Wireshark and SSL connections

Hi,
sometimes it is kind of annoying to troubleshoot SSL connections in Wireshark, since the payload is encrypted.
However, I just learned and tested that there is a possibility.
In Windows 10 (and most likely also other OS) you can set an environment variable
SSLKEYLOGFILE to a certain file like C:\Users\<username>\keylog.txt

This convinces the SSL engine to log CLIENT_RANDOM, CLIENT_HANDSHAKE_TRAFFIC_SECRET, etc.

So what I did:

  • Set the SSLKEYLOGFILE environment variable
  • Open the keylog.txt in notepad++
  • Open Chrome in private mode and access my banking page / prepare a python script for Zscaler API (just to test)
  • Deleted content of keylog.txt in notepad++, since the file grows fast
  • Started Wireshark capture
  • logged in to my home banking via chrome / started the python script to execute two put requests
  • stopped capture and copy/paste keylog.txt entry to a newkeyfile.txt
  • saved pcap file
  • In Wireshark go to configuration/settings/protocols and choose TLS (sorry, my Wireshark is German so I don’t know the correct GUI wording in English)
  • Configure newkeyfile.txt as "(Pre-)Master-Secret log filename", click OK and then “reload file”.
    If everything has worked well you can now see http in clear text (I had to try it several times) - but finally, for my banking test I had a closer look at all POST requests… and indeed I was able to see my username and password in “cleartext” - for the Python request I saw the json structures. :slight_smile:

For obvious reasons I removed the environment variable after my tests.

Best regards
Andreas
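The manual copy/paste step above (pulling only the entries for the captured sessions out of a fast-growing keylog.txt into newkeyfile.txt) can be scripted. The following is an added example, not code from the original post: it parses the NSS key log format that Chrome, Firefox, curl and Python's ssl module write (one `<LABEL> <client_random hex> <secret hex>` entry per line), rejects malformed lines, and keeps only the entries whose Client Random appeared in the capture. The sample key log and the client randoms are constructed values, not real secrets; `keylogging_context()` is the Python-side equivalent of setting SSLKEYLOGFILE for a browser and assumes Python 3.8+ with OpenSSL 1.1.1+.

```python
"""Trim an SSLKEYLOGFILE down to the sessions in one Wireshark capture.

Added example, not part of the original post. Assumes the NSS key log
format: '<LABEL> <32-byte client random, hex> <secret, hex>' per line.
"""
from __future__ import annotations

import re
import ssl
from dataclasses import dataclass

# Labels written by current TLS stacks: CLIENT_RANDOM for TLS 1.2 and earlier,
# the per-phase traffic secrets for TLS 1.3 (Wireshark needs those to decrypt 1.3).
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class KeylogEntry:
    label: str
    client_random: str  # 32 bytes as 64 hex chars; shown as tls.handshake.random in Wireshark
    secret: str

    def line(self) -> str:
        return f"{self.label} {self.client_random} {self.secret}"


def parse_keylog(text: str) -> tuple[list[KeylogEntry], list[str]]:
    """Return (valid entries, rejected raw lines); comments and blank lines are skipped."""
    entries: list[KeylogEntry] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        well_formed = (
            len(parts) == 3
            and parts[0] in KNOWN_LABELS
            and len(parts[1]) == 64 and HEX.match(parts[1]) is not None
            and len(parts[2]) % 2 == 0 and HEX.match(parts[2]) is not None
        )
        if not well_formed:
            rejected.append(raw)
            continue
        entries.append(KeylogEntry(parts[0], parts[1].lower(), parts[2].lower()))
    return entries, rejected


def filter_for_capture(entries: list[KeylogEntry], client_randoms) -> list[KeylogEntry]:
    """Keep only the entries whose Client Random was seen in the capture."""
    wanted = {r.lower() for r in client_randoms}
    return [e for e in entries if e.client_random in wanted]


def render_keylog(entries: list[KeylogEntry]) -> str:
    """Serialize entries back into a file Wireshark accepts as (Pre-)Master-Secret log."""
    return "".join(e.line() + "\n" for e in entries)


def keylogging_context(path: str) -> ssl.SSLContext:
    """Client TLS context that writes its secrets to `path` (Python 3.8+, OpenSSL 1.1.1+),
    the scripted equivalent of SSLKEYLOGFILE for a Python requests/urllib client."""
    ctx = ssl.create_default_context()
    ctx.keylog_filename = path
    return ctx


# Constructed sample key log (not real secrets): one TLS 1.3 session (A),
# one TLS 1.2 session (B), one TLS 1.3 session with only one secret so far (C),
# plus two malformed lines that a parser must not pass on to Wireshark.
RANDOM_A = "11" * 32
RANDOM_B = "22" * 32
RANDOM_C = "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by openssl",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_A + " " + "a1" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_A + " " + "a2" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + RANDOM_A + " " + "a3" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + RANDOM_A + " " + "a4" * 32,
    "EXPORTER_SECRET " + RANDOM_A + " " + "a5" * 32,
    "CLIENT_RANDOM " + RANDOM_B + " " + "b1" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + RANDOM_C + " " + "c1" * 32,
    "this line is garbage",
    "CLIENT_RANDOM " + RANDOM_C[:10] + " " + "c2" * 48,   # truncated client random
]) + "\n"


if __name__ == "__main__":
    entries, rejected = parse_keylog(SAMPLE_KEYLOG)
    # Client randoms of the sessions actually in the pcap (constructed here).
    kept = filter_for_capture(entries, {RANDOM_A, RANDOM_C})
    print(f"{len(entries)} valid entries, {len(rejected)} rejected, {len(kept)} kept for capture")
    print(render_keylog(kept), end="")
```

To get the set of client randoms for a real capture, Wireshark exposes them as the `tls.handshake.random` field of each Client Hello (`tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.random`). Filtering this way keeps newkeyfile.txt limited to the sessions being analysed rather than everything the browser has negotiated since the variable was set, which is what the manual delete-and-paste step was approximating.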


Brilliant. I wrote an article a while back on how to do this on macOS as well. See below:


Cool, if only Google had shown this to me… :slight_smile: could have saved me much time. :slight_smile: