Ask Your Question

Revision history [back]

While the key log file is non-empty, some keys are still missing.

To cross-reference the keys from the key log file, note that the Key Log File uses the following format for TLS 1.2 secrets:

CLIENT_RANDOM <ClientRandom> <MasterSecret>

This <ClientRandom> is matched against the Random field in the Client Hello message. This command lists the frame number, the Random field and the Server Name for Client Hello messages:

tshark -Y "ssl.handshake.random and ssl.handshake.type==1" -Tfields -e frame.number -e ssl.handshake.random -e ssl.handshake.extensions_server_name -r ssl-decryption-pluralsight.pcapng

We can find a couple of entries, for example:

109     a6268092b93dae607b43fc33d77ef0c44075f24607349f5e12b28ea7fd9d1c4d        mtalk.google.com
115     a623ae678bd391724b27ff2686cf11901fb10046744b1234aca43ec5483e67d3        clientservices.googleapis.com
....
1018    275cfd0cd3bb309e8254ad9e317784d8f83b619b98acbf8946fac6a8f89abd5e        www.pluralsight.com
1245    493e5e9cd87b76d38a18e1272cf4d57cc8551d7cbd349598f53b1445235bfc49        www.pluralsight.com
1248    53c93f64580ac08453d9ba1173a46d5d9b3267b96cedacea800647ba22737500        www.pluralsight.com
...
1960    267cf316f2ab4e6d32400dfc134dca093887cf14c0e35ce3178ca0573a7e69d9        s.ytimg.com

Of all entries, only a few appear to have a match against the key log file (109, 115, 172, 1641, 1960). All others have no match. Let's investigate packet 1018. Its Client Hello looks very unusual, it has a Heartbeat extension and advertises a plethora of cipher suites (53 in total, including uncommon ones such as fixed-DH with DSA (TLS_DH_DSS_WITH_AES_256_GCM_SHA384) and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA). This looks like a client (using OpenSSL?) that has everything enabled by default.

Compare that against frame 109 which advertises only 17 cipher suites, includes GREASE and supported_versions (to advertise TLS 1.3 support). This looks more like a modern browser (Chrome).

My guess is that you have some kind of "antivirus software" installed that intercepts traffic from Chrome and then performs its own external connection. The SSLKEYLOGFILE environment variable likely has no effect on this other piece of software as it requires support from the application (such as Firefox or Chrome).

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2