Ask Your Question
0

How to take a tcpip packet trace with SSLKEYLOGFILE file?

asked 2023-11-10 08:18:49 +0000

Hello, I am trying to view TLS/SSL traffic coming from a Client application (let's call App1) running on zOS side and talking in TLS two way secured connection to a target application (let's call App2) running on Linux server. I could take a TCPIP packet trace using a tcpdump command and want to take advantage from Wireshark capability to decryot SSL traffic (and so able to see exchanged certificates and other interesting things) having a SSLKEYLOGFILE env variable specified and pointing to a SSL Key log file (that needs to be specified as Pre-shared key file). I have specified (I have tried either on client and server side) the following: EXPORT SSLKEYLOGFILE="my_path_name/myssl.log" and capture a TCPIP Packet trace with command: tcpdump -i any -s0 port ppp and host xxxx.xxxx.xxxx.xxxx or host yyyy.yyyy.yyyy.yyyy -w /tmp/mycapture & The result is that tcpip packet trace is indeed created but I cannot create any myssl.log file under SSLKEYLOGFILE specified dir. Do you have some suggestions to provide? How can I take a Wireshark trace with the SSL>> (Pre)-Master-Secret log filename created? Thanks and bye

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2023-11-10 21:07:15 +0000

André gravatar image

Only the endpoints of a TLS connection can provide the session keys. So the SSLKEYLOGFILE environment needs to be set for the TLS client (i.e. browser) or TLS server (i.e. web-service) -- not tcpdump.
For example if the application is written in Java, you may use the jSSLKeyLog library.

The procedure is described here: https://wiki.wireshark.org/TLS#using-...

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-11-10 08:18:49 +0000

Seen: 1,526 times

Last updated: Nov 10 '23