Skip to content

Fix NSS KeyLog cannot decrypt TLS1.3 traffic. #4767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix NSS KeyLog cannot decrypt TLS1.3 traffic. #4767

wants to merge 2 commits into from

Conversation

hyunel
Copy link

@hyunel hyunel commented Jun 9, 2025
edited
Loading

Checklist:

  • If you are new to Scapy: I have checked CONTRIBUTING.md (esp. section submitting-pull-requests)
  • I squashed commits belonging together
  • I added unit tests or explained why they are not relevant
  • I executed the regression tests (using cd test && ./run_tests or tox)
  • If the PR is still not finished, please create a Draft Pull Request

fixes #3374

@hyunel hyunel force-pushed the master branch 2 times, most recently from d2f40aa to 998bdc1 Compare June 9, 2025 07:50
@guedou
Copy link
Member

guedou commented Jun 9, 2025

Thanks for this PR. Could you add a unit test? You can have a look at the file tls.uts to check how it is done for TLS 1.2

@hyunel
Copy link
Author

hyunel commented Jun 10, 2025

Thanks for this PR. Could you add a unit test? You can have a look at the file tls.uts to check how it is done for TLS 1.2

Hi guedou,

Thanks for the feedback. I've added the unit test.
However, I noticed an issue: rdpcap fails to decrypt TLS 1.3 traffic, logging:

TLS: record integrity check failed [00:00:00:00:00:00 > 00:00:00:00:00:00 (IPv4)]

This doesn't happen with sniff(offline="/path/to/pcap", session=TCPSession), which works correctly.
I'm not very familiar with this part of the library. Could you please help investigate the cause?

@codecov Codecov
Copy link

codecov bot commented Jun 10, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.02%. Comparing base (cbb09c4) to head (6b94114).
Report is 20 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4767      +/-   ##
==========================================
- Coverage   81.26%   81.02%   -0.24%     
==========================================
  Files         363      365       +2     
  Lines       88325    89068     +743     
==========================================
+ Hits        71773    72167     +394     
- Misses      16552    16901     +349
Files with missing lines Coverage Δ
scapy/layers/tls/session.py 86.77% <100.00%> (-0.27%) ⬇️

... and 46 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@guedou
Copy link
Member

guedou commented Jun 10, 2025

Thanks for the update. I think that it is better to keep the TLS1.2 tests in /test/scapy/layers/tls/tls.uts and add the new ones into /test/scapy/layers/tls/tls13.uts That will ensure that both are tested and working.

Your fix (i.e. using sniff()) is correct, as the error is caused by a TCP segment that is not re-fragmented: the integrity cannot be checked as the complete TLS Record is not processed.

gpotter2
gpotter2 previously approved these changes Jul 11, 2025
View reviewed changes
@guedou
Copy link
Member

guedou commented Jul 12, 2025

@hyunel can you fix the linting errors?
The lines that you added in scapy/layers/tls/session.py are too long.

guedou
guedou reviewed Jul 12, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guedou guedou guedou left review comments

@gpotter2 gpotter2 gpotter2 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hyunel @guedou @gpotter2