Skip to main content
Version: v8

KB: 1071


How to decrypt SSL/TLS using Wireshark and SSLKEYLOGFILE environment variable on Firefox or Google Chrome using Wireshark?

Pre-Requisites

  1. Wireshark Software
  2. Firefox or Chrome browsers to access the web application
  3. SSL session keys
How to log the SSL session keys on windows
  1. Open the Environment Variables by right-clicking on This PC and selecting Properties.
  2. Click on Advanced system settings on the left.
  3. In the System Properties window, click on the Environment Variables button.
  4. Under System variables, click "New".
  5. In the Variable name field, enter SSLKEYLOGFILE.
  6. In the Variable value field, enter the path where you want the SSL keys to be saved, e.g., C:\path\to\sslkeys.log.
  7. Select OK
  8. Start Firefox or Chrome
  9. Access the web application.Now, whenever you visit the application using SSL/TLS, the session keys will be logged to the specified file.
How to log the SSL session keys on Linux
  1. Open a terminal

  2. Create an empty file to store the SSLKEYLOGFILE environment variable

    touch sslkeyfile.log
  3. Set the SSLKEYLOGFILE environment variable for your account by using the following command syntax:

    export SSLKEYLOGFILE=/path/to/logfile/sslkeyfile.log

    For example:

    export SSLKEYLOGFILE=/home/test/sslkeyfile.log
  4. Start packet capture using an application such as Wireshark or tcpdump. For information about tcpdump refer to How to capture packet and tracethem through tcp dump utility?

  5. Start Firefox or Chrome from the same terminal window that was used to set the environmental variable

    For example google-chrome

Note

Make sure to close all open browser windows, and always start the browser from the same command terminal, as the session variable is set only in that terminal.

  1. Access the web application. Now, whenever you visit the application using SSL/TLS, the session keys will be logged to the specified file.

How to decrypt SSL/TLS traffic using Wireshark with SSLKEYLOGFILE

Resources

Download the packet capture (.pcap)

Download the SSL KeyLog (.txt)

Steps

  1. Load the Captured File

    1. Capture the traffic using tcpdump based on your requirements: from the client to the WAF machine or from the WAF machine to the backend server.

      From Client to WAF Machine

      1. SSH into the WAF machine.
      2. Start capturing packets using tcpdump.

      For example:

      tcpdump -i any port 443 and host <Client IP> -w dump.pcap

      From WAF Machine to Server

      1. SSH into the server machine.
      2. Start capturing packets using tcpdump.

      For example:

      tcpdump -i any port 443 and host <WAF IP> -w dump.pcap
    2. Open Wireshark.

    NOTE

    Ensure that both the .pcap file and the SSL key file are present on the same machine where Wireshark will be used.

    1. Load the traffic tcpdump file in .pcap format.
  2. Configure the SSL/TLS Preferences

    To upload captured TCP dump on wireshark.

    1. Go to File > Open
    2. Select your .pcap file and Select Open.
    3. This will show the list of captured packets.

    Then we need to configure the TLS/SSL preference to decrypt the required file.

    1. Go to Edit > Preferences
    2. Expand the protocols list on the left side.
    3. Scroll down and select TLS or SSL (depending on your Wireshark version)

    kb-1070

  3. Set the Pre-Master Secret Log File

    1. In the Pre-Master-Secret log filename field, click Browse and select the sslkeys.log file that your browser has been writing to.
    2. Apply the settings by clicking OK.
  4. View Decrypted Data

    1. Wireshark should now automatically decrypt the SSL/TLS traffic using the session keys from sslkeys.log
    2. You can inspect the decrypted packets, including HTTP requests and responses, directly in Wireshark