sometimes it is kind of annoying to troubleshoot SSL connections in Wireshark, since the payload is encrypted.
However, I just learned and tested that there is a possibility.
In Windows 10 (and most likely also other OS) you can set an environment variable
SSLKEYLOGFILE to a certain file like C:\User<username>keylog.txt
This convinces the SSL engine to log CLIENT RANDOM, CLIENT_HANDSHAKE_TRAFFIC_SECRET, etc.
So what I did:
- Set the SSLKEYLOGFILE environment variable
- Open the keylog.txt in notepad++
- Open Chrome in private mode and access my banking page / prepare a python script for Zscaler API (just to test)
- Deleted content of keylog.txt in notepad++, since the file grows fast
- Started Wireshark capture
- logged in to my home banking via chrome / started the python script to execute two put requests
- stopped capture and copy/paste keylog.txt entry to a newkeyfile.txt
- saved pcap file
- In Wireshark go to configuration/settings/protocols and chose TLS (sorry my Wireshark is German so don’t know the correct GUI wording in English)
- Configure newkeyfile.txt as "(Pre-Master-Secret log filename) and click OK and on “reload file”.
If everything has worked well you can now see http in clear text ( i had to try it several times) - but finally for my banking test I had a closer look on all POST requests… and indeed I was able to see my username and password in “cleartext” - for the Python request I saw the json structures.
For obvious reasons I removed the environment variable after my tests.