c6 48 5f 75 |.>$..V{.Ai...H_u| | 6c 51 f9 52 72 0b 99 fc 81 e1 6f d7 5c a8 86 dc |lQ.Rr.....o.\...| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6e 03 5f 0c dd bb 9b 4d 52 be c2 3d 49 e5 86 91 |n._....MR..=I...| | e0 cc e1 bd e6 b4 de d5 68 c8 c8 2a 76 52 34 c6 |........h..*vR4.| | 6e ee 73 fe a2 1e b7 ef 62 cf 26 4d 20 5d 6f cd |n.s.....b.&M ]o.| | 78 41 f9 49 ad f8 0b c6 c7 03 e4 c2 64 |xA.I........d | hash out[72]: | 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| | 92 a4 b2 4a e4 22 d2 1a 53 22 39 3d 08 18 e6 10 |...J."..S"9=....| | ba 42 47 a2 b6 eb df 73 9a 0a 86 f4 b7 b7 70 a5 |.BG....s......p.| | 50 e5 77 82 fa 0f 72 b9 8a 94 32 33 a1 ca 17 0d 
|P.w...r...23....| | 16 5f 58 ed 13 27 6b 2c |._X..'k, | PRF out[72]: | 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| | 92 a4 b2 4a e4 22 d2 1a 53 22 39 3d 08 18 e6 10 |...J."..S"9=....| | ba 42 47 a2 b6 eb df 73 9a 0a 86 f4 b7 b7 70 a5 |.BG....s......p.| | 50 e5 77 82 fa 0f 72 b9 8a 94 32 33 a1 ca 17 0d |P.w...r...23....| | 16 5f 58 ed 13 27 6b 2c |._X..'k, | key expansion[72]: | 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| | 92 a4 b2 4a e4 22 d2 1a 53 22 39 3d 08 18 e6 10 |...J."..S"9=....| | ba 42 47 a2 b6 eb df 73 9a 0a 86 f4 b7 b7 70 a5 |.BG....s......p.| | 50 e5 77 82 fa 0f 72 b9 8a 94 32 33 a1 ca 17 0d |P.w...r...23....| | 16 5f 58 ed 13 27 6b 2c |._X..'k, | Client MAC key[20]: | 66 30 c5 84 9b 9c aa cf fa ed d5 87 32 b0 86 f8 |f0..........2...| | 92 a4 b2 4a |...J | Server MAC key[20]: | e4 22 d2 1a 53 22 39 3d 08 18 e6 10 ba 42 47 a2 |."..S"9=.....BG.| | b6 eb df 73 |...s | Client Write key[16]: | 9a 0a 86 f4 b7 b7 70 a5 50 e5 77 82 fa 0f 72 b9 |......p.P.w...r.| Server Write key[16]: | 8a 94 32 33 a1 ca 17 0d 16 5f 58 ed 13 27 6b 2c |..23....._X..'k,| Client Write IV[8]: | 01 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 10 00 00 00 00 00 00 00 |........ 
| ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 record: offset = 63, reported_length_remaining = 821 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 807, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875 record: offset = 875, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 880 length 0 bytes, remaining 884 dissect_ssl enter frame #38 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 314 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 262, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267 trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt looking for CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949ad... looking for RSA pre-master81b73b11c7b8f3cdc9b65b236e4d4f630477be9fc85f6b31... 
checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 found master secret in key log ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | 73 72 51 78 33 5f 5d ff 05 25 c6 48 0d c4 a0 ef |srQx3_]..%.H....| | 91 70 69 e4 18 dd 54 16 7a 64 c2 67 d9 3c 5b 64 |.pi...T.zd.g.<[d| | 08 83 a2 c8 0b 60 d4 50 1f 40 e4 42 86 c1 bf 98 |.....`.P.@.B....| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6e 03 5f 0c dd bb 9b 4d 52 be c2 3d 49 e5 86 91 |n._....MR..=I...| | e0 cc e1 bd e6 b4 de d5 68 c8 c8 2a 76 52 34 c6 |........h..*vR4.| | 6e ee 73 fe a2 1e b7 ef 62 cf 26 4d 20 5d 6f cd |n.s.....b.&M ]o.| | 78 41 f9 49 ad f8 0b c6 c7 03 e4 c2 64 |xA.I........d | hash out[72]: | d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f 
be 0d 76 |.Q.0{f.C.(..o..v| | aa 64 01 73 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 |.d.s.mMp... ....| | 15 5a bf ca 6e 9f 2f a9 80 3a 86 f8 5f 45 9c 1c |.Z..n./..:.._E..| | 2c 55 cf d1 9c d3 94 8b fb 82 d7 a2 18 e9 ba 36 |,U.............6| | 28 0b 13 72 96 1b 2e 90 |(..r.... | PRF out[72]: | d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| | aa 64 01 73 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 |.d.s.mMp... ....| | 15 5a bf ca 6e 9f 2f a9 80 3a 86 f8 5f 45 9c 1c |.Z..n./..:.._E..| | 2c 55 cf d1 9c d3 94 8b fb 82 d7 a2 18 e9 ba 36 |,U.............6| | 28 0b 13 72 96 1b 2e 90 |(..r.... | key expansion[72]: | d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| | aa 64 01 73 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 |.d.s.mMp... ....| | 15 5a bf ca 6e 9f 2f a9 80 3a 86 f8 5f 45 9c 1c |.Z..n./..:.._E..| | 2c 55 cf d1 9c d3 94 8b fb 82 d7 a2 18 e9 ba 36 |,U.............6| | 28 0b 13 72 96 1b 2e 90 |(..r.... | Client MAC key[20]: | d4 51 c0 30 7b 66 00 43 ea 28 07 d2 6f be 0d 76 |.Q.0{f.C.(..o..v| | aa 64 01 73 |.d.s | Server MAC key[20]: | 03 6d 4d 70 ad e3 ff 20 9f 04 ef b3 15 5a bf ca |.mMp... .....Z..| | 6e 9f 2f a9 |n./. | Client Write key[16]: | 80 3a 86 f8 5f 45 9c 1c 2c 55 cf d1 9c d3 94 8b |.:.._E..,U......| Server Write key[16]: | fb 82 d7 a2 18 e9 ba 36 28 0b 13 72 96 1b 2e 90 |.......6(..r....| Client Write IV[8]: | 00 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 20 33 72 03 00 00 00 00 | 3r..... 
| ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 ssl_save_session stored session id[0]: ssl_save_session stored master secret[48]: | 73 72 51 78 33 5f 5d ff 05 25 c6 48 0d c4 a0 ef |srQx3_]..%.H....| | 91 70 69 e4 18 dd 54 16 7a 64 c2 67 d9 3c 5b 64 |.pi...T.zd.g.<[d| | 08 83 a2 c8 0b 60 d4 50 1f 40 e4 42 86 c1 bf 98 |.....`.P.@.B....| dissect_ssl3_handshake session keys successfully generated record: offset = 267, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 273, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | 9a 28 45 a2 18 36 ca df 0f 06 cb e1 f8 ac 1f 72 |.(E..6.........r| | 61 fc cd e5 e8 4a 59 be 88 23 ba b9 ce 01 22 4b |a....JY..#...."K| | 26 c2 b7 4b |&..K | Plaintext[36]: | 14 00 00 0c a8 e5 48 ad 86 e9 b3 0a 61 aa 2e f0 |......H.....a...| | 68 8f 93 ca 4c 02 35 40 cc eb de bb 03 cf 4c 53 |h...L.5@......LS| | ff 57 38 58 |.W8X | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 68 8f 93 ca 4c 02 35 40 cc eb de bb 03 cf 4c 53 |h...L.5@......LS| | ff 57 38 58 |.W8X | ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #39 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 222 dissect_ssl3_record: content_type 22 Handshake 
decrypt_ssl3_record: app_data len 170, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 record: offset = 175, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 181, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | ea 17 35 2b f9 58 60 e8 da 99 8e 50 0e 34 8b c3 |..5+.X`....P.4..| | 90 f3 f0 c0 2e 43 29 42 93 d9 15 c6 f8 76 b1 0c |.....C)B.....v..| | 83 62 f3 a3 |.b.. | Plaintext[36]: | 14 00 00 0c 07 14 b5 ea 5b fc 04 34 bf aa bc 8d |........[..4....| | 1a 7d 3a 11 37 05 ae b4 58 98 3d 8a 76 84 70 42 |.}:.7...X.=.v.pB| | 51 3a a0 9e |Q:.. | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 1a 7d 3a 11 37 05 ae b4 58 98 3d 8a 76 84 70 42 |.}:.7...X.=.v.pB| | 51 3a a0 9e |Q:.. 
| ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #40 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 86 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 81, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 81 Ciphertext[81]: | 00 a0 49 01 52 e5 5b d2 dd 5d 2e 50 04 21 e0 60 |..I.R.[..].P.!.`| | e8 36 52 91 2d c6 c0 8a fd 03 fb cf 58 39 f6 e4 |.6R.-.......X9..| | 80 91 d7 8a cc 56 0b 3e 1f bd 05 2e 27 a7 23 a2 |.....V.>....'.#.| | c6 f5 1b 68 45 d4 49 05 e2 8a 6b 21 e5 9a e2 b5 |...hE.I...k!....| | 92 49 f4 9f 1a 6a b5 26 41 85 2d 81 0f 56 a7 fd |.I...j.&A.-..V..| | 50 |P | Plaintext[81]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 72 63 34 2d 73 68 61 2e 6c 6f |Host: rc4-sha.lo| | 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| | 6e 2e 6e 6c 3a 34 34 33 36 0d 0a 0d 0a 5d b3 6a |n.nl:4436....].j| | f8 c1 ad 06 d8 26 c8 30 4d b4 2e cb ea 0d d1 b3 |.....&.0M.......| | 41 |A | checking mac (len 61, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 5d b3 6a f8 c1 ad 06 d8 26 c8 30 4d b4 2e cb ea |].j.....&.0M....| | 0d d1 b3 41 |...A | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 61, seq = 0, nxtseq = 61 association_find: TCP port 52730 found (nil) association_find: TCP port 4436 found 0x34146c0 dissect_ssl3_record decrypted len 61 decrypted app data fragment[61]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 72 63 34 2d 73 68 61 2e 6c 6f |Host: rc4-sha.lo| | 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 |cal.al.lekenstey| | 6e 2e 6e 6c 3a 34 34 33 36 0d 0a 0d 0a |n.nl:4436.... 
| dissect_ssl3_record found association 0x34146c0 dissect_ssl enter frame #41 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 373 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 368, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 368 Ciphertext[368]: | 5d 7a 6a f6 d1 64 34 31 94 c4 2a fd 4c 12 30 51 |]zj..d41..*.L.0Q| | a0 3b 2c fa 77 25 e0 b1 d2 7a 1d e8 69 81 0a bf |.;,.w%...z..i...| | 04 80 32 86 9b a6 81 a4 58 32 39 99 5e 0f 6a a9 |..2.....X29.^.j.| | 8c ce 7f 01 34 72 09 82 98 69 ec f7 b5 e5 4a 36 |....4r...i....J6| | 14 f2 db d3 08 22 2c 76 89 cb ae 2b 42 b3 c7 41 |.....",v...+B..A| | 07 5c 64 5a b4 3c bd df 17 ad 84 cd 4f 31 c9 33 |.\dZ.<......O1.3| | 13 6f 26 3a c0 7d e5 12 91 12 77 f6 1c bf 87 be |.o&:.}....w.....| | 16 6e 4c bb 27 83 63 b9 cb aa b6 99 2e c1 db d6 |.nL.'.c.........| | 96 3d dc cf f1 53 6c b8 c5 36 f3 4d b7 99 47 e4 |.=...Sl..6.M..G.| | 4e 6a bb 3f 90 18 d4 de 2f 83 b5 1d 72 ac bb 1c |Nj.?..../...r...| | 26 7c 0f 94 53 39 45 d4 dc 72 67 24 2f 1c 43 17 |&|..S9E..rg$/.C.| | f5 f8 08 49 7f 6c 6d de 7f ce 67 e7 8d c6 01 fc |...I.lm...g.....| | 0c a7 7b df 11 20 70 d3 2e 90 ed c6 b4 12 43 5b |..{.. 
p.......C[| | 74 8d 9b 56 83 52 c0 b8 22 75 ab a4 12 89 d0 09 |t..V.R.."u......| | a3 5c fc 86 88 31 d6 86 eb 1c 96 36 2d 40 cc ee |.\...1.....6-@..| | 55 f8 4c 46 44 74 7a 6f a3 68 e2 00 2f 7f e8 3e |U.LFDtzo.h../..>| | 9f 67 8a f6 14 b0 f2 08 c7 c5 10 b0 ab af 91 6b |.g.............k| | c5 0a 0a 66 26 32 aa 1a bc 02 34 ee e4 6b 19 3c |...f&2....4..k.<| | 84 b8 d7 7b 8a f7 e2 ec 89 b3 bc 95 95 48 ce 25 |...{.........H.%| | 8d bb 43 11 9c e2 1b b7 fd 2d 13 b5 23 d9 e2 c4 |..C......-..#...| | e3 0f 78 13 98 07 e3 00 41 5b 35 3e 77 24 6b b2 |..x.....A[5>w$k.| | 72 09 68 37 db dc b4 6e c0 3d a3 72 a6 38 3d fc |r.h7...n.=.r.8=.| | 7e 4f 8c e1 9b 35 96 27 17 95 c3 25 e2 64 05 b2 |~O...5.'...%.d..| Plaintext[368]: | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| | 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| | 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| | 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| | 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| | 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| | 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| | 74 68 3a 20 31 34 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 141..Connect| | 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| | 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| | 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| | 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| | 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| | 78 30 30 2c 30 78 30 35 20 2d 20 52 43 34 2d 53 |x00,0x05 - RC4-S| | 48 41 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |HA | | 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | | 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| | 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 53 |=RC4(128) Mac=S| | 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d |HA1.D.3| 
| 48 df 21 8c ac 16 a0 b8 88 17 9e 10 6c 8e 97 a4 |H.!.........l...| checking mac (len 348, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | c8 44 c0 33 48 df 21 8c ac 16 a0 b8 88 17 9e 10 |.D.3H.!.........| | 6c 8e 97 a4 |l... | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 348, seq = 0, nxtseq = 348 association_find: TCP port 4436 found 0x34146c0 dissect_ssl3_record decrypted len 348 decrypted app data fragment[348]: | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| | 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| | 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| | 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| | 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| | 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| | 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| | 74 68 3a 20 31 34 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 141..Connect| | 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| | 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| | 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| | 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| | 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| | 78 30 30 2c 30 78 30 35 20 2d 20 52 43 34 2d 53 |x00,0x05 - RC4-S| | 48 41 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |HA | | 20 20 20 53 53 4c 76 33 20 4b 78 3d 52 53 41 20 | SSLv3 Kx=RSA | | 20 20 20 20 20 41 75 3d 52 53 41 20 20 45 6e 63 | Au=RSA Enc| | 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 3d 53 |=RC4(128) Mac=S| | 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d |HA1 | dissect_ssl3_record found association 0x34146c0 dissect_ssl enter frame #42 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 27 dissect_ssl3_record: content_type 21 Alert 
decrypt_ssl3_record: app_data len 22, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 22 Ciphertext[22]: | 76 a6 49 15 74 b7 6c 75 86 25 b6 68 c9 28 a8 08 |v.I.t.lu.%.h.(..| | 7c 93 8e 21 6e 71 ||..!nq | Plaintext[22]: | 01 00 e1 71 41 33 bd 7d 3a e6 f8 91 96 75 9c 6c |...qA3.}:....u.l| | fe a7 79 43 a9 29 |..yC.) | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:SHA1 md 2 Mac[20]: | e1 71 41 33 bd 7d 3a e6 f8 91 96 75 9c 6c fe a7 |.qA3.}:....u.l..| | 79 43 a9 29 |yC.) | ssl_decrypt_record: mac ok dissect_ssl enter frame #44 (first time) conversation = 0x7fb97956b728, ssl_session = 0x7fb94d3cb310 record: offset = 0, reported_length_remaining = 27 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 22, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 22 Ciphertext[22]: | 85 5f c9 88 56 9b f5 56 9e 2f 7d 1d ba a9 dd 62 |._..V..V./}....b| | 2d 1d f7 3c 38 20 |-..<8 | Plaintext[22]: | 01 00 e1 7f c8 d2 69 cf 40 26 15 f8 cf f2 d3 54 |......i.@&.....T| | c3 1d 4b 22 05 da |..K".. | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:SHA1 md 2 Mac[20]: | e1 7f c8 d2 69 cf 40 26 15 f8 cf f2 d3 54 c3 1d |....i.@&.....T..| | 4b 22 05 da |K".. 
