The TLS key log file (not to be confused with debug log file) can indeed not be used with RSA key files, it can only accept session secrets (master secret, traffic secrets, etc.).

There are two other deprecations:

  • The ssl filter and protocol names have been replaced by tls. Thus ssl.keys_list becomes tls.keys_list. The fact that any ssl.<anything> preference results in suggesting tls.<anything> is probably a bug, the code should check for its existence before recommending it.
  • The ssl.keys_list (or tls.keys_list) preference has been deprecated in favor of the "ssl_keys" UAT. However, this option has again been deprecated because it contained redundant fields that had nothing to do with decryption secrets.
  • The new "rsa_keys" UAT finally replaces the above preference and UAT. It has only two fields: the key file, and a password (if needed). For hardware tokens, the first field would be the PKCS#11 URI and the PIN respectively.

The dialog for this "RSA Keys" UAT is described here: https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19us.pdf#page=14

The corresponding tshark invocation for a key file without password would be:

tshark -r your.pcap '-ouat:rsa_keys:"/path/to/key.file",""'

Mind the single quotes, these are necessary for the shell to avoid interpreting the double quotes.
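
An added example, not part of the original answer: a small Python check that tells a key log file (session secrets) apart from a PEM private key and builds the matching shell-quoted tshark option. It assumes PEM-encoded keys only; the `tls.keylog_file` preference and the key log labels are not named on this page, the function names are hypothetical, and the sample inputs are constructed.

```python
import re
import shlex

# Line labels of the NSS key log format ("<LABEL> <hex> <hex>").
KEYLOG_LINE = re.compile(
    r"(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET"
    r"|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0"
    r"|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]+ [0-9a-fA-F]+"
)
PEM_KEY = re.compile(r"-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----")

def classify(text):
    """Return 'rsa_key', 'keylog' or 'unknown' for the contents of a file."""
    if PEM_KEY.search(text):
        return "rsa_key"
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if lines and all(KEYLOG_LINE.fullmatch(ln) for ln in lines):
        return "keylog"
    return "unknown"

def shell_option(path, kind, password=""):
    """Build the tshark -o argument, quoted for a POSIX shell."""
    if kind == "keylog":
        opt = f"-otls.keylog_file:{path}"
    elif kind == "rsa_key":
        # Escaping rules for quotes inside UAT fields are not covered here.
        if any(c in path + password for c in '"\\'):
            raise ValueError("double quote or backslash in UAT field")
        opt = f'-ouat:rsa_keys:"{path}","{password}"'
    else:
        raise ValueError("not a key log file or PEM private key")
    # shlex.quote adds the single quotes the shell needs around double quotes.
    return shlex.quote(opt)

# Constructed sample inputs (not real key material).
SAMPLE_KEYLOG = "# constructed\nCLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
              "-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in (("keys.log", SAMPLE_KEYLOG), ("key.file", SAMPLE_PEM)):
        kind = classify(text)
        print(name, kind, shell_option("/path/to/" + name, kind))
```
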