Decrypting TLS Browser Traffic With Wireshark – The Easy Way!

Intro

Most IT people are somewhat familiar with Wireshark.  It is a traffic analyzer, that helps you learn how networking works, diagnose problems and much more.

2015-02-11 22_29_11-

One of the problems with the way Wireshark works is that it can’t easily analyze encrypted traffic, like TLS.  It used to be if you had the private key(s) you could feed them into Wireshark and it would decrypt the traffic on the fly, but it only worked when using RSA for the key exchange mechanism.  As people have started to embrace forward secrecy this broke, as having the private key is no longer enough derive the actual session key used to decrypt the data.  The other problem with this is that a private key should not or can not leave the client, server, or HSM it is in.  This lead me to coming up with very contrived ways of man-in-the-middling myself to decrypt the traffic(e.g. sslstrip or mitmproxy).

Session Key Logging to the Rescue!

Well my friends I’m here to tell you that there is an easier way!  It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file.  You can then point Wireshark at said file and presto! decrypted TLS traffic.  Read on to learn how to set this up.

Setting up our Browsers

We need to set an environmental variable.

On Windows:

Go into your computer properties, then click “Advance system settings” then “Environment Variables…”

2015-02-11 21_36_51-Clipboard

Add a new user variable called “SSLKEYLOGFILE” and point it at the location that you want the log file to be located at.

2015-02-11 21_38_57-Environment Variables

On Linux or Mac OS X:

$ export SSLKEYLOGFILE=~/path/to/sslkeylog.log

You can also add this to the last line of your

~/.bashrc

on Linux, or

~/.MacOSX/environment

on OS X so that it is set every time you log in.

The next time that we launch Firefox or Chrome they will log your TLS keys to this file.

Edit: If you are having trouble getting it to work on OS X take a look at the comments below.  It seems that Apple has changed how environmental variables work in recent versions of OS X.  Try launching firefox and wireshark within the same terminal window with,

# export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log
# open -a firefox
# wireshark

Thanks Tomi for sharing this.

Setting up Wireshark

You need at least Wireshark 1.6 for this to work.  We simply go into the preferences of Wireshark

2015-02-11 21_45_30-

Expand the protocols section:

2015-02-11 21_48_49-2015-02-11 21_45_59-Wireshark_ Preferences - Profile_ Default

Browse to the location of your log file

2015-02-11 21_47_10-Wireshark_ Preferences - Profile_ Default

The Results

This is more along the lines of what we normally see when look at a TLS packet,

2015-02-11 22_29_11-

This is what it looks like when you switch to the “Decrypted SSL Data” tab.  Note that we can now see the request information in plain-text!  Success!

2015-02-11 22_30_28-_Wi-Fi   [Wireshark 1.12.3  (v1.12.3-0-gbb3e9a0 from master-1.12)]

Conclusion

I hope you learned something today, this makes capturing TLS communication so much more straightforward.  One of the nice things about this setup is that the client/server machine that generates the TLS traffic doesn’t have to have Wireshark on it, so you don’t have to gum up a clients machine with stuff they won’t need, you can either have them dump the log to a network share or copy it off the machine and reunite it with the machine doing the packet capture later.  Thanks for stopping by!

References:

Mozilla Wiki

Imperial Violet

jSSLKeyLog

Photo Credit: Mike

90 thoughts on “Decrypting TLS Browser Traffic With Wireshark – The Easy Way!

  1. I am using Wireshark 1.12, FIrefox 35.0.1 and Windows 7. I can see my SSL/TLS secrets being populated in my log file, but I am not getting the Decrypted SSL Data tab. Any thoughts on what I may be doing wrong?

    1. And you have filled out the “(Pre)-Master-Secret log filename” field in your preferences? Be aware that Wireshark might be sniffing traffic that is not sent by the configured browser, e.g. a background application on the same system might be reaching out over TLS and wouldn’t be logging its keys. It will only show that tab for traffic it can decrypt. Filter out information so that you are only looking at the communication that you are relatively certain is coming from the browser.

