[Samba] Wireshark LDAP capture vs Diffie-Hellman / pre-master secret - key log file

Jonathan Hunter jmhunter1 at gmail.com
Mon Sep 7 21:06:56 UTC 2020 

Hi,

I am trying to debug a new (to me) printer, that should be able to use
AD (for LDAP / address book lookups as well as authentication).

It's been a while since I needed to dump traffic with wireshark; and
evidently it's got harder since I last tried :)

I have generated a wireshark dump on my DC, to see what the printer is
trying to do, using:
dc1$ sudo tcpdump host myprinter and port ldap -w myprinter.cap

This fills up with data - great. ("159 packets received by filter, 0
packets dropped by kernel")

As per https://wiki.wireshark.org/TLS I tried copying across
/usr/local/samba/private/tls/key.pem to the machine running
Wireshark.. but after enabling the Wireshark TLS dissector debug file
I can see:

ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
ssl_restore_master_key can't find pre-master secret by Unencrypted
pre-master secret
ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key
exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
and cannot be decrypted using a RSA private key file.
ssl_generate_pre_master_secret: can't decrypt pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted
pre-master secret
dissect_ssl3_handshake can't generate pre master secret

The Wireshark documentation talks a lot about a key log file that I
would need to get from Samba (in other apps it's using the
SSLKEYLOGFILE environment variable) - but I can't find any references
or documentation as to how (if at all) I can configure my Samba AD DC
to generate one of these files.

Has anyone had any success with Samba, Wireshark and Diffie-Hellman in
this scenario? From the packet dump I can see that the printer starts
a TLS session but then I can't get further to see what it's doing
next.

(Or - is anyone successfully using a Xerox 7835 and can share tips on
how to configure it / samba? :) )

Cheers,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

More information about the samba mailing list