Client-side TLS Decryption not working

asked 2022-01-11 08:27:09 +0000


Dear Sir or Madam,

I set up Wireshark on my PC to decrypt some TLS (1.2) traffic in order to analyse what's outgoing to and incoming from a specific website.

To do so, I had to set an environment variable (SSLKEYLOGFILE), which seems to work great because the file is never empty even if I delete it. But when I set this file in Wireshark in the TLS pane as the pre-master keys file, nothing is decrypted at all.

First, I thought it was my security program (Kaspersky), which I uninstalled in order to get Wireshark working; nothing again. The second step was to try using MITMproxy; the file contains some keys, but again not any of the wanted decryption at all.

Do you have any idea of what could prevent me from decrypting, and what could be the solutions?

PC: Windows 11
Wireshark: latest
Security program: not anymore

If you have any questions, I'm ready to reply.

Thanks for reading.

Respectfully


Comments

Wireshark decryption of TLS traffic works, if it's provided with the correct keying material.

Using SSLKEYLOGFILE should work if the applications generating the TLS traffic use a TLS library that observes that environment variable and emits the correct keying material into the file. Notably, Windows applications using SChannel (the Windows OS TLS library) and Java applications do not do this.

What is the application generating the TLS traffic?

grahamb ( 2022-01-11 08:53:09 +0000 )

Thanks for your reply. The application generating the TLS traffic is Firefox (I tried with Chrome too).

I know it's probably a problem of keys, because the file isn't empty, but why Firefox isn't putting the desired keys in the file, that's the problem. I have to specify that I tried to first initiate a TLS communication in the browser and then start the capture, and the reverse (first start the capture, then Firefox, then try to apply the keys).

thelb ( 2022-01-11 08:56:42 +0000 )

You should start the capture before initiating the connection so that the connection handshake can be captured. You should also ensure all instances of Firefox (and any other applications generating TLS traffic) have been terminated before starting the capture to eliminate possible session key reuse and extraneous traffic.

Have you followed the instructions for decrypting TLS on the wiki? In particular, the TCP protocol preferences.

grahamb ( 2022-01-11 10:37:11 +0000 )
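An added example (not code from the thread, from Wireshark or from Mozilla) that turns the two conditions in grahamb's comments into a check a reader can run: the TLS library must actually have written the session's keys, and the ClientHello of that session must be in the capture. Wireshark ties an NSS key log line to a session by the 32-byte client random from the ClientHello, so the script below parses a key log, pulls the client random out of captured ClientHello records, and reports which randoms have keys, which captured sessions have none (an SChannel application, for instance, never writes to SSLKEYLOGFILE), and which key log entries have no captured handshake (capture started after the connection). The key log text and the ClientHello records are constructed inline for illustration; the function names are mine, and the record parser assumes the ClientHello begins in the record it is given rather than being a fragment.

```python
"""Cross-check an NSS key log file against ClientHello records from a capture.

Added example, not from the original thread.  Wireshark matches a key log
line to a TLS session by the 32-byte client random in the ClientHello, so a
key log that is "not empty" still decrypts nothing when none of its randoms
appear in the capture: the handshake was not captured, or the entries were
written by a different process/TLS stack than the one that produced the
traffic (e.g. an SChannel app that never writes SSLKEYLOGFILE).
"""
import re

# Labels from the NSS key log format.  CLIENT_RANDOM carries the TLS 1.2
# master secret; the *_TRAFFIC_SECRET / EXPORTER_SECRET labels are TLS 1.3.
# All of them are keyed by the client random.  The legacy "RSA" label is
# keyed by the encrypted pre-master secret instead, so it is skipped here.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
_LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Map each client random (lowercase hex) to the labels logged for it."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("RSA "):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"key log line {lineno}: not a <LABEL> <hex> <hex> entry")
        label, client_random, _secret = m.groups()
        if label not in KEYLOG_LABELS:
            raise ValueError(f"key log line {lineno}: unknown label {label!r}")
        entries.setdefault(client_random.lower(), []).append(label)
    return entries


def client_random_from_record(record):
    """Return the client random (hex) from a TLS record holding a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte handshake
    header (type 0x01, 3-byte length), 2-byte client_version, then 32 random
    bytes.  Assumes the ClientHello starts in this record (not a fragment).
    """
    if len(record) < 43:
        raise ValueError("record too short to hold a ClientHello")
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4:
        raise ValueError("record/handshake length fields do not match the data")
    return record[11:43].hex()


def cross_check(keylog_text, records):
    """Classify client randoms: decryptable, captured-but-unkeyed, keyed-but-uncaptured."""
    keyed = parse_keylog(keylog_text).keys()
    captured = {client_random_from_record(r) for r in records}
    return {
        "decryptable": sorted(captured & keyed),
        "captured_without_keys": sorted(captured - keyed),
        "keys_without_handshake": sorted(keyed - captured),
    }


def build_client_hello(client_random):
    """Constructed test input: a minimal, well-formed TLS 1.2 ClientHello record."""
    body = (
        b"\x03\x03" + client_random  # client_version, 32-byte random
        + b"\x00"                    # session_id: empty
        + b"\x00\x02\xc0\x2f"        # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                # compression: null only
        + b"\x00\x00"                # no extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample data (hex values are placeholders, not real secrets).
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    f"CLIENT_RANDOM {'11' * 32} {'22' * 48}\n"                    # TLS 1.2 session, captured
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'44' * 32}\n"  # TLS 1.3 session, not captured
    f"CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'55' * 32}\n"
)
SAMPLE_RECORDS = [
    build_client_hello(bytes.fromhex("11" * 32)),  # keys present -> decrypts
    build_client_hello(bytes.fromhex("66" * 32)),  # e.g. SChannel app: never logged
]

if __name__ == "__main__":
    for status, randoms in cross_check(SAMPLE_KEYLOG, SAMPLE_RECORDS).items():
        print(f"{status}: {randoms}")
```

In practice you would feed `cross_check` the contents of the real SSLKEYLOGFILE and the raw ClientHello records exported from the capture (for example, the TCP payload of frames matching `tls.handshake.type == 1`). An empty `decryptable` list with a non-empty `keys_without_handshake` list is exactly the symptom described in this thread: the file has keys, but not for the sessions in the capture.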

Thanks for your kind help. Yeah, I closed all the Firefox instances, rebooted my PC many times, even tried flight mode to start the capture before any instance of Firefox.

The instructions for the TCP protocol preferences are set.

I cannot read the TCP packets, everything is encrypted. Here is a TCP packet (I tried to log in to the website; zero footprint of my login using frame contains XX):

0000   a0 e7 0b ed a4 3b 84 1b 5e b6 b2 0b 08 00 45 00   .....;..^.....E.
0010   05 dc 57 66 40 00 2e 06 6f 4e 51 ff 6d b5 c0 a8   ..Wf@...oNQ.m...
0020   00 0b 01 bb c2 22 80 41 5f 4c 09 5c 29 f9 50 10   .....".A_L.\).P.
0030   00 94 a7 6b 00 00 be ef 1a 23 b9 06 8f 5c bf ba   ...k.....#...\..
0040   6f c3 d0 73 ...
thelb ( 2022-01-11 13:46:17 +0000 )

I will try soon on Kali Linux; maybe it could work with a different OS. Thanks for your help.

thelb ( 2022-01-12 20:49:33 +0000 )