Ask Your Question

TLS Decryption - when does Wireshark reload the master secret log?

asked 2022-06-13 13:04:31 +0000

wire-rob gravatar image

I am trying to decrypt TLS connections using Wireshark which works in general, but it seems like Wireshark does not detect and reload the configured in TLS options as (Pre)-Master-Secret log filename.

I would expect that at least every time I execute Follow-> TLS stream in Wireshark it should check if the file has been changed an reload the contained keys. Because how is Wireshark supposed to decode a session while capturing is in progress?

At the moment the only reliable way I have found is to stop capturing, save the data to a PCAP file and then reopen the saved PCAP file.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2022-06-14 09:23:01 +0000

Jaap gravatar image

updated 2022-06-14 13:25:07 +0000

A sneak peek at the dissector code seems to suggest that the file is (re-)read whenever a new connection establishment is seen in the capture. That would happen when a redissection takes place to feed the tap into the TCP stream window.

Situation where this does not work could be delayed writes to the key log file by the browser, missing TLS connection establishment in the capture, optimisation/shortcuts in the dissector preventing the key log file read to happen for taps. It would take some experimentation to get to the bottom of this. Therefore this would be an item to file an issue report on, so that someone with time/knowledge can work on it.

edit flag offensive delete link more


Thanks for checking the sources. By "connection establishment" you mean a CLIENT_HELLO or the real start of a TLS connection e.g. Change Cipher Spec? Because at the CLIENT_HELLO it would be impossible to already provide the master key...

wire-rob gravatar imagewire-rob ( 2022-06-14 11:41:00 +0000 )edit

I was referring to Change Cipher Spec, otherwise no key material would be available.

Jaap gravatar imageJaap ( 2022-06-14 13:24:39 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2022-06-13 13:04:31 +0000

Seen: 62 times

Last updated: Jun 14