
TLS decryption is not working

asked 2019-12-15 13:01:03 +0000

pa_ddii

Hey,

I'm trying to use Wireshark to analyze a WebRTC connection, but I have problems with the TLS decryption. I followed some instructions and did:

  1. create a File tls-key.log
  2. Set the SSLKEYLOGFILE-environment variable to the file
  3. Set the path in the Wireshark-Settings
  4. Re-started PC
  5. Start Wireshark-Capture
  6. Start Browser (Chrome or Firefox), opened the WebRTC-App

But after recording the traffic, I'm not able to see the decrypted data. Did I do something wrong or forget something?


Debug-File: https://drive.google.com/open?id=1bZH...

Key-File: https://drive.google.com/open?id=1hR8...

pcapng: https://drive.google.com/open?id=1vBr...


1 Answer


answered 2019-12-15 13:30:15 +0000

SYN-bit

The command

    grep -f <(tshark -r Capture01.pcapng -Y tls.handshake.type==1 -T fields -e tls.handshake.random) tlskeys.log

does not show any output. This means none of the client_random values from the ClientHello are present in the key-log file.

In other words, your TLS session key collection did not work properly.

  • Did you start Chrome/Firefox from a CMD window that has the SSLKEYLOGFILE environment variable set?
  • Does the "WebRTC-App" use its own TLS library that does not look at the SSLKEYLOGFILE environment variable?

Comments

"Did you start Chrome/Firefox from a CMD window that has the SSLKEYLOGFILE environment variable set?" -> No, I did not. I thought the browser would write the keys automatically on every start. How do I start the browser with those settings from CMD?

pa_ddii (2019-12-15 13:44:04 +0000)

I might have spoken too soon (I'm not a Windows user). Here are two links on how to set the environment variable on Windows. Is this what you have done already?

Also interesting is @Lekensteyn's remark in another similar question:

My guess is that you have some kind of "antivirus software" installed that intercepts traffic from Chrome and then performs its own external connection. The SSLKEYLOGFILE environment variable likely has no effect on this other piece of software as it requires support from the application (such as Firefox or Chrome).

SYN-bit (2019-12-15 14:27:45 +0000)

Oh yes, you helped me a lot. It was my fu Avast Antivirus. But now I have a reason to uninstall it. Now it works! Thank you very much!!!

pa_ddii (2019-12-15 14:46:10 +0000)
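The check from the answer, as an added example that is not part of the original thread: a Python version that matches ClientHello randoms against an NSS key log and, going slightly beyond the grep, reports which labels were logged for each session (CLIENT_RANDOM for TLS 1.2, the *_TRAFFIC_SECRET labels for TLS 1.3). All function names and the sample randoms and secrets are constructed for illustration.

```python
import re

# One NSS key log entry: "<LABEL> <client_random: 64 hex> <secret: hex>"
KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def normalize_random(value):
    """Lower-case a client_random; drop ':' in case it was exported colon-separated."""
    return value.strip().replace(":", "").lower()

def parse_keylog(text):
    """Map client_random -> set of labels; comments and malformed lines are skipped."""
    secrets = {}
    for line in text.splitlines():
        m = KEYLOG_LINE.match(line.strip())
        if m:
            secrets.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return secrets

def coverage(client_randoms, keylog_text):
    """Return {client_random: sorted labels}; an empty list means no key was logged."""
    secrets = parse_keylog(keylog_text)
    return {cr: sorted(secrets.get(cr, ()))
            for cr in map(normalize_random, client_randoms) if cr}

def missing(client_randoms, keylog_text):
    """Client randoms seen in the capture that have no entry in the key log."""
    return [cr for cr, labels in coverage(client_randoms, keylog_text).items() if not labels]

# Constructed sample data (not taken from the poster's files).
R_TLS12 = "a1" * 32   # session logged by the browser (TLS 1.2 style entry)
R_TLS13 = "b2" * 32   # session logged by the browser (TLS 1.3 style entries)
R_OTHER = "c3" * 32   # ClientHello sent by software that ignores SSLKEYLOGFILE

SAMPLE_KEYLOG = "\n".join([
    "# constructed key log",
    f"CLIENT_RANDOM {R_TLS12} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R_TLS13} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R_TLS13} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R_TLS13} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R_TLS13} {'55' * 32}",
    "CLIENT_RANDOM deadbeef 00",   # malformed: random is not 32 bytes
])
# Stand-in for the tshark output used in the answer, one random per line.
SAMPLE_RANDOMS = [R_TLS12.upper(), ":".join([R_TLS13[:2]] * 32), R_OTHER, ""]

if __name__ == "__main__":
    for cr, labels in coverage(SAMPLE_RANDOMS, SAMPLE_KEYLOG).items():
        print(cr[:16] + "...", ", ".join(labels) if labels else "NOT IN KEY LOG")
```

To use it on a real capture, replace SAMPLE_RANDOMS with the lines printed by the tshark command in the answer and SAMPLE_KEYLOG with the contents of the key log file.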


Stats

Asked: 2019-12-15 13:01:03 +0000

Seen: 5,157 times

Last updated: Dec 15 '19