| ssl_decrypt_record: mac ok dissect_ssl enter frame #49 (first time) ssl_session_init: initializing ptr 0x7fb94d3cdcd0 size 688 conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 322 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 317, ssl state 0x00 association_find: TCP port 34339 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 packet_from_server: is from server - FALSE ssl_find_private_key server 127.0.0.1:4479 ssl_find_private_key can't find private key for this server! Try it again with universal port 0 ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 ssl_find_private_key can't find any private key! dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #51 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 565 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 66, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session master key retrieved dissect_ssl3_hnd_srv_hello found CIPHER 0xC002 -> state 0x37 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | 73 72 51 78 33 5f 5d ff 05 25 c6 48 0d c4 a0 ef |srQx3_]..%.H....| | 91 70 69 e4 18 dd 54 16 7a 64 c2 
67 d9 3c 5b 64 |.pi...T.zd.g.<[d| | 08 83 a2 c8 0b 60 d4 50 1f 40 e4 42 86 c1 bf 98 |.....`.P.@.B....| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6e d0 98 28 f0 59 7a c3 02 34 4b 0c 01 62 2e a0 |n..(.Yz..4K..b..| | 95 76 0e c4 17 a1 04 18 28 95 f9 d8 f4 52 34 c6 |.v......(....R4.| | 6e 96 87 63 98 ad 6e cf f1 b3 ff b7 58 71 9b b5 |n..c..n.....Xq..| | 12 58 ea ea 31 bb 97 a4 be 4e 7e ca 41 |.X..1....N~.A | hash out[72]: | 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| | aa 40 26 bf 47 c2 72 62 3b 95 e4 37 ee 96 29 ea |.@&.G.rb;..7..).| | 10 6c fd 76 43 3d 8d 05 21 cc 4a fd 77 80 7a d2 |.l.vC=..!.J.w.z.| | cc 5a aa 90 9d 82 87 37 74 41 8f b8 14 82 38 c1 |.Z.....7tA....8.| | 33 27 cf 58 57 82 01 99 |3'.XW... | PRF out[72]: | 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| | aa 40 26 bf 47 c2 72 62 3b 95 e4 37 ee 96 29 ea |.@&.G.rb;..7..).| | 10 6c fd 76 43 3d 8d 05 21 cc 4a fd 77 80 7a d2 |.l.vC=..!.J.w.z.| | cc 5a aa 90 9d 82 87 37 74 41 8f b8 14 82 38 c1 |.Z.....7tA....8.| | 33 27 cf 58 57 82 01 99 |3'.XW... | key expansion[72]: | 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| | aa 40 26 bf 47 c2 72 62 3b 95 e4 37 ee 96 29 ea |.@&.G.rb;..7..).| | 10 6c fd 76 43 3d 8d 05 21 cc 4a fd 77 80 7a d2 |.l.vC=..!.J.w.z.| | cc 5a aa 90 9d 82 87 37 74 41 8f b8 14 82 38 c1 |.Z.....7tA....8.| | 33 27 cf 58 57 82 01 99 |3'.XW... | Client MAC key[20]: | 4f 1a a6 e9 06 7c 6c 9a 74 e0 05 14 d6 ef d0 a6 |O....|l.t.......| | aa 40 26 bf |.@&. | Server MAC key[20]: | 47 c2 72 62 3b 95 e4 37 ee 96 29 ea 10 6c fd 76 |G.rb;..7..)..l.v| | 43 3d 8d 05 |C=.. | Client Write key[16]: | 21 cc 4a fd 77 80 7a d2 cc 5a aa 90 9d 82 87 37 |!.J.w.z..Z.....7| Server Write key[16]: | 74 41 8f b8 14 82 38 c1 33 27 cf 58 57 82 01 99 |tA....8.3'.XW...| Client Write IV[8]: | 01 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 14 00 00 00 00 00 00 00 |........ 
| ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 record: offset = 71, reported_length_remaining = 494 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 480, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 76 length 476 bytes, remaining 556 record: offset = 556, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 561 length 0 bytes, remaining 565 dissect_ssl enter frame #53 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 154 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 102, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 98 bytes, remaining 107 trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt looking for CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31... looking for RSA pre-master610430861bf4e0270fda641c54975775efa90f1ac7a0b59c... 
checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e035f0cddbb9b4d52bec23d49e58691e0cce1bde6b4ded568c8c82a76 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed09828f0597ac302344b0c01622ea095760ec417a104182895f9d8f4 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31bb97a4be4e7eca41 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 found master secret in key log 
ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | 26 f0 86 78 b7 11 5a 89 88 62 d8 c3 ee 82 7e 1b |&..x..Z..b....~.| | 8a 13 4c 43 f2 18 b1 e5 4e d0 27 69 2f 89 1a 40 |..LC....N.'i/..@| | 5e 53 2d f1 f5 3b df 6e 44 3d 5a d2 33 cd e0 63 |^S-..;.nD=Z.3..c| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6e d0 98 28 f0 59 7a c3 02 34 4b 0c 01 62 2e a0 |n..(.Yz..4K..b..| | 95 76 0e c4 17 a1 04 18 28 95 f9 d8 f4 52 34 c6 |.v......(....R4.| | 6e 96 87 63 98 ad 6e cf f1 b3 ff b7 58 71 9b b5 |n..c..n.....Xq..| | 12 58 ea ea 31 bb 97 a4 be 4e 7e ca 41 |.X..1....N~.A | hash out[72]: | 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| | ba 2d 46 7c 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 |.-F|,...JViQ..B.| | 45 33 f2 5f ee 4c d8 95 32 5c aa 6c b5 70 c5 47 |E3._.L..2\.l.p.G| | 80 ea f3 5b 4f 17 53 24 55 e8 95 1e e2 7c 32 6b |...[O.S$U....|2k| | 59 62 5c 79 64 7f b9 11 |Yb\yd... | PRF out[72]: | 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| | ba 2d 46 7c 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 |.-F|,...JViQ..B.| | 45 33 f2 5f ee 4c d8 95 32 5c aa 6c b5 70 c5 47 |E3._.L..2\.l.p.G| | 80 ea f3 5b 4f 17 53 24 55 e8 95 1e e2 7c 32 6b |...[O.S$U....|2k| | 59 62 5c 79 64 7f b9 11 |Yb\yd... | key expansion[72]: | 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| | ba 2d 46 7c 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 |.-F|,...JViQ..B.| | 45 33 f2 5f ee 4c d8 95 32 5c aa 6c b5 70 c5 47 |E3._.L..2\.l.p.G| | 80 ea f3 5b 4f 17 53 24 55 e8 95 1e e2 7c 32 6b |...[O.S$U....|2k| | 59 62 5c 79 64 7f b9 11 |Yb\yd... | Client MAC key[20]: | 1c 12 55 ac 08 f8 a0 e6 b3 13 24 c2 fa e3 32 08 |..U.......$...2.| | ba 2d 46 7c |.-F| | Server MAC key[20]: | 2c f8 82 a5 4a 56 69 51 85 cd 42 c4 45 33 f2 5f |,...JViQ..B.E3._| | ee 4c d8 95 |.L.. 
| Client Write key[16]: | 32 5c aa 6c b5 70 c5 47 80 ea f3 5b 4f 17 53 24 |2\.l.p.G...[O.S$| Server Write key[16]: | 55 e8 95 1e e2 7c 32 6b 59 62 5c 79 64 7f b9 11 |U....|2kYb\yd...| Client Write IV[8]: | 00 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 40 35 72 03 00 00 00 00 |@5r..... | ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 ssl_save_session stored session id[0]: ssl_save_session stored master secret[48]: | 26 f0 86 78 b7 11 5a 89 88 62 d8 c3 ee 82 7e 1b |&..x..Z..b....~.| | 8a 13 4c 43 f2 18 b1 e5 4e d0 27 69 2f 89 1a 40 |..LC....N.'i/..@| | 5e 53 2d f1 f5 3b df 6e 44 3d 5a d2 33 cd e0 63 |^S-..;.nD=Z.3..c| dissect_ssl3_handshake session keys successfully generated record: offset = 107, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 113, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | a2 fd ba 64 ac e8 7b c0 7a 93 47 74 de 21 a2 93 |...d..{.z.Gt.!..| | c3 cf db 1d d7 cd 9e 4f f8 ca e7 a1 24 53 fc c7 |.......O....$S..| | d1 1f bd e0 |.... | Plaintext[36]: | 14 00 00 0c 18 e1 7d 86 d2 d5 60 d4 2f c4 75 f0 |......}...`./.u.| | 48 8c a4 13 53 8b 44 61 74 28 05 8c ff f4 a2 b1 |H...S.Dat(......| | d6 d2 0f a3 |.... | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 48 8c a4 13 53 8b 44 61 74 28 05 8c ff f4 a2 b1 |H...S.Dat(......| | d6 d2 0f a3 |.... 
| ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #54 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 222 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 170, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 record: offset = 175, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 181, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | 54 39 01 fe 8c ea a6 9e 0f d6 57 cd d0 e1 e8 e3 |T9........W.....| | 5d c4 a1 f3 88 41 5f 84 91 c0 cc 6b 6e 82 7d 92 |]....A_....kn.}.| | 38 24 27 2b |8$'+ | Plaintext[36]: | 14 00 00 0c 41 cd 0b 8c 33 75 d4 e1 2b 4c 86 b3 |....A...3u..+L..| | 05 8b 4f f4 80 aa 34 b0 d2 be 77 15 a9 e4 3f d6 |..O...4...w...?.| | 91 ab d5 44 |...D | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 05 8b 4f f4 80 aa 34 b0 d2 be 77 15 a9 e4 3f d6 |..O...4...w...?.| | 91 ab d5 44 |...D | ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #55 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 97 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 92, ssl state 0x3F packet_from_server: is from server - FALSE 
decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 92 Ciphertext[92]: | a3 d9 60 9b a2 2e 07 ce b1 38 1c e7 50 cc eb f0 |..`......8..P...| | 69 a7 e0 0c 31 e4 2e cc e7 39 d3 fd c4 6a aa ce |i...1....9...j..| | a1 4d 56 44 79 6f bb 92 6e b6 8b d6 c7 b6 87 ae |.MVDyo..n.......| | 3f 52 6c b8 dd 10 17 7d 09 df 8c f3 e6 ee 4a 1a |?Rl....}......J.| | ee d0 95 c1 13 f4 58 9a 05 82 57 34 8e c6 b1 d5 |......X...W4....| | bc 10 ea 01 34 b4 79 6f ea 52 d4 4a |....4.yo.R.J | Plaintext[92]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 65 63 64 68 2d 65 63 64 73 61 |Host: ecdh-ecdsa| | 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 |-rc4-sha.local.a| | 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a |l.lekensteyn.nl:| | 34 34 37 39 0d 0a 0d 0a 71 47 69 bd 1c 52 6e a6 |4479....qGi..Rn.| | 8b 71 98 6f d6 71 57 e7 69 ad 81 1d |.q.o.qW.i... | checking mac (len 72, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 71 47 69 bd 1c 52 6e a6 8b 71 98 6f d6 71 57 e7 |qGi..Rn..q.o.qW.| | 69 ad 81 1d |i... | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 72, seq = 0, nxtseq = 72 association_find: TCP port 34339 found (nil) association_find: TCP port 4479 found 0x34178c0 dissect_ssl3_record decrypted len 72 decrypted app data fragment[72]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 65 63 64 68 2d 65 63 64 73 61 |Host: ecdh-ecdsa| | 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 |-rc4-sha.local.a| | 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a |l.lekensteyn.nl:| | 34 34 37 39 0d 0a 0d 0a |4479.... 
| dissect_ssl3_record found association 0x34178c0 dissect_ssl enter frame #56 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 375 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 370, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 370 Ciphertext[370]: | fd 1a bb 96 0c 4d b9 51 b8 81 45 f8 ad 70 c0 52 |.....M.Q..E..p.R| | 1b 97 df 68 bb d2 fd a7 7e b5 67 b4 be cb 31 da |...h....~.g...1.| | cf 2e 87 dd a2 ca 0a 82 1a 34 ee f6 27 95 86 1d |.........4..'...| | f4 a9 6a 38 c3 c3 1e 70 ba 44 4e 79 dc 5e 4e 50 |..j8...p.DNy.^NP| | 12 f7 c9 93 e6 94 71 87 43 c7 cb ae 76 f6 a4 95 |......q.C...v...| | 7e e1 c1 83 66 41 2b 20 2e b0 32 30 01 89 b3 d4 |~...fA+ ..20....| | 82 ea b2 f3 d8 ac d7 44 8f c3 f2 01 fc 83 82 f5 |.......D........| | 4a a1 fc 39 1d 4b da fd e0 dc 66 0c 1c 8d 0f 6e |J..9.K....f....n| | c4 c8 ed b1 f0 64 c2 49 eb 19 18 2f a1 56 fb b9 |.....d.I.../.V..| | 89 9c de ca 57 ed ee 68 ef 30 07 ba 8a ee 75 1a |....W..h.0....u.| | 96 9a af 36 9b e7 88 b1 3e 2e 47 7c 03 2d e9 67 |...6....>.G|.-.g| | 91 95 ce ac 56 ab c1 81 47 ec e4 97 30 df 1c 94 |....V...G...0...| | 1b 82 84 5d df 34 bc a1 8f 5d 5d 14 15 ac f1 4b |...].4...]]....K| | 03 a9 5f 88 75 e5 e1 d6 2d 30 b7 78 e9 7d 6b db |.._.u...-0.x.}k.| | ce 9b 10 08 2d 3b fb fd c0 06 b5 68 fb b3 2c 0c |....-;.....h..,.| | 5c 13 21 35 5e b9 a5 b6 b1 6e f4 21 29 ad f1 9c |\.!5^....n.!)...| | 88 f2 b2 65 5c 17 fb 48 03 8a 68 37 8f fa aa 15 |...e\..H..h7....| | c5 4e cf f8 f5 b3 fc e0 82 1c 09 de 49 b3 c1 9b |.N..........I...| | fc 29 31 bf 64 34 e4 12 09 0c c4 b7 3f 59 37 8c |.)1.d4......?Y7.| | 4e 37 8c 9e 9a 86 b1 c2 66 65 fd 71 72 0d fd 5e |N7......fe.qr..^| | 77 f6 b1 e3 6f a9 14 ee f2 c1 22 d6 ce 91 c7 c5 |w...o.....".....| | 25 4e 14 d4 89 8f a7 a7 69 b7 f0 21 96 bd 7e 1a |%N......i..!..~.| | 2e e8 71 c0 87 ac 92 80 0e 60 
8b 3a c1 08 06 38 |..q......`.:...8| | a3 03 |.. | Plaintext[370]: | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| | 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| | 2e 34 2e 32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| | 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| | 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| | 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| | 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| | 74 68 3a 20 31 34 33 0d 0a 43 6f 6e 6e 65 63 74 |th: 143..Connect| | 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| | 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| | 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| | 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| | 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| | 78 43 30 2c 30 78 30 32 20 2d 20 45 43 44 48 2d |xC0,0x02 - ECDH-| | 45 43 44 53 41 2d 52 43 34 2d 53 48 41 20 20 20 |ECDSA-RC4-SHA | | 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| | 2f 45 43 44 53 41 20 41 75 3d 45 43 44 48 20 45 |/ECDSA Au=ECDH E| | 6e 63 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 |nc=RC4(128) Mac| | 3d 53 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 |=SHA1..| | 0f 32 78 9b 48 e5 17 5f 71 3e 4e b8 fc 93 5f 76 |.2x.H.._q>N..._v| | 68 66 |hf | checking mac (len 350, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | b3 da 0f 32 78 9b 48 e5 17 5f 71 3e 4e b8 fc 93 |...2x.H.._q>N...| | 5f 76 68 66 |_vhf | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 350, seq = 0, nxtseq = 350 association_find: TCP port 4479 found 0x34178c0 dissect_ssl3_record decrypted len 350 decrypted app data fragment[350]: | 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.| | 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 |.Server: nginx/1| | 2e 34 2e 
32 0d 0a 44 61 74 65 3a 20 53 61 74 2c |.4.2..Date: Sat,| | 20 31 34 20 53 65 70 20 32 30 31 33 20 32 30 3a | 14 Sep 2013 20:| | 32 36 3a 32 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 |26:22 GMT..Conte| | 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht| | 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng| | 74 68 3a 20 31 34 33 0d 0a 43 6f 6e 6e 65 63 74 |th: 143..Connect| | 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 45 78 70 69 |ion: close..Expi| | 72 65 73 3a 20 54 68 75 2c 20 30 31 20 4a 61 6e |res: Thu, 01 Jan| | 20 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 | 1970 00:00:01 G| | 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro| | 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 30 |l: no-cache....0| | 78 43 30 2c 30 78 30 32 20 2d 20 45 43 44 48 2d |xC0,0x02 - ECDH-| | 45 43 44 53 41 2d 52 43 34 2d 53 48 41 20 20 20 |ECDSA-RC4-SHA | | 20 20 20 53 53 4c 76 33 20 4b 78 3d 45 43 44 48 | SSLv3 Kx=ECDH| | 2f 45 43 44 53 41 20 41 75 3d 45 43 44 48 20 45 |/ECDSA Au=ECDH E| | 6e 63 3d 52 43 34 28 31 32 38 29 20 20 4d 61 63 |nc=RC4(128) Mac| | 3d 53 48 41 31 3c 73 63 72 69 70 74 3e 64 6f 63 |=SHA1 | dissect_ssl3_record found association 0x34178c0 dissect_ssl enter frame #57 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 27 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 22, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 22 Ciphertext[22]: | 7b ee 1a 68 c4 f6 a0 50 ef ee ae 08 80 09 f1 3d |{..h...P.......=| | e0 8a 3d db 1e c9 |..=... | Plaintext[22]: | 01 00 61 42 44 21 e6 de a3 49 66 d6 70 0f 90 35 |..aBD!...If.p..5| | ba 4c e3 34 3a f4 |.L.4:. | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 61 42 44 21 e6 de a3 49 66 d6 70 0f 90 35 ba 4c |aBD!...If.p..5.L| | e3 34 3a f4 |.4:. 
