 

Chrome and Firefox are not dumping to SSLKEYLOGFILE variable


I'm trying to decrypt SSL packages with Wireshark as described here. I have already created an SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10), and opened HTTPS URLs with Chrome and Firefox, but neither writes to the SSL log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how I can make either of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?

Tomas Colloca asked Feb 19 '17 20:02



People also ask

How do I get key logs for Wireshark?

You can specify the key file path in Wireshark via Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename. If your SSLKEYLOGFILE does not exist yet, just create an empty text file, so you can select it in Wireshark (or run mitmproxy to create and collect master secrets).

What is a key log file?

A key log is a log of the values used by your web browser to generate TLS session keys. Your browser does this every time, but it doesn't do anything else with those values once they are used. However, recent versions of Firefox and Chrome will output these values to a text file with a little bit of work.


2 Answers

You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:

  1. set environment variable e.g. SSLKEYLOGFILE to %USERPROFILE%\sslkeysENV.pms
  2. run chrome with argument e.g.: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms
TadejP answered Oct 02 '22 06:10

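A diagnostic for the setup described in the answer above, as an added example that is not part of the original answers: it checks the SSLKEYLOGFILE value a browser started from the same environment would inherit, then validates log entries against the NSS key log line format (CLIENT_RANDOM and the TLS 1.3 labels only). The function names and the sample lines are constructed for illustration.

```python
import os
import re

# TLS 1.3 labels of the NSS key log format; TLS 1.2 uses CLIENT_RANDOM.
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")

def check_keylog_path(value):
    """Return problems with an SSLKEYLOGFILE value as a child process would see it."""
    if not value:
        return ["SSLKEYLOGFILE is not set in this environment"]
    problems = []
    if re.search(r"%[^%\\/]+%", value):      # e.g. a literal %USERPROFILE% left in the value
        problems.append("unexpanded %VAR% reference in the path")
    parent = os.path.dirname(os.path.abspath(value))
    if not os.path.isdir(parent):
        problems.append("parent directory does not exist")
    elif not os.access(parent, os.W_OK):
        problems.append("parent directory is not writable")
    return problems

def summarize_keylog(text):
    """Count well-formed entries per label; return (counts, malformed_line_count)."""
    counts, malformed = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        m = LINE_RE.match(line)
        ok = False
        if m:
            label, rnd, secret = m.groups()
            if label == "CLIENT_RANDOM":      # 32-byte random, 48-byte master secret
                ok = len(rnd) == 64 and len(secret) == 96
            elif label in TLS13:              # secret is 32 or 48 bytes, per the hash
                ok = len(rnd) == 64 and len(secret) in (64, 96)
        if ok:
            counts[label] = counts.get(label, 0) + 1
        else:
            malformed += 1
    return counts, malformed

# Constructed sample lines, not real key material.
SAMPLE = "\n".join(["# constructed sample",
                    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
                    "CLIENT_TRAFFIC_SECRET_0 " + "01" * 32 + " " + "ef" * 32,
                    "CLIENT_RANDOM abcd 1234"])

if __name__ == "__main__":
    print(check_keylog_path(os.environ.get("SSLKEYLOGFILE")))
    print(summarize_keylog(SAMPLE))
```

Run it from the same shell or shortcut context used to start the browser, since a variable set after a process tree was started is not visible to it.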


With Firefox the feature seems to be disabled by default and is only available in debug builds. With Chrome this might have vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).

Update: according to @Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.

Steffen Ullrich answered Oct 02 '22 04:10