      1. I double checked that Wireshark is pointed at the log file. I shut down everything else and used the far side IP address to confirm which traffic I was viewing. I will need to keep digging.

        1. The other thing to mention is that a lot of the data is still either gzipped or binary data like images, so it may appear obscured. But you should still get the tab, in any case.

    2. When you look at the packets, you will need to check for a server key exchange packet….Apparently wireshark cannot decrypt ephemeral diffie-hellman encrypted data. So if you see a packet that says server key exchange, that’s probably what is happening….unless i’m wrong. Please let me know if i am.

      1. Yeah that is incorrect. Wireshark can’t decrypt it if you give it the RSA private key of the server, but the keys that I log in the article are symmetric keys generated during key exchange. The whole point of doing this is so that you can decrypt traffic using both RSA, DH and DHE key exchange.

          1. If you have configured everything right( i.e. keys are being logged to the file) and still seeing encrypted TLS traffic then it is traffic not coming from your browser.

    3. Hi bro, I suggest you to try another way. Right click one TLS packet(Such as Client Hello), then click Follow SSL stream. Then you can see the decrypted plain-text data. Make sure that you imported the key log file correctly.

  2. This guy had the same problem:
    https://ask.wireshark.org/questions/30290/decrypting-tls_ecdhe_rsa_with_aes_128_cbc_sha-and-tls_ecdhe_rsa_with_aes_128_gcm_sha256-using-sslkeylogfile

    Although he eventually figured it out, he used a slightly older version than yours. Maybe you need to tweak compile options and recompile.

    It probably has something to do with forward secrecy. Perhaps it’s not supported in your version. If you visit a site that isn’t using FS:
    https://tools.ietf.org/html/rfc5246

    You should be able to decrypt this in Wireshark.

    Actually it might be the mode of operation for the block cipher that’s the problem. Old versions don’t support GCM. But you are using 1.12…

    1. Thank you for the pointers. I cycled through the security.tls.version.max options as you suggested and confirmed in the captures that the encryption protocol used was changing accordingly. Unfortunately, I am still not getting the Decrypted SSL Data tab, even when going to the IETF site you listed. I found some additional information here http://wiki.wireshark.org/SSL, a “wireshark -v” on my system lists GnuTLS 3.2.15 and Gcrypt 1.6.2. I am using the latest stable version that comes in the Windows installer so I have whatever compile options that it is built with. I will keep digging.

    1. Yeah I didn’t actually get to test this on a Mac as I no longer own one. Looks like OS X did some redecorating recently with environmental variables see this. Maybe it needs to be a system environmental variable on OS X?

      1. Setting an environment variable with EXPORT will only apply to that session. Launching a browser or other web client outside of the session will not have the environment variable set.

        If using EXPORT to set SSLKEYLOGFILE, you’ll have to launch Firefox from the same session.

  3. Any remotely recent version of Chrome will work just fine now. At the time of the cited blog post (look at the timestamp), the feature was new in NSS had only hit dev channel.

  4. Or use Cloudshark, just drag the key onto the web page and then hit decrypt. Its nice because I can let my IT minions debug pcaps without me giving them the TLS keys to the kingdom!!! Course, Cloudshark isnt free like wireshark even though its based on it

  5. And you got the SSL line or it’s just the tab you can’t see? I didn’t see mine coz I was with a proxy. It seems it encapsulate https in http, so you can’t use it to spy on your mates (in this case, at least). Neither you can use it to see app/malware that use their own conection.

    I’d like to be give a practical exemple of how to use it.

    Nice post, btw. 🙂

  6. Can you think of a way to do the same with a mobile browser? Can’t quite find the same set of options for the mobile browsers.

  7. I tried this on Linux Mint 17.1 and FF 35.0.1, double checked that the environmental variable has been set correctly, rebooted and reloaded this page, but no sslkeylog.log was created. Is a specific Linux distribution needed to make this work?