| ssl_decrypt_record: mac ok dissect_ssl enter frame #59 (first time) conversation = 0x7fb97956ba78, ssl_session = 0x7fb94d3cdcd0 record: offset = 0, reported_length_remaining = 27 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 22, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 22 Ciphertext[22]: | bb fa eb a9 7a e0 bb b7 37 db 0b c8 6e c7 6b ce |....z...7...n.k.| | 1c 6f 22 6d 4f 0c |.o"mO. | Plaintext[22]: | 01 00 60 48 98 ac be 21 1b d0 f2 89 c5 22 d1 1f |..`H...!....."..| | 11 f1 63 2d a4 e4 |..c-.. | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 60 48 98 ac be 21 1b d0 f2 89 c5 22 d1 1f 11 f1 |`H...!....."....| | 63 2d a4 e4 |c-.. | ssl_decrypt_record: mac ok dissect_ssl enter frame #64 (first time) ssl_session_init: initializing ptr 0x7fb94d3d0600 size 688 conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 322 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 317, ssl state 0x00 association_find: TCP port 42963 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 packet_from_server: is from server - FALSE ssl_find_private_key server 127.0.0.1:4483 ssl_find_private_key can't find private key for this server! Try it again with universal port 0 ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 ssl_find_private_key can't find any private key! 
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #66 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 749 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 66, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session master key retrieved dissect_ssl3_hnd_srv_hello found CIPHER 0xC007 -> state 0x37 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | 26 f0 86 78 b7 11 5a 89 88 62 d8 c3 ee 82 7e 1b |&..x..Z..b....~.| | 8a 13 4c 43 f2 18 b1 e5 4e d0 27 69 2f 89 1a 40 |..LC....N.'i/..@| | 5e 53 2d f1 f5 3b df 6e 44 3d 5a d2 33 cd e0 63 |^S-..;.nD=Z.3..c| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6e 23 3f c9 5e ee 0a 92 ea 66 7a b4 11 bf cc 02 |n#?.^....fz.....| | 61 62 36 63 19 ff 18 f4 bb d8 be 92 cb 52 34 c6 |ab6c.........R4.| | 6e fe 0d bb ea 44 df 8c 5a 20 59 7b f2 15 e5 80 |n....D..Z Y{....| | 2c 26 d4 b5 24 cf 19 67 05 5a 74 2e c6 |,&..$..g.Zt.. | hash out[72]: | f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| | c8 50 4e 2d af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 |.PN-.:p0.....LlX| | a7 ea 2a d1 8c f9 13 75 f2 20 d9 3b 6a c2 8a db |..*....u. .;j...| | c4 53 4b 09 69 80 ec 5c 64 bd 1d be 47 ef 4a 91 |.SK.i..\d...G.J.| | f8 59 2a f7 27 04 e5 bb |.Y*.'... 
| PRF out[72]: | f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| | c8 50 4e 2d af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 |.PN-.:p0.....LlX| | a7 ea 2a d1 8c f9 13 75 f2 20 d9 3b 6a c2 8a db |..*....u. .;j...| | c4 53 4b 09 69 80 ec 5c 64 bd 1d be 47 ef 4a 91 |.SK.i..\d...G.J.| | f8 59 2a f7 27 04 e5 bb |.Y*.'... | key expansion[72]: | f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| | c8 50 4e 2d af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 |.PN-.:p0.....LlX| | a7 ea 2a d1 8c f9 13 75 f2 20 d9 3b 6a c2 8a db |..*....u. .;j...| | c4 53 4b 09 69 80 ec 5c 64 bd 1d be 47 ef 4a 91 |.SK.i..\d...G.J.| | f8 59 2a f7 27 04 e5 bb |.Y*.'... | Client MAC key[20]: | f9 17 f3 4b 5c 20 45 3f 9b a8 0e a1 ee 8e f7 3a |...K\ E?.......:| | c8 50 4e 2d |.PN- | Server MAC key[20]: | af 3a 70 30 dd 17 8e d0 cd 4c 6c 58 a7 ea 2a d1 |.:p0.....LlX..*.| | 8c f9 13 75 |...u | Client Write key[16]: | f2 20 d9 3b 6a c2 8a db c4 53 4b 09 69 80 ec 5c |. .;j....SK.i..\| Server Write key[16]: | 64 bd 1d be 47 ef 4a 91 f8 59 2a f7 27 04 e5 bb |d...G.J..Y*.'...| Client Write IV[8]: | 01 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 14 00 00 00 00 00 00 00 |........ 
| ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 record: offset = 71, reported_length_remaining = 678 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 480, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 76 length 476 bytes, remaining 556 record: offset = 556, reported_length_remaining = 193 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 179, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 12 offset 561 length 175 bytes, remaining 740 record: offset = 740, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 745 length 0 bytes, remaining 749 dissect_ssl enter frame #68 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 122 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 70, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt looking for CLIENT_RANDOM 
5234c66efe0dbbea44df8c5a20597bf215e5802c26d4b524... looking for RSA pre-master4104286ee16f4b6aecb0bb4ee2040e2c93650b01f256d039... checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e035f0cddbb9b4d52bec23d49e58691e0cce1bde6b4ded568c8c82a76 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed09828f0597ac302344b0c01622ea095760ec417a104182895f9d8f4 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31bb97a4be4e7eca41 
26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e233fc95eee0a92ea667ab411bfcc026162366319ff18f4bbd8be92cb E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66efe0dbbea44df8c5a20597bf215e5802c26d4b524cf1967055a742ec6 E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 found master secret in key log ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | e7 39 8c df 37 50 e1 0f e7 e1 d5 f7 ba f3 64 6a |.9..7P........dj| | f4 d2 bc 09 66 46 fe db b7 e1 1b c3 53 38 e1 52 |....fF......S8.R| | 4f 6b d2 04 93 78 99 09 69 f6 07 7c ea 50 32 02 |Ok...x..i..|.P2.| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6e 23 3f c9 5e ee 0a 92 ea 66 7a b4 11 bf cc 02 |n#?.^....fz.....| | 61 62 36 63 19 ff 18 f4 bb d8 be 92 cb 52 34 c6 |ab6c.........R4.| | 6e fe 0d bb ea 44 df 8c 5a 20 59 7b f2 15 e5 80 |n....D..Z Y{....| | 2c 26 d4 b5 24 cf 19 67 05 5a 74 2e c6 |,&..$..g.Zt.. | hash out[72]: | d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| | 81 78 0d 31 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c |.x.1.N....}.;..|| | 06 20 1b 03 11 90 26 1c 94 f5 4b ba ff 1e d4 18 |. ....&...K.....| | c3 4f d5 83 1e 60 f4 9b 84 cc cd 62 b8 b2 7b 6d |.O...`.....b..{m| | 01 3d 5d a2 a1 e7 01 f7 |.=]..... | PRF out[72]: | d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| | 81 78 0d 31 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c |.x.1.N....}.;..|| | 06 20 1b 03 11 90 26 1c 94 f5 4b ba ff 1e d4 18 |. ....&...K.....| | c3 4f d5 83 1e 60 f4 9b 84 cc cd 62 b8 b2 7b 6d |.O...`.....b..{m| | 01 3d 5d a2 a1 e7 01 f7 |.=]..... 
