Skip to content

Wireshark fails to decrypt QUIC capture if QUIC connection are rotated to quickly

Summary

QUIC transfers can be decrypted by Wireshark if an SSLKEYLOG file is provided. However, if implementations switch QUIC Connection IDs too quickly, this breaks: Wireshark claims that it's not able to decrypt the trace.

There are good reasons to switch connection IDs right after the handshake: The connection IDs negotiated during the handshake don't have stateless reset tokens associated with them. By switching to a connection ID sent in a NEW_CONNECTION_ID frame (which contains a stateless reset token), endpoints can make sure that all 1-RTT packets sent will trigger a stateless reset, should the remote node crash. quic-go therefore immediately switches to a new connection ID after completion of the handshake.

I'm not really sure why this is, but I suspect that this is due to the fact that it doesn't correctly associate the QUIC packets with the connection.

Steps to reproduce

Practically any quic-go - quic-go QUIC transfer exhibits this behavior. Up-to-date key logs, pcaps and qlogs are generated by the QUIC Interop Runner: https://interop.seemann.io/.

The QUIC Interop Runner also proves that the keys exported by quic-go are correct. For example, one can take any transfer between quic-go and neqo, and compare the keys between the two implementations: they match exactly.

What is the current bug behavior?

Wireshark is not able to decrypt 1-RTT packets.

What is the expected correct behavior?

Wireshark should be able to decrypt the trace.

Sample capture file

keys.log.txt

quic-go.pcap

Relevant logs and/or screenshots

image

Build information

Version 4.2.6 (v4.2.6-0-g2acd1a854bab).

Compiled (64-bit) using Clang 14.0.3 (clang-1403.0.22.14.1), with GLib 2.76.6,
with Qt 6.2.4, with libpcap, without POSIX capabilities, with zlib 1.2.11, with
PCRE2, with Lua 5.4.6, with GnuTLS 3.8.4 and PKCS #11 support, with Gcrypt
1.10.2, with Kerberos (MIT), with MaxMind, with nghttp2 1.56.0, with nghttp3
0.15.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.11.5,
with libsmi 0.4.8, with QtMultimedia, with automatic updates using Sparkle, with
Minizip, with binary plugins.

Running on macOS 14.5, build 23F79 (Darwin 23.5.0), with Apple M3 Max, with
65536 MB of physical memory, with GLib 2.76.6, with Qt 6.2.4, with libpcap
1.10.1, with zlib 1.2.12, with PCRE2 10.39 2021-10-29, with c-ares 1.19.1, with
GnuTLS 3.8.4, with Gcrypt 1.10.2, with nghttp2 1.56.0, with nghttp3 0.15.0, with
brotli 1.0.9, with LZ4 1.9.4, with Zstandard 1.5.5, with libsmi 0.4.8, with dark
display mode, with HiDPI, with QPA plugin "cocoa", with LC_TYPE=C, binary
plugins supported.
Edited by Marten Seemann
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information