      1. export says

        declare -x SSLKEYLOGFILE=”/home/jrv/sslkeylog.log”

        where jrv is my username and I have write access. More help would be appreciated.

    1. I ended up making the file beforehand and then running the export command and starting firefox. Then I had content in my file (mint 17/ff 35)

  8. Hi Jim,

    This is a grate tutorial. I have just followed it and it works a treat.

    Can I ask a question though.

    Is there a way to copy/paste the ASCII from the “Decrypted SSL Data” tab?? The text is in a small column and would like to be able to copy it into notepad.

    Is this possible or am I missing something?

    Thanks

  9. Great stuff, thanks Jim!

    I got my OS X working only when firing up all related processes using exactly same Terminal-window like this:

    1. Open ‘terminal’
    2. # export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log
    3. # open -a firefox
    4. # wireshark

    This worked for me.

    1. The SSLKEYLOGFILE was not being written after following the above procedure. (Mac OS X Yosemite). I spent a few hours trying to figure this out. The environment variable is being set right. Finally I realized that killing Firefox by clicking on the x (top left) did not actually kill firefox process, I had to use force quit to kill Firefox. Once I did this and followed your procedure it worked fine. Thanks to Jim Shaver and Tomi.
      Thought this might save a few minutes for another developer.

  10. Amazing! (FF wants to be secure??)
    Thanks for that info!
    Does Wireshark continually read the file, seems FF adds more keys while opening new https-Pages.
    I also miss the ssl-decode Tab (FF Ver 1.8.2, newest for Debian stable). But I have a Analyze->Follow SSL-Stream menu. Is that the same? In most cases this opens an empty window (I think contents cant be decoded). Whats the purpose of Analyze->DecodeAs (SSL) ??

    1. Not all data can be decrypted using this method, often times Wireshark sees more SSL/TLS data than what is just from Firefox. It continues to read the file as I recall.

  11. I could really use some help here. I have some Wireshark packet captures saved on an external HD, I needed to decrypt the SSL. Where would I find the key to do this? UGH!!!!

    1. Yeah I bet. You and the NSA and every identity thief. Unfortunately if the keys are not dumped at the time that the traffic is sent there isn’t a way to decrypt it, that is the point of SSL/TLS. As mentioned early in the article, if you have the server’s private key you can also feed that into wireshark, and it may be able to decrypt the traffic, but this depends on many things, including the security of the key exchange method negotiated between the browser and the server(RSA vs DH(E)) as well as availability of the private key to you.

      1. How web browser and server know exactly what is the key used for their private communication? Don’t they have to at least send this information over once?

  12. What can you do to decrypt traffic from a Widows server making a HTTPS calls to another Windows server if it does not use Firefox or Chrome. For instance I have a front end CRM server making a call out to a BizTalk server for a specific URL using 443. I have the proper key from the BizTalk server imported into my Wireshark but our users use IE not Chrome or Firefox and the CRM server making the call does not either so a sslkey file does not help in my case or at least it seems from the post only Chrome or Firefox create the log file. We see intermittent issues are happening between CRM and BizTalk over 443 and we are trying to find out what is the cause, but our packet captures will not decrypt because of TLSv1 and TLSv1.2 does not have the master key or some other constraint for decrypting. Surely someone has figured out how to decrypt SSL traffic from IE or Windows.

    1. If you wanted to use wireshark you could try loading the private key of the server into wireshark if you have access to it. But that will only work if your BizTalk server is using RSA ciphers. If it really is HTTPS and not just ‘something else’ over TLS then you may want to look into SSLSpoof or SSLSplit which will allow you to Man in the middle the SSL connection, and if you do it correctly, pipe it into wireshark(I would consider this the ‘Hard way’). Or use a tool like mitmproxy(for which I am a contributor) or Fiddler(more windows friendly) to analyze the traffic. These tools are http(s) specific analysis tools rather than a general network analysis tool. The only thing you really have to figure out with these is how to pipe your CRM’s traffic through the proxy and get the CRM system to trust the proxy’s certificate.