| key expansion[72]: | d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| | 81 78 0d 31 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c |.x.1.N....}.;..|| | 06 20 1b 03 11 90 26 1c 94 f5 4b ba ff 1e d4 18 |. ....&...K.....| | c3 4f d5 83 1e 60 f4 9b 84 cc cd 62 b8 b2 7b 6d |.O...`.....b..{m| | 01 3d 5d a2 a1 e7 01 f7 |.=]..... | Client MAC key[20]: | d0 31 1c f0 05 d2 4b 85 ad 2e 83 d9 c9 03 9b ee |.1....K.........| | 81 78 0d 31 |.x.1 | Server MAC key[20]: | 8f 4e bb c9 15 d5 7d c6 3b e6 e6 7c 06 20 1b 03 |.N....}.;..|. ..| | 11 90 26 1c |..&. | Client Write key[16]: | 94 f5 4b ba ff 1e d4 18 c3 4f d5 83 1e 60 f4 9b |..K......O...`..| Server Write key[16]: | 84 cc cd 62 b8 b2 7b 6d 01 3d 5d a2 a1 e7 01 f7 |...b..{m.=].....| Client Write IV[8]: | 00 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 20 33 72 03 00 00 00 00 | 3r..... | ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 ssl_save_session stored session id[0]: ssl_save_session stored master secret[48]: | e7 39 8c df 37 50 e1 0f e7 e1 d5 f7 ba f3 64 6a |.9..7P........dj| | f4 d2 bc 09 66 46 fe db b7 e1 1b c3 53 38 e1 52 |....fF......S8.R| | 4f 6b d2 04 93 78 99 09 69 f6 07 7c ea 50 32 02 |Ok...x..i..|.P2.| dissect_ssl3_handshake session keys successfully generated record: offset = 75, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 81, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 36 
Ciphertext[36]: | 28 9b be 39 c6 f9 e2 fd e4 9c 80 e1 59 dd f8 d1 |(..9........Y...| | 8f 23 bd b3 d1 de e7 4c 71 ca 5e 5b 93 b3 1c ac |.#.....Lq.^[....| | a2 48 52 78 |.HRx | Plaintext[36]: | 14 00 00 0c c9 21 36 4d 4e fb 81 d2 24 ba f5 89 |.....!6MN...$...| | 51 b4 28 e3 8b 14 c0 56 2f e9 5c fd b4 d4 d3 ef |Q.(....V/.\.....| | 05 f0 d2 15 |.... | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 51 b4 28 e3 8b 14 c0 56 2f e9 5c fd b4 d4 d3 ef |Q.(....V/.\.....| | 05 f0 d2 15 |.... | ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #69 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 222 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 170, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 record: offset = 175, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 181, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | d4 b2 fc 4e 59 af c3 22 aa 44 f2 14 e9 26 1b 2f |...NY..".D...&./| | 9a 30 c2 df d2 0d 39 3c 06 df 1b 29 82 f5 5e 66 |.0....9<...)..^f| | 17 57 1c a4 |.W.. | Plaintext[36]: | 14 00 00 0c 83 32 af 4a 2f 42 9e 42 4c 73 3f 18 |.....2.J/B.BLs?.| | 06 00 31 d2 bf 9c 97 e4 81 33 39 00 7a 9e 13 01 |..1......39.z...| | 49 15 0d 02 |I... 
| checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 06 00 31 d2 bf 9c 97 e4 81 33 39 00 7a 9e 13 01 |..1......39.z...| | 49 15 0d 02 |I... | ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #70 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 98 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 93, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 93 Ciphertext[93]: | b5 b1 bf c0 92 39 5b 70 2b c9 60 79 4b e0 57 c8 |.....9[p+.`yK.W.| | f4 ba 6a 24 44 a5 43 58 bf ce 42 63 78 1a be ab |..j$D.CX..Bcx...| | c4 5a 71 f2 4f 71 63 8c e6 79 fa f1 03 71 f6 a3 |.Zq.Oqc..y...q..| | d2 57 c8 2f 3b 26 be c1 3a ef bb 98 ef 18 4d ae |.W./;&..:.....M.| | b2 e8 6a 4a 3d cc 8a 99 a8 b8 dc d4 a4 3a e9 18 |..jJ=........:..| | e2 25 7e 46 d4 f2 1e 2c 91 bf 00 99 78 |.%~F...,....x | Plaintext[93]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 65 63 64 68 65 2d 65 63 64 73 |Host: ecdhe-ecds| | 61 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e |a-rc4-sha.local.| | 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c |al.lekensteyn.nl| | 3a 34 34 38 33 0d 0a 0d 0a 18 d5 ec e2 1c 3d 66 |:4483.........=f| | 37 80 df 78 d7 62 51 48 aa f9 8b 20 3c |7..x.bQH... < | checking mac (len 73, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 18 d5 ec e2 1c 3d 66 37 80 df 78 d7 62 51 48 aa |.....=f7..x.bQH.| | f9 8b 20 3c |.. 
< | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 73, seq = 0, nxtseq = 73 association_find: TCP port 42963 found (nil) association_find: TCP port 4483 found 0x3417b00 dissect_ssl3_record decrypted len 73 decrypted app data fragment[73]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 65 63 64 68 65 2d 65 63 64 73 |Host: ecdhe-ecds| | 61 2d 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e |a-rc4-sha.local.| | 61 6c 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c |al.lekensteyn.nl| | 3a 34 34 38 33 0d 0a 0d 0a |:4483.... | dissect_ssl3_record found association 0x3417b00
dissect_ssl enter frame #71 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 374 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 369, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 369 Ciphertext[369]: Plaintext[369]: checking mac (len 349, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 7e 0b 56 79 9d 68 5d 32 50 9a fc 53 e5 69 fa a0 |~.Vy.h]2P..S.i..| | 5e 4c f6 67 |^L.g | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 349, seq = 0, nxtseq = 349 association_find: TCP port 4483 found 0x3417b00 dissect_ssl3_record decrypted len 349 decrypted app data fragment[349]: dissect_ssl3_record found association 0x3417b00 dissect_ssl enter frame #72 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 27 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data
len 22, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 22 Ciphertext[22]: | a1 6f 18 3e ce 3a c6 ae d9 6f 80 2f 9f cd 61 fa |.o.>.:...o./..a.| | 50 78 2b 3c 85 c1 |Px+<.. | Plaintext[22]: | 01 00 72 54 76 f0 64 d9 f5 7b 8f bd 40 f5 a9 2e |..rTv.d..{..@...| | ad d3 21 d4 f9 14 |..!... | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 72 54 76 f0 64 d9 f5 7b 8f bd 40 f5 a9 2e ad d3 |rTv.d..{..@.....| | 21 d4 f9 14 |!... | ssl_decrypt_record: mac ok dissect_ssl enter frame #74 (first time) conversation = 0x7fb97956bdd0, ssl_session = 0x7fb94d3d0600 record: offset = 0, reported_length_remaining = 27 dissect_ssl3_record: content_type 21 Alert decrypt_ssl3_record: app_data len 22, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 22 Ciphertext[22]: | e5 af 1c 1f e0 ec aa cd 42 02 dd fc f9 36 78 e6 |........B....6x.| | 8e d1 fe 3d f0 48 |...=.H | Plaintext[22]: | 01 00 4b 4b 49 51 ed ba 72 1d 18 99 e9 4b 23 e6 |..KKIQ..r....K#.| | ae 9a 0f 2b b5 ab |...+.. | checking mac (len 2, version 303, ct 21 seq 2) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 4b 4b 49 51 ed ba 72 1d 18 99 e9 4b 23 e6 ae 9a |KKIQ..r....K#...| | 0f 2b b5 ab |.+.. 
| ssl_decrypt_record: mac ok dissect_ssl enter frame #79 (first time) ssl_session_init: initializing ptr 0x7fb94d3d2f10 size 688 conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 record: offset = 0, reported_length_remaining = 322 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 317, ssl state 0x00 association_find: TCP port 57651 found (nil) packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322 packet_from_server: is from server - FALSE ssl_find_private_key server 127.0.0.1:4491 ssl_find_private_key can't find private key for this server! Try it again with universal port 0 ssl_find_private_key can't find private key for this server (universal port)! Try it again with universal address 0.0.0.0 ssl_find_private_key can't find any private key! dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01 dissect_ssl enter frame #81 (first time) conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 record: offset = 0, reported_length_remaining = 1230 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 66, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 62 bytes, remaining 71 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_restore_session master key retrieved dissect_ssl3_hnd_srv_hello found CIPHER 0xC011 -> state 0x37 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | e7 39 8c df 37 50 e1 0f e7 e1 d5 f7 ba f3 64 6a |.9..7P........dj| | f4 d2 bc 09 66 46 fe db b7 e1 
1b c3 53 38 e1 52 |....fF......S8.R| | 4f 6b d2 04 93 78 99 09 69 f6 07 7c ea 50 32 02 |Ok...x..i..|.P2.| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6f f5 72 18 16 e7 99 83 fc eb 41 bd 2f a7 36 98 |o.r.......A./.6.| | bf 06 09 85 5b fe 45 8c 85 8e 60 b9 e3 52 34 c6 |....[.E...`..R4.| | 6f 71 3a 14 92 79 33 aa 65 11 63 5d de b2 6c a1 |oq:..y3.e.c]..l.| | 55 13 a6 01 34 59 1d d5 27 e9 e8 5b c1 |U...4Y..'..[. | hash out[72]: | af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| | b5 71 03 e8 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 |.q..i.......[G_.| | 3f bd 6c b8 52 78 49 1f 00 eb 93 52 01 64 1a a6 |?.l.RxI....R.d..| | ff 7c 3f 9f 81 61 77 9b 32 49 44 4c 53 28 07 8f |.|?..aw.2IDLS(..| | 52 5a dd 6e 87 d8 e9 d4 |RZ.n.... | PRF out[72]: | af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| | b5 71 03 e8 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 |.q..i.......[G_.| | 3f bd 6c b8 52 78 49 1f 00 eb 93 52 01 64 1a a6 |?.l.RxI....R.d..| | ff 7c 3f 9f 81 61 77 9b 32 49 44 4c 53 28 07 8f |.|?..aw.2IDLS(..| | 52 5a dd 6e 87 d8 e9 d4 |RZ.n.... | key expansion[72]: | af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| | b5 71 03 e8 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 |.q..i.......[G_.| | 3f bd 6c b8 52 78 49 1f 00 eb 93 52 01 64 1a a6 |?.l.RxI....R.d..| | ff 7c 3f 9f 81 61 77 9b 32 49 44 4c 53 28 07 8f |.|?..aw.2IDLS(..| | 52 5a dd 6e 87 d8 e9 d4 |RZ.n.... | Client MAC key[20]: | af 1d f5 51 e1 8b 19 75 6e d4 11 11 77 7a 4a 40 |...Q...un...wzJ@| | b5 71 03 e8 |.q.. | Server MAC key[20]: | 69 f3 c0 19 a5 11 15 8b 5b 47 5f 85 3f bd 6c b8 |i.......[G_.?.l.| | 52 78 49 1f |RxI. | Client Write key[16]: | 00 eb 93 52 01 64 1a a6 ff 7c 3f 9f 81 61 77 9b |...R.d...|?..aw.| Server Write key[16]: | 32 49 44 4c 53 28 07 8f 52 5a dd 6e 87 d8 e9 d4 |2IDLS(..RZ.n....| Client Write IV[8]: | 01 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 14 00 00 00 00 00 00 00 |........ 
| ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 record: offset = 71, reported_length_remaining = 1159 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 807, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 76 length 803 bytes, remaining 883 record: offset = 883, reported_length_remaining = 347 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 333, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 12 offset 888 length 329 bytes, remaining 1221 record: offset = 1221, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 1226 length 0 bytes, remaining 1230 dissect_ssl enter frame #83 (first time) conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 record: offset = 0, reported_length_remaining = 122 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 70, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75 trying to use SSL keylog in /tmp/snif/tls/works/premaster.txt looking for CLIENT_RANDOM 
5234c66f713a14927933aa6511635ddeb26ca15513a60134... looking for RSA pre-master4104d14f1651aa51a05bd5c9d4b3c9f95882a8f671808b91... checking keylog line: CLIENT_RANDOM 5234c66d868de84097daee7e21c41d2e9fe9605f05b0ceaf7eb7958c33423fd5 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66d51c0ad1d27eb8be3ed76efe3209e04bf7d806842d63012058ed50e60 ED6402EABFA651B28A7B44ED8CCE91361D0145CA643F91D8DDD9D1C8EA62C238BA78146FB97798332820CD9F392ACFF8 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e95f5270d00e973709aa0b3dbd52a8023cac55ff8ff18262ab227e698 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed7431ad374c1699d8f911d241070e4afd8fba7c697ae5c8fa12ec184 3258F44EB700BE97764004AC92339CADA43E24159E567B8D4169ADBBC6485F756C51F952720B99FC81E16FD75CA886DC line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66eee73fea21eb7ef62cf264d205d6fcd7841f949adf80bc6c703e4c264 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e035f0cddbb9b4d52bec23d49e58691e0cce1bde6b4ded568c8c82a76 73725178335F5DFF0525C6480DC4A0EF917069E418DD54167A64C267D93C5B640883A2C80B60D4501F40E44286C1BF98 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66ed09828f0597ac302344b0c01622ea095760ec417a104182895f9d8f4 26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e96876398ad6ecff1b3ffb758719bb51258eaea31bb97a4be4e7eca41 
26F08678B7115A898862D8C3EE827E1B8A134C43F218B1E54ED027692F891A405E532DF1F53BDF6E443D5AD233CDE063 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66e233fc95eee0a92ea667ab411bfcc026162366319ff18f4bbd8be92cb E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66efe0dbbea44df8c5a20597bf215e5802c26d4b524cf1967055a742ec6 E7398CDF3750E10FE7E1D5F7BAF3646AF4D2BC096646FEDBB7E11BC35338E1524F6BD2049378990969F6077CEA503202 line does not match client random line does not match checking keylog line: CLIENT_RANDOM 5234c66f713a14927933aa6511635ddeb26ca15513a60134591dd527e9e85bc1 92CEACE9E21D204EF277392C265FEEE28E0220BE3309B601464AE2FED0C725FC8FD6C9A35C0CCA8091386BFC5FB17FD4 found master secret in key log ssl_generate_keyring_material sess key generation tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 ) tls_hash: hash secret[48]: | 92 ce ac e9 e2 1d 20 4e f2 77 39 2c 26 5f ee e2 |...... N.w9,&_..| | 8e 02 20 be 33 09 b6 01 46 4a e2 fe d0 c7 25 fc |.. .3...FJ....%.| | 8f d6 c9 a3 5c 0c ca 80 91 38 6b fc 5f b1 7f d4 |....\....8k._...| tls_hash: hash seed[77]: | 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 52 34 c6 |key expansionR4.| | 6f f5 72 18 16 e7 99 83 fc eb 41 bd 2f a7 36 98 |o.r.......A./.6.| | bf 06 09 85 5b fe 45 8c 85 8e 60 b9 e3 52 34 c6 |....[.E...`..R4.| | 6f 71 3a 14 92 79 33 aa 65 11 63 5d de b2 6c a1 |oq:..y3.e.c]..l.| | 55 13 a6 01 34 59 1d d5 27 e9 e8 5b c1 |U...4Y..'..[. 
| hash out[72]: | 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| | 32 b1 b2 49 dc 61 63 b4 b4 75 6c d3 78 87 27 22 |2..I.ac..ul.x.'"| | df 87 17 e3 ee db 0c 00 e5 05 89 4e 06 1c 38 18 |...........N..8.| | 04 1a a8 29 cf 92 f9 cd a2 f1 21 88 9d 01 6c b5 |...)......!...l.| | 68 46 dc 59 06 24 74 54 |hF.Y.$tT | PRF out[72]: | 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| | 32 b1 b2 49 dc 61 63 b4 b4 75 6c d3 78 87 27 22 |2..I.ac..ul.x.'"| | df 87 17 e3 ee db 0c 00 e5 05 89 4e 06 1c 38 18 |...........N..8.| | 04 1a a8 29 cf 92 f9 cd a2 f1 21 88 9d 01 6c b5 |...)......!...l.| | 68 46 dc 59 06 24 74 54 |hF.Y.$tT | key expansion[72]: | 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| | 32 b1 b2 49 dc 61 63 b4 b4 75 6c d3 78 87 27 22 |2..I.ac..ul.x.'"| | df 87 17 e3 ee db 0c 00 e5 05 89 4e 06 1c 38 18 |...........N..8.| | 04 1a a8 29 cf 92 f9 cd a2 f1 21 88 9d 01 6c b5 |...)......!...l.| | 68 46 dc 59 06 24 74 54 |hF.Y.$tT | Client MAC key[20]: | 83 51 26 4e 2d c4 58 de 68 b8 43 5e 36 0e 70 90 |.Q&N-.X.h.C^6.p.| | 32 b1 b2 49 |2..I | Server MAC key[20]: | dc 61 63 b4 b4 75 6c d3 78 87 27 22 df 87 17 e3 |.ac..ul.x.'"....| | ee db 0c 00 |.... | Client Write key[16]: | e5 05 89 4e 06 1c 38 18 04 1a a8 29 cf 92 f9 cd |...N..8....)....| Server Write key[16]: | a2 f1 21 88 9d 01 6c b5 68 46 dc 59 06 24 74 54 |..!...l.hF.Y.$tT| Client Write IV[8]: | 00 00 00 00 00 00 00 00 |........ | Server Write IV[8]: | 40 35 72 03 00 00 00 00 |@5r..... | ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 20) ssl_generate_keyring_material: client seq 0, server seq 0 ssl_save_session stored session id[0]: ssl_save_session stored master secret[48]: | 92 ce ac e9 e2 1d 20 4e f2 77 39 2c 26 5f ee e2 |...... 
