Ask Your Question
0

TLS decryption is not working

asked 2019-12-15 13:01:03 +0000

pa_ddii gravatar image

Hey,

I'm trying using Wireshark for analyzing a WebRTC-Connection but I have problems with the TLS decryption. I followed some instructions and did:

  1. create a File tls-key.log
  2. Set the SSLKEYLOGFILE-environment variable to the file
  3. Set the path in the Wireshark-Settings
  4. Re-started PC
  5. Start Wireshark-Capture
  6. Start Browser (Chrome or Firefox), opened the WebRCT-App

But after recording the traffic, I'm not able to see the decryptet data. Did I something wrong or forgot something?


Debug-File: https://drive.google.com/open?id=1bZH...

Key-File: https://drive.google.com/open?id=1hR8...

pcapng: https://drive.google.com/open?id=1vBr...

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-12-15 13:30:15 +0000

SYN-bit gravatar image

The command grep -f <(tshark -r Capture01.pcapng -Y tls.handshake.type==1 -T fields -e tls.handshake.random) tlskeys.log does not show any output. This means none of the client_random values from the ClientHello are present in the key-log file.

In other words, your TLS session key collection did not work properly.

  • Did you start Chrome/Firefox from a CMD window that has the SSLKEYLOGFILE environment variable set?
  • Does the "WebRCT-App" use its own TLS library that does not look at the SSLKEYLOGFILE environment variable?
edit flag offensive delete link more

Comments

"Did you start Chrome/Firefox from a CMD window that has the SSLKEYLOGFILE environment variable set? " -> No I did not. I thought the Browser would write the keys automatically by every start. How do I start the Browser with that settings from CMD?

pa_ddii gravatar imagepa_ddii ( 2019-12-15 13:44:04 +0000 )edit

I might have spoken too soon (I'm not a windows user). Here are two links on how to the the environment variable on Windows. Is this what you have done already?

Also interesting is @Lekensteyn's remark in another similar question:

My guess is that you have some kind of "antivirus software" installed that intercepts traffic from Chrome and then performs its own external connection. The SSLKEYLOGFILE environment variable likely has no effect on this other piece of software as it requires support from the application (such as Firefox or Chrome).

SYN-bit gravatar imageSYN-bit ( 2019-12-15 14:27:45 +0000 )edit

Oh yes, you helped me a lot. It was my fu Avast Antivirus. But now I have a reason to uninstall it. Now it works! Thank you very much!!!

pa_ddii gravatar imagepa_ddii ( 2019-12-15 14:46:10 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-12-15 13:01:03 +0000

Seen: 5,233 times

Last updated: Dec 15 '19