Fix NSS KeyLog cannot decrypt TLS1.3 traffic. #4767

Status: Open. Wants to merge 2 commits into master.

Conversation

hyunel commented Jun 9, 2025

Checklist:

  • If you are new to Scapy: I have checked CONTRIBUTING.md (esp. section submitting-pull-requests)
  • I squashed commits belonging together
  • I added unit tests or explained why they are not relevant
  • I executed the regression tests (using cd test && ./run_tests or tox)
  • If the PR is still not finished, please create a Draft Pull Request

fixes #3374

guedou (Member) commented Jun 9, 2025

Thanks for this PR. Could you add a unit test? You can have a look at the file tls.uts to check how it is done for TLS 1.2

hyunel (Author) commented Jun 10, 2025

> Thanks for this PR. Could you add a unit test? You can have a look at the file tls.uts to check how it is done for TLS 1.2

Hi guedou,

Thanks for the feedback. I've added the unit test.
However, I noticed an issue: rdpcap fails to decrypt TLS 1.3 traffic, logging:

TLS: record integrity check failed [00:00:00:00:00:00 > 00:00:00:00:00:00 (IPv4)]

This doesn't happen with sniff(offline="/path/to/pcap", session=TCPSession), which works correctly.
I'm not very familiar with this part of the library. Could you please help investigate the cause?

codecov bot commented Jun 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.26%. Comparing base (cbb09c4) to head (bbeb573).
Report is 1 commit behind head on master.

Coverage diff (master vs. #4767):

               master    #4767    +/-
    Coverage   81.26%   81.26%
    Files         363      363
    Lines       88325    88342    +17
    Hits        71773    71791    +18
    Misses      16552    16551     -1

Files with missing lines: scapy/layers/tls/session.py, coverage 86.63% (100.00% of changed lines covered), change -0.41%.

... and 8 files with indirect coverage changes


guedou (Member) commented Jun 10, 2025

Thanks for the update. I think that it is better to keep the TLS1.2 tests in /test/scapy/layers/tls/tls.uts and add the new ones into /test/scapy/layers/tls/tls13.uts. That will ensure that both are tested and working.

Your fix (i.e. using sniff()) is correct, as the error is caused by a TCP segment that is not re-fragmented: the integrity cannot be checked as the complete TLS Record is not processed.
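
The cause guedou describes, as an added illustration that is not part of this PR or of Scapy's code: a TLS record that straddles two TCP segments cannot pass its integrity check until the segments are reassembled, so a per-packet reader (the rdpcap path) sees a truncated fragment while a stream-reassembling reader (the sniff() with TCPSession path) sees the whole record. The record bytes and the split point below are constructed; the body is placeholder data, not real ciphertext.

```python
# Added illustration, not Scapy's code: TLS record framing over TCP segment
# payloads, showing why a record split across segments must be reassembled
# before its AEAD integrity check can succeed.
import struct

TLS_HDR = 5  # content type (1) + legacy version (2) + length (2)
APPLICATION_DATA = 0x17
TLS12_LEGACY_VERSION = 0x0303  # TLS 1.3 records still carry 0x0303 here


def make_record(body, ctype=APPLICATION_DATA):
    """Build one TLS record: 5-byte header followed by the opaque body."""
    return struct.pack("!BHH", ctype, TLS12_LEGACY_VERSION, len(body)) + body


def reassemble_records(segments):
    """Frame complete TLS records from consecutive TCP payloads, buffering
    partial data across segment boundaries (the TCPSession behaviour).
    Returns (records, leftover_bytes)."""
    buf, records = b"", []
    for payload in segments:
        buf += payload
        while len(buf) >= TLS_HDR:
            ctype, version, length = struct.unpack("!BHH", buf[:TLS_HDR])
            if len(buf) < TLS_HDR + length:
                break  # incomplete record: wait for the next segment
            records.append((ctype, version, buf[TLS_HDR:TLS_HDR + length]))
            buf = buf[TLS_HDR + length:]
    return records, buf


def per_segment_complete(segments):
    """Parse each segment in isolation (the per-packet behaviour). Returns one
    bool per segment: True only if the segment carries a whole record."""
    flags = []
    for payload in segments:
        if len(payload) < TLS_HDR:
            flags.append(False)
            continue
        _, _, length = struct.unpack("!BHH", payload[:TLS_HDR])
        flags.append(len(payload) - TLS_HDR == length)
    return flags


# Constructed sample: a 48-byte ciphertext+tag body (placeholder bytes, not a
# real encryption) inside one application_data record, split by TCP at byte 30.
SAMPLE_RECORD = make_record(bytes(range(48)))
SAMPLE_SEGMENTS = [SAMPLE_RECORD[:30], SAMPLE_RECORD[30:]]
```

Neither segment on its own yields a complete record (the second one does not even start with a real header), which is exactly the state in which a per-record integrity check must fail; only the buffered reassembly recovers the full 48-byte body.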
