Revision history

initial version

For the SSLKEYLOGFILE feature to work, the following criteria must be met:

  • The application of which the traffic is to be captured must use an encryption library that supports the SSLKEYLOGFILE feature, for example OpenSSL, GnuTLS, or BoringSSL. A well-known library that does not support it is Windows Schannel.
  • The SSLKEYLOGFILE variable is only picked up when the application (and library) is started. For example, when capturing traffic of a browser, make sure it is fully stopped first, including any background processes.
  • Only the end-points of a TLS connection (client - server) can log their session keys.

Also, for Wireshark to be able to decrypt the traffic, the initial TLS handshake must be captured as well. Any gaps in the stream (i.e. snapped packets) will break the decryption.

If decryption is not possible, Wireshark will stop dissecting at the TLS level and label the payload as "Application Data".
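
When decryption fails, a quick check is whether the key log actually holds secrets for the session in the capture. The following added example (not part of the original answer) parses a key log in the NSS key log format and classifies a session by its ClientHello random (Wireshark field `tls.handshake.random`). The function names, status strings and sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Secrets needed per session, keyed by NSS key log label.
TLS12_LABEL = "CLIENT_RANDOM"  # TLS 1.2 and earlier: master secret
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
# Line layout: "<LABEL> <32-byte client random, hex> <secret, hex>"
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: set(labels)}, [numbers of malformed lines])."""
    sessions, malformed = defaultdict(set), []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        match = LINE_RE.match(line)
        if match:
            sessions[match.group(2).lower()].add(match.group(1))
        else:
            malformed.append(number)
    return dict(sessions), malformed

def key_status(sessions, client_random):
    """Classify the key material logged for one ClientHello random."""
    labels = sessions.get(client_random.lower(), set())
    if TLS12_LABEL in labels:
        return "tls1.2-ok"
    if TLS13_LABELS <= labels:
        return "tls1.3-ok"
    return "incomplete" if labels else "missing"

# Constructed sample key log (placeholder values, not real secrets).
SAMPLE = "\n".join(
    ["# constructed sample", f"CLIENT_RANDOM {'aa' * 32} {'11' * 48}"]
    + [f"{label} {'bb' * 32} {'22' * 32}" for label in sorted(TLS13_LABELS)]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'33' * 32}",
       "CLIENT_RANDOM deadbeef"]  # malformed: secret field missing
)

if __name__ == "__main__":
    sessions, malformed = parse_keylog(SAMPLE)
    for rnd in ("aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32):
        print(rnd[:8], key_status(sessions, rnd))
    print("malformed lines:", malformed)
```

A "missing" result points back to the criteria above: the library does not write a key log, or the variable was not set when the process started.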