TLS 1.2: Decryption failure with a Session Ticket
os12 opened this issue
Oleg Smolsky commented
Overview
Just found an issue with TLS 1.2 Session Tickets. Consider the following:
```
1 1  0.0180 (0.0180)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        .....
        compression methods
                  NULL
        extensions
          server_name
            host_name: www.googleapis.com
          status_request
          supported_groups
            supported group x25519
            supported group secp256r1
            supported group secp384r1
          ec_point_formats
            ec point format uncompressed
          signature_algorithms
          session_ticket
          extended_master_secret
          renegotiation_info
1 2  0.0540 (0.0360)  S>C  Handshake
      ServerHello
        Version 3.3
        session_id[0]=
        cipherSuite         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        compressionMethod                   NULL
        extensions
          extended_master_secret
          renegotiation_info
          ec_point_formats
1 3  0.0540 (0.0000)  S>C  ChangeCipherSpec
1 4  0.0540 (0.0000)  S>C  Handshake
1 5  0.0550 (0.0010)  C>S  ChangeCipherSpec
1 6  0.0550 (0.0000)  C>S  Handshake
1 7  0.0710 (0.0160)  C>S  application_data
```
Analysis
Wireshark is able to decrypt this TLS 1.2 traffic with the previously captured secret (it's a CLIENT_RANDOM record, of course).
The issue with ssldump is that `ssl_process_client_key_exchange()` never runs because there is no "client key exchange" method.
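A worked illustration of the point made in the analysis, added here as an example and not code from ssldump, Wireshark or the issue author. It models a resumed TLS 1.2 handshake like the one in the trace (ServerHello followed directly by the server's ChangeCipherSpec, so no Certificate, ServerKeyExchange or ClientKeyExchange ever appears), parses a CLIENT_RANDOM key-log entry, and runs the RFC 5246 key expansion for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 from the logged master secret. A decoder that expands keys as soon as both randoms are known decrypts both handshake shapes; one that only expands keys inside its ClientKeyExchange handler never produces keys for the resumed session. The randoms, master secret, key-log text and message flights are constructed for the example, and the function names are the example's own. Because the key log supplies the master secret directly, the extended_master_secret extension seen in the trace changes nothing below: it alters how the master secret is computed from the premaster, not how traffic keys are expanded from it.

```python
"""Added example: key-log driven TLS 1.2 key expansion for a session-ticket resumption.
Not ssldump's or Wireshark's code; all inputs below are constructed."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# A record as a passive decoder sees it: (direction, message). Constructed after the
# handshake quoted in the issue: the server answers ServerHello with its ChangeCipherSpec.
Record = Tuple[str, str]

RESUMED_FLIGHT: List[Record] = [
    ("C>S", "ClientHello"),        # carries a session_ticket extension
    ("S>C", "ServerHello"),
    ("S>C", "ChangeCipherSpec"),   # no Certificate / ServerKeyExchange / ServerHelloDone
    ("S>C", "Finished"),
    ("C>S", "ChangeCipherSpec"),   # and no ClientKeyExchange from the client either
    ("C>S", "Finished"),
    ("C>S", "application_data"),
]

FULL_FLIGHT: List[Record] = [
    ("C>S", "ClientHello"),
    ("S>C", "ServerHello"),
    ("S>C", "Certificate"),
    ("S>C", "ServerKeyExchange"),
    ("S>C", "ServerHelloDone"),
    ("C>S", "ClientKeyExchange"),
    ("C>S", "ChangeCipherSpec"),
    ("C>S", "Finished"),
    ("S>C", "ChangeCipherSpec"),
    ("S>C", "Finished"),
]

# Constructed values: two 32-byte randoms and a 48-byte master secret, the shape a
# CLIENT_RANDOM line in an SSLKEYLOGFILE records.
CLIENT_RANDOM = bytes(range(0x10, 0x30))
SERVER_RANDOM = bytes(range(0x40, 0x60))
MASTER_SECRET = bytes(range(0x80, 0xB0))
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, constructed for this example\n"
    f"CLIENT_RANDOM {CLIENT_RANDOM.hex()} {MASTER_SECRET.hex()}\n"
)


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 PRF, P_SHA256 for a *_SHA256 suite: HMAC chain A(i) plus output."""
    full_seed = label + seed
    out = b""
    a = full_seed                                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()               # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return out[:length]


def parse_keylog(text: str) -> Dict[bytes, bytes]:
    """Map client_random -> master_secret from the CLIENT_RANDOM lines of a key log."""
    table: Dict[bytes, bytes] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            table[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return table


def derive_aes128gcm_keys(master: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """RFC 5246 section 6.3 key expansion for an AEAD suite: no MAC keys, 16-byte keys,
    4-byte implicit nonces. Note the seed order is server_random + client_random."""
    key_block = tls12_prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": key_block[0:16],
        "server_write_key": key_block[16:32],
        "client_write_iv": key_block[32:36],
        "server_write_iv": key_block[36:40],
    }


def is_abbreviated_handshake(flight: List[Record]) -> bool:
    """Resumption: the server's first record after ServerHello is ChangeCipherSpec,
    so a ClientKeyExchange will never arrive on this connection."""
    server_msgs = [msg for direction, msg in flight if direction == "S>C"]
    if "ServerHello" not in server_msgs:
        return False
    nxt = server_msgs.index("ServerHello") + 1
    return nxt < len(server_msgs) and server_msgs[nxt] == "ChangeCipherSpec"


def derive_session_keys(flight: List[Record], keylog: str, client_random: bytes,
                        server_random: bytes, trigger: str) -> Optional[Dict[str, bytes]]:
    """Expand keys only once handshake message `trigger` has been seen.
    trigger="ServerHello": both randoms are known, so the CLIENT_RANDOM lookup can run;
    works for full and resumed handshakes alike.
    trigger="ClientKeyExchange": the hook the issue describes; it never fires on resumption."""
    if not any(msg == trigger for _, msg in flight):
        return None
    master = parse_keylog(keylog).get(client_random)
    if master is None:
        return None
    return derive_aes128gcm_keys(master, client_random, server_random)


if __name__ == "__main__":
    for name, flight in (("resumed", RESUMED_FLIGHT), ("full", FULL_FLIGHT)):
        print(f"{name}: abbreviated={is_abbreviated_handshake(flight)}")
        for trigger in ("ServerHello", "ClientKeyExchange"):
            keys = derive_session_keys(flight, SAMPLE_KEYLOG, CLIENT_RANDOM, SERVER_RANDOM, trigger)
            print(f"  trigger={trigger:18s} -> {'keys derived' if keys else 'NO KEYS'}")
```

The practical check when a key-log-equipped decoder fails on one connection but not another: look at whether the server's ChangeCipherSpec directly follows ServerHello. If it does, the session was resumed and any decoder whose key derivation is reachable only from the ClientKeyExchange path will stay in the clear-text state for the whole connection, exactly as the trace above shows.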