EXCEPTION: Error: Couldn't Select TLS or SSL based on Version Info

Aug 21, 2013 at 8:12 AM
Hi there,

I've been trying to use NmDecrypt to troubleshoot some issues with our new Lync 2013 install - unfortunately the NmDecrypt Expert keeps failing with the error:

EXCEPTION: Error: Couldn't Select TLS or SSL based on Version Info

Enclosed is the entire log file, which is particularly short and terse. The only real issue I can see with it is the warning about the version of parsers which I have installed currently being a later version than the ones which NmDecrypt is expecting. I'm not sure how to roll these back to an earlier version in case this is the real problem.
-.-.-.-.-.-.- SSL Decryption Log -.-.-.-.-.-.-

Log Created On: 21/08/2013 08:04:00

NMDecrypt Version: 2.3.4.0
NMAPIs Initialized.
Initializing Netmon Parsers...
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\64BAA24A-0AAD-44e6-9846-3BE43D698FF6\sparser.npb.
Netmon Parsers initialized successfully.
Adding SSLVersionSelector Display Filter...
Display Filter added successfully
Adding Conversation.TCP.Id == 78 Conversation Filter...
Conversation Filter, Conversation.TCP.Id == 78 added successfully
SSL Version Filter added successfully
Adding Conversation.TCP.Id == 78 Conversation Filter...
Eval Parser Conversation Filter, Conversation.TCP.Id == 78 added successfully
This Netmon Version is supported
****Warning***: We've tested with version: 03.04.2748.0001.  Your version is: 03.04.2978.0001 0000. This might cause problems if the TLS/SSL parsers have changed significantly.
Opening Encrypted Capture File: \\eurfiler6home.fm.rbsgrp.net\ChildbA\MyGEOSProfile\FDR\MyDocuments\Network Monitor 3\Captures\Lync2013_02.cap
Creating Decrypted Capture File: \\eurfiler6home.fm.rbsgrp.net\ChildbA\MyGEOSProfile\FDR\MyDocuments\Network Monitor 3\Captures\Lync2013_02_Decrypt.cap
Proposing Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData
EXCEPTION: Error: Couldn't Select TLS or SSL based on Version Info
Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.
This SSL version is not supported.

-.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-
Any tips on what to try next are gratefully received!
Nov 18, 2013 at 4:11 PM
Sorry I didn't see this earlier. Do you know what version of TLS you are trying to decrypt? We only support up to TLS 1.1, so perhaps that's the issue?

Thanks,

Paul
Nov 26, 2013 at 10:19 AM
Hi Paul and GodEaster,

I have the same problem, I think.
Using:
  • Network monitor 3.4.2350.0
  • Parser profile Default version 03.04.2748.01
  • NMDecrypt 2.3.4
The Lync 2013 TCP stream has been configured to use TLS 1.1 and not the default TLS 1.2.

My log file with no warnings:
-.-.-.-.-.-.- SSL Decryption Log -.-.-.-.-.-.-

Log Created On: 26-11-2013 11:14:23

NMDecrypt Version: 2.3.4.0
NMAPIs Initialized.
Initializing Netmon Parsers...
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\64BAA24A-0AAD-44e6-9846-3BE43D698FF6\sparser.npb.
Netmon Parsers initialized successfully.
Adding SSLVersionSelector Display Filter...
Display Filter added successfully
Adding Conversation.TCP.Id == 2 Conversation Filter...
Conversation Filter, Conversation.TCP.Id == 2 added successfully
SSL Version Filter added successfully
Adding Conversation.TCP.Id == 2 Conversation Filter...
Eval Parser Conversation Filter, Conversation.TCP.Id == 2 added successfully
This Netmon Version is supported
Opening Encrypted Capture File: C:\Users\xxx\Desktop\Test.cap
Creating Decrypted Capture File: C:\Users\xxx\Desktop\Decrypt.cap
Proposing Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData
EXCEPTION: Error: Couldn't Select TLS or SSL based on Version Info
Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.
This SSL version is not supported.

-.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-
Any help is appreciated.
Mar 25, 2014 at 12:31 AM
Sorry for the delayed response. I can't say for sure what the issue is for your case. Normally at this point I need the capture to understand how we got to this point. If that's possible, let me know and I can try to take a look.

Paul
Mar 25, 2014 at 8:17 AM
You replied to this already ages ago, and told me it's because of the version of TLS in use.


Mar 25, 2014 at 1:43 PM
I see now that a new user, Daje, responded on top of my reply. I suppose this response is for him.

Paul
Nov 7, 2014 at 11:10 AM
I found this error on plain HTTPS traffic. The problem appears to be in parsing the client hello message: there are two fields which match Version.Major and Version.Minor. One is the TLS version and the other is the client hello version. The client hello version occurs second, so it overwrites the TLS version. Client Hello version in my case was 3.3 while TLS was version 3.1. The result was the version selection exception. I fixed this by altering the code in NetmonParser.cs starting at line 1421 to this:
            if (fieldName.EndsWith(".Version.Major") && !fieldName.EndsWith(".ClientHello.Version.Major"))
            {
                int[] val = this.ParsedFrameFieldValue(parsedFrame, fid);
                cipherSuiteInfo.SslVersion.Major = val[0];
            }

            if (fieldName.EndsWith(".Version.Minor") && !fieldName.EndsWith(".ClientHello.Version.Minor"))
            {
                int[] val = this.ParsedFrameFieldValue(parsedFrame, fid);
                cipherSuiteInfo.SslVersion.Minor = val[0];
            }
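
An added example, not part of the post above or of the NMDecrypt source: it builds a constructed ClientHello record with record-layer version 3.1 and client hello version 3.3, walks its fields in wire order, and compares plain suffix matching with the scoped match the post describes. The `TLS.TlsRecordLayer...` field-name prefixes and all function names are assumptions made for illustration.

```python
import struct

def build_client_hello_record(record_ver, hello_ver):
    """Constructed sample: a minimal TLS record carrying one ClientHello."""
    body = bytes(hello_ver)          # client hello version (2 bytes)
    body += bytes(32)                # random (zeros, constructed)
    body += b"\x00"                  # session_id length 0
    body += b"\x00\x02\x00\x2f"      # cipher suite list: one suite
    body += b"\x01\x00"              # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_ver) + struct.pack(">H", len(handshake)) + handshake

def parsed_fields(record):
    """Yield (field_name, value) in wire order; names are hypothetical."""
    ctype, rmaj, rmin, rlen = struct.unpack(">BBBH", record[:5])
    if ctype != 0x16 or rlen < 6 or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    yield "TLS.TlsRecordLayer.Version.Major", rmaj
    yield "TLS.TlsRecordLayer.Version.Minor", rmin
    # The hello's own version follows the 4-byte handshake header.
    yield "TLS.TlsRecordLayer.ClientHello.Version.Major", hs[4]
    yield "TLS.TlsRecordLayer.ClientHello.Version.Minor", hs[5]

def select_version(fields, scoped):
    """Pick (major, minor); scoped=True skips the ClientHello fields."""
    major = minor = None
    for name, value in fields:
        if scoped and ".ClientHello.Version." in name:
            continue
        if name.endswith(".Version.Major"):
            major = value            # unscoped: the later field wins
        elif name.endswith(".Version.Minor"):
            minor = value
    return (major, minor)

def demo():
    record = build_client_hello_record((3, 1), (3, 3))
    return (select_version(parsed_fields(record), scoped=False),
            select_version(parsed_fields(record), scoped=True))

if __name__ == "__main__":
    unscoped, scoped = demo()
    print("suffix match only:", unscoped)
    print("scoped match:     ", scoped)
```
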
Nov 7, 2014 at 5:33 PM
Well, the bad news is that we are not going to put any effort into the NMDecrypt tool. The code is still public, so I suppose the change could still be incorporated.

The good news is that we have a new tool that deals with HTTP traffic and decryption much better. Message Analyzer 1.1 has been released with a built-in decryption tool. There are improvements to do there, but it handles things much more gracefully. http://blogs.technet.com/MessageAnalyzer has info including a link to the download.

Paul
Nov 7, 2014 at 8:50 PM
Thanks Paul,

That's not bad news. I have been using message analyzer for a while but haven't tried the decryption functionality yet. Might be time to give it a try.

-mark