N.w9,&_..| | 8e 02 20 be 33 09 b6 01 46 4a e2 fe d0 c7 25 fc |.. .3...FJ....%.| | 8f d6 c9 a3 5c 0c ca 80 91 38 6b fc 5f b1 7f d4 |....\....8k._...| dissect_ssl3_handshake session keys successfully generated record: offset = 75, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 81, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | 2b 0a f5 42 af d7 15 1d 3f 4c c4 40 71 6f 3a e1 |+..B....?L.@qo:.| | 09 a1 a3 7d a0 7c 39 35 6c f0 67 9f 5c 8b c4 10 |...}.|95l.g.\...| | ea 8b 65 2b |..e+ | Plaintext[36]: | 14 00 00 0c 36 6b 9b 1f 52 e9 70 b4 16 02 78 03 |....6k..R.p...x.| | e9 b5 14 e1 69 bb 25 4b 18 94 5d a0 54 e1 b5 00 |....i.%K..].T...| | f4 0a 67 74 |..gt | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | e9 b5 14 e1 69 bb 25 4b 18 94 5d a0 54 e1 b5 00 |....i.%K..].T...| | f4 0a 67 74 |..gt | ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #84 (first time) conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 record: offset = 0, reported_length_remaining = 222 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 170, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166 bytes, remaining 175 record: offset = 175, reported_length_remaining = 47 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher 
SERVER record: offset = 181, reported_length_remaining = 41 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 36, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 36 Ciphertext[36]: | 9d 19 6f a0 2d 33 42 8e 24 72 94 7f e0 52 05 91 |..o.-3B.$r...R..| | 9a 19 63 77 56 2d c0 c4 22 ef a2 80 09 d8 93 ab |..cwV-..".......| | ff 2b dd 04 |.+.. | Plaintext[36]: | 14 00 00 0c ed c0 d1 2a 8d 7c 12 be 6b b7 0a 72 |.......*.|..k..r| | 10 6f 38 97 f8 44 6b d0 c3 cd 92 16 38 a4 f9 06 |.o8..Dk.....8...| | 40 2e 41 98 |@.A. | checking mac (len 16, version 303, ct 22 seq 0) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 10 6f 38 97 f8 44 6b d0 c3 cd 92 16 38 a4 f9 06 |.o8..Dk.....8...| | 40 2e 41 98 |@.A. | ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 dissect_ssl enter frame #85 (first time) conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 record: offset = 0, reported_length_remaining = 96 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 91, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 91 Ciphertext[91]: | 60 97 53 c5 c4 13 c8 01 99 28 ee ce df 78 25 b3 |`.S......(...x%.| | e1 da 6f 8b 34 b1 af 21 a0 e6 0a 12 c5 fe b0 13 |..o.4..!........| | c0 0a c9 de 38 06 a0 8c b4 de a0 4a 96 60 c0 0e |....8......J.`..| | 95 fc 7b 68 69 07 d2 89 02 bd 96 b2 54 f2 4d c8 |..{hi.......T.M.| | 98 a1 06 c0 73 6d 0d 89 57 7f 13 4d 42 cd 5c 65 |....sm..W..MB.\e| | 88 aa 3c cd c1 41 63 90 7b 55 61 |..<..Ac.{Ua | Plaintext[91]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 65 63 64 68 65 2d 72 73 61 2d |Host: ecdhe-rsa-| | 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 6c |rc4-sha.local.al| | 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a 34 
|.lekensteyn.nl:4| | 34 39 31 0d 0a 0d 0a 8d 37 a3 57 b7 34 8a 87 09 |491.....7.W.4...| | e2 4e 07 57 7a 18 0b fd ae f4 e2 |.N.Wz...... | checking mac (len 71, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 8d 37 a3 57 b7 34 8a 87 09 e2 4e 07 57 7a 18 0b |.7.W.4....N.Wz..| | fd ae f4 e2 |.... | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 71, seq = 0, nxtseq = 71 association_find: TCP port 57651 found (nil) association_find: TCP port 4491 found 0x3417f80 dissect_ssl3_record decrypted len 71 decrypted app data fragment[71]: | 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..| | 48 6f 73 74 3a 20 65 63 64 68 65 2d 72 73 61 2d |Host: ecdhe-rsa-| | 72 63 34 2d 73 68 61 2e 6c 6f 63 61 6c 2e 61 6c |rc4-sha.local.al| | 2e 6c 65 6b 65 6e 73 74 65 79 6e 2e 6e 6c 3a 34 |.lekensteyn.nl:4| | 34 39 31 0d 0a 0d 0a |491.... | dissect_ssl3_record found association 0x3417f80
dissect_ssl enter frame #86 (first time) conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10 record: offset = 0, reported_length_remaining = 373 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 368, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 368 Ciphertext[368]: Plaintext[368]: checking mac (len 348, version 303, ct 23 seq 1) tls_check_mac mac type:SHA1 md 2 Mac[20]: | 88 3e fc 19 1b 3f 94 3a 68 89 7e 8b cb 4a 9b 76 |.>...?.:h.~..J.v| | 0f 36 d5 92 |.6.. | ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 348, seq = 0, nxtseq = 348 association_find: TCP port 4491 found 0x3417f80 dissect_ssl3_record decrypted len 348 decrypted app data fragment[348]:
dissect_ssl3_record found association 0x3417f80
dissect_ssl enter frame #87 (first time)
conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10
record: offset = 0, reported_length_remaining = 27
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 22, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 22
Ciphertext[22]:
| ce 81 38 7e 9d d0 c6 b4 d2 0e a2 0c 0f 8b 04 83 |..8~............|
| 85 36 13 93 de dc |.6.... |
Plaintext[22]:
| 01 00 e3 6f 58 8c c2 2f d8 22 98 40 2a ef 28 86 |...oX../.".@*.(.|
| 32 da 03 7e dc ae |2..~.. |
checking mac (len 2, version 303, ct 21 seq 2)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
| e3 6f 58 8c c2 2f d8 22 98 40 2a ef 28 86 32 da |.oX../.".@*.(.2.|
| 03 7e dc ae |.~.. |
ssl_decrypt_record: mac ok
dissect_ssl enter frame #89 (first time)
conversation = 0x7fb97956c128, ssl_session = 0x7fb94d3d2f10
record: offset = 0, reported_length_remaining = 27
dissect_ssl3_record: content_type 21 Alert
decrypt_ssl3_record: app_data len 22, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 22
Ciphertext[22]:
| 76 94 99 f9 cc f0 65 88 de a2 85 ef 48 e9 22 a3 |v.....e.....H.".|
| 22 75 50 fb 1c 5a |"uP..Z |
Plaintext[22]:
| 01 00 d7 3f 33 08 b6 93 fb 2e 51 3c 92 9d 60 7b |...?3.....Q<..`{|
| 6c 0c d1 99 43 f4 |l...C. |
checking mac (len 2, version 303, ct 21 seq 2)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
| d7 3f 33 08 b6 93 fb 2e 51 3c 92 9d 60 7b 6c 0c |.?3.....Q<..`{l.|
| d1 99 43 f4 |..C. |
ssl_decrypt_record: mac ok
dissect_ssl enter frame #4 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 322
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 313 bytes, remaining 322
dissect_ssl enter frame #6 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 1224
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 54 bytes, remaining 63
record: offset = 63, reported_length_remaining = 1161
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 11 offset 68 length 803 bytes, remaining 875
record: offset = 875, reported_length_remaining = 349
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 12 offset 880 length 331 bytes, remaining 1215
record: offset = 1215, reported_length_remaining = 9
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 14 offset 1220 length 0 bytes, remaining 1224
dissect_ssl enter frame #8 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 118
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 16 offset 5 length 66 bytes, remaining 75
record: offset = 75, reported_length_remaining = 43
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
record: offset = 81, reported_length_remaining = 37
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16
dissect_ssl enter frame #9 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 218
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 4 offset 5 length 166
bytes, remaining 175
record: offset = 175, reported_length_remaining = 43
dissect_ssl3_record: content_type 20 Change Cipher Spec
dissect_ssl3_change_cipher_spec
record: offset = 181, reported_length_remaining = 37
dissect_ssl3_record: content_type 22 Handshake
dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16
dissect_ssl enter frame #10 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 40347 found (nil)
association_find: TCP port 4434 found 0x33e0300
dissect_ssl3_record decrypted len 65
decrypted app data fragment[65]:
| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..|
| 48 6f 73 74 3a 20 65 78 70 2d 72 63 34 2d 6d 64 |Host: exp-rc4-md|
| 35 2e 6c 6f 63 61 6c 2e 61 6c 2e 6c 65 6b 65 6e |5.local.al.leken|
| 73 74 65 79 6e 2e 6e 6c 3a 34 34 33 34 0d 0a 0d |steyn.nl:4434...|
| 0a |. |
dissect_ssl3_record found association 0x33e0300
dissect_ssl enter frame #11 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 376
dissect_ssl3_record: content_type 23 Application Data
association_find: TCP port 4434 found 0x33e0300
dissect_ssl3_record decrypted len 355
decrypted app data fragment[355]:
dissect_ssl3_record found association 0x33e0300
dissect_ssl enter frame #12 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 23
dissect_ssl3_record: content_type 21 Alert
dissect_ssl enter frame #14 (already visited)
conversation = 0x7fb97956b088, ssl_session = (nil)
record: offset = 0, reported_length_remaining = 23
dissect_ssl3_record: content_type 21 Alert