      1. Hi, all this is great information!
        In my log file I see only ‘Client_Random’ not RSA output. Does that mean RSA is not used as method? I think this I why I don’t see any decrypted data tab. Appreciating your help:)

        1. Try to resize your editor window so you see the hole key on one line. I thought this too, and then recognized that there are only a few rsa keys if any. if you don’t have any at all, try to capture a login on youtube or googledrive or something. then you should have some rsa values.
          Beware: if the selected cypher suite uses ephemeral modes of DH you will not have the needed keys in your log and will not be able to decrypt your traffic. At least that#s what I have found out so far playing with this stuff and searching the web 😉
          Hope this helps. Let me know if you find better info than me 😉

    1. Yes, it does 🙂 I have to start the browser from the terminal, otherwise the keylog file stays empty. Now I have the problem, that I cannot see the HTML body. The HTML header gets encrypted, but the rest of the package is still jiberish. Thanks for this nice tut. helped me out a lot already 🙂

    1. I think I had either seen it in the Wireshark docs, or on someone else’s blog. But the format that it was in was so technical and opaque that I thought I could do it better.

  13. Hi, I am struct at providing the pre-master-secret to Wireshark to decrypt the RSA Premaster key. I have the 48 bytes of pre-master-secret, but i don’t know in which format i have to give. Could some one please help me. Thanks!

    1. I’m sorry but I do not run OS X. I have heard that Apple has done some changes over the versions to how environmental variables. Take a look through the rest of the comments, if that doesn’t work you may have to do more research elsewhere.

    2. I had a the problem last week that ff would not write the keys into the sysvar. that happened after an update. After having that problem on kubuntu and debian i figured it must have been an update of the kernel or something like that. One week later… so today, i made another sys-update and it works again 🙂 so maybe you’ll just have to wait a few days until apple finds out that they killed the feature 😉 good luck!

  14. No luck with this method. I can get it to work as describe but it basically does the same as the “Live HTTP Headers” plugin for Firefox. You get to see the headers.

    1. The headers are encrypted too, are you seeing session keys written to the file? A lot of the data may look like garbage, but that is because most website data are binary images.

  15. Great explanation, thanks so far.
    But reading out until here, using all hints above, I was unable to get Firefox populating this sslkeylog file. I am using Win7 (64 Bit) and the current Firefox version 45.0.2
    The only hit I found was on https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
    saying that this feature is disabled in Firefox 48, which confused me totally, since we are currently on 45. Or do they have a time machine?

  16. Thanks for taking care of this. By the way, in the meantime I installed Chrome in parallell to Firefox and was also unable to populate the sslfkeylogile with it. Do you know whether the Chrome people removed this feature as well (although stated otherwise in the discussion you pointed me to)?

      1. I am using rsa 2048 bits long key and certificate in apache webserver. i am using key log file and debug file in SSL preferences and setup the path to my generated private key.

  17. Hello Jim,

    I have my localhost running on Apache 2.4.20 on port 443 for http-2 and I need to capture this traffic. I have created a self-signed certificate and key for apache webserver configuration.

    Kindly suggest on how to proceed further in this case.

    Regards,
    Ankush.

      1. I tried the SSL decryption on the https accesses from my own laptop and it works perfectly!
        I have SPAN configured on my Cisco switch that forwards all traffic to my Laptop’s interface.
        So i followed what you said at the conclusion, the “or copy it off the machine and reunite it with the machine doing the packet capture later”. But the Wireshark captures still says TLS — Application data.
        What could be wrong?

          1. Thats right. I’ve configured the client PCs to log their ssl keys and save them locally. Meanwhile, I capture traffic through the switch on my admin Laptop. I later get the logs from the client PCs to use with my wireshark.
            This doesn’t seem to work like when I decrypted traffic from the laptop i’m at.

  18. Hi. Nice article. I notice that this is good to decrypt secured connections on the fly. How can an encrypted captured packet be decrypted with/without the key provided. Thanks.

Leave a Reply