Decrypting TLS Browser Traffic With Wireshark

From Tech-Wiki
Revision as of 03:16, 26 August 2016 by Jebr (Talk | contribs)


The full write-up is here.

In summary
1) Set Firefox or Chrome to log session keys by adding an environment variable.
Windows:

Set a user environment variable named SSLKEYLOGFILE whose value is the path of the log file, e.g. c:/temp/sslkeylog.log

Mac OS X:
N.B. Setting an environment variable with export only applies to that shell session. A browser or other web client launched outside that session will not have the variable set.

# export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log
# open -a firefox
# wireshark

Linux:

$ export SSLKEYLOGFILE=~/path/to/sslkeylog.log


2) Point Wireshark at the keylog file:

Edit > Preferences > Protocols > SSL > "(Pre)-Master-Secret log filename:"

When viewing a trace containing TLS traffic, the packets after "Change Cipher Spec, Finished" would normally be shown as the TLSv1 protocol with "Application Data" in the Info column. With the log file specified, the protocol is shown as HTTP and you can see GET requests etc. in the Info column. There is also a new "Decrypted SSL data" tab shown below the hex view.
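The keylog file the browser writes is in the NSS key log format: one record per line, `<LABEL> <client random hex> <secret hex>`, where Wireshark matches the 32-byte Client Random from each ClientHello in the capture against the second field to find that session's master secret (TLS 1.2 and earlier, label `CLIENT_RANDOM`) or traffic secrets (TLS 1.3 labels such as `CLIENT_TRAFFIC_SECRET_0`). The script below is an added example, not part of the original wiki page or of Wireshark; it parses a file in that format, does the same Client-Random lookup Wireshark does, and reports whether the file is actually being populated, which is the first thing to check when decryption does not appear. The sample keylog content is constructed from deterministic byte patterns and is not a real session; `check_keylog_file` is a hypothetical helper name.

```python
"""Parse and sanity-check an SSLKEYLOGFILE written in the NSS key log format.

Wireshark finds a session's secrets by matching the 32-byte Client Random
from the ClientHello against the second field of each keylog line. The
functions below perform the same lookup and summarise what the file holds,
so you can confirm the browser is logging keys before opening the capture.
"""
import re

# One record per line: <LABEL> <client_random hex> <secret hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")

# Labels written by NSS/BoringSSL-based clients and understood by Wireshark.
TLS12_LABEL = "CLIENT_RANDOM"  # secret field is the 48-byte master secret
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS13_LABELS | {TLS12_LABEL}


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; raise ValueError on a bad line."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # NSS writes a comment header line
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in NSS key log format: {line!r}")
        label, client_random, secret = m.group(1), m.group(2).lower(), m.group(3).lower()
        if label not in KNOWN_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label}")
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        if label == TLS12_LABEL and len(secret) != 96:
            raise ValueError(f"line {lineno}: master secret must be 48 bytes")
        sessions.setdefault(client_random, {})[label] = secret
    return sessions


def lookup(sessions, client_random_hex):
    """Find a session's secrets by its ClientHello random, as Wireshark does."""
    return sessions.get(client_random_hex.lower())


def summarize(sessions):
    """Count sessions by TLS generation; 'incomplete' means no application-traffic secret yet."""
    counts = {"tls12": 0, "tls13": 0, "incomplete": 0}
    for labels in sessions.values():
        if TLS12_LABEL in labels:
            counts["tls12"] += 1
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}.issubset(labels):
            counts["tls13"] += 1
        else:
            counts["incomplete"] += 1
    return counts


def check_keylog_file(path):
    """Hypothetical helper: read a real keylog file and say whether it is usable."""
    try:
        with open(path, encoding="ascii") as fh:
            text = fh.read()
    except FileNotFoundError:
        return "missing: the client was started without SSLKEYLOGFILE in its environment"
    sessions = parse_keylog(text)
    if not sessions:
        return "empty: no TLS handshake has completed since the client started"
    return f"ok: {summarize(sessions)}"


# Constructed sample keylog (deterministic byte patterns, not from any real session).
CR_A = bytes(range(0, 32)).hex()
CR_B = bytes(range(32, 64)).hex()
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CR_A} {bytes(range(48)).hex()}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_B} {bytes(range(64, 96)).hex()}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_B} {bytes(range(96, 128)).hex()}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {bytes(range(128, 160)).hex()}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {bytes(range(160, 192)).hex()}",
])

if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(sessions))
    print("master secret for session A:", lookup(sessions, CR_A)[TLS12_LABEL][:16], "...")
```

Because every line in this file is enough to decrypt the corresponding captured session, treat the keylog with the same care as the capture itself: keep it on a local, access-restricted path and remove it once the analysis is done. tshark takes the same file on the command line via `-o ssl.keylog_file:PATH` (`tls.keylog_file` in Wireshark 3.0 and later, where the SSL dissector was renamed TLS).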