Ask Your Question
0

Cannot Decrypt SSL/TLS Packets Using Pre-Master Secret Log File

asked 2024-10-23 18:46:43 +0000

dave_w gravatar image

Hi,

I'm trying to decode SSL/TLS packets in WireShark.

I set the Windows environmental variable SSLKEYLOGFILE=C:\Users\Dave\ssl-keys.log Just in case, I rebooted.

I then visited several web sites including the one I'm trying to decrypt messages. I did see the log file was written and the contents appear to be normal.

I then started a capture and used a curl command. I find the encrypted packets and my Pre-Master Secret log filename is correct, as shown in the banner above the packets.

Yet, I'm still not able to see decrypted messages.

What am I doing wrong?

Thanks,

Dave

edit retag flag offensive close merge delete

Comments

Where does your version of "curl" come from? Look at the Properties -> Details of the file to find out.

I ask, because there's a possibility it's a binary that's linked to SChannel which does not observe the SSLKEYLOGFILE env var.

grahamb gravatar imagegrahamb ( 2024-10-24 08:24:00 +0000 )edit

Hi grahamb,

Thanks for the reply. Here's the curl version information. I honestly don't remember where I got curl.

curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN
Release-Date: 2024-07-31
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets

Thanks again,

Dave

dave_w gravatar imagedave_w ( 2024-10-24 16:55:47 +0000 )edit

Same as mine, and as you can see in the version info it's using Schannel, so won't emit pre-master secrets.

Not sure where I got mine, I think it's part of the "standard" Windows install these days. Ahh, see here for more info about the MS build.

grahamb gravatar imagegrahamb ( 2024-10-24 17:06:27 +0000 )edit

Have you tried a bigger hammer?
https://learn.microsoft.com/en-us/win...

$ curl -V
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3

Kind of overkill to load WSL and a linux image just for curl but it does work.
(currently using ancient ubuntu 18.04)

Chuckc gravatar imageChuckc ( 2024-10-24 19:31:23 +0000 )edit

Yeah, actually went that route. Installed WSL but got UBUNTU errors. Investigated those, requiring updates to the BIOS. Searched into that, but couldn't find what was needed by UBUNTU, so I gave up and backed that all out.

dave_w gravatar imagedave_w ( 2024-10-24 22:26:41 +0000 )edit

Looks like (not tested yet) that you could get a very basic poller/query using openssl s_client.
(Openssl list of Windows binaries: https://wiki.openssl.org/index.php/Bi...)

Certainly not all the functionality of curl but may help someone that comes across this in the future.

Chuckc gravatar imageChuckc ( 2024-10-25 02:57:12 +0000 )edit

One of the reasons I'm running the old ubuntu is that it looked painful to upgrade from WSL 1 to WSL 2.
Was your install WSL 2? Is WSL 1 still an option to load?

Chuckc gravatar imageChuckc ( 2024-10-25 11:18:26 +0000 )edit

If the rabbit gets too deep, can it ever dig its way out of the rabbit hole? Yet to be determined...

It appears there is no way to decrypt traffic with curl running under Windows. Correct? I will go back and look at WSL and try again. This involves reboots and BIOS updates.

Is there a way to use openssl s_client to do decrypt the curl traffic? I read the openssl documentation and I don't understand if or how to do this.

I thought there might be a work around by decrypting the traffic between a browser and the server. I can capture the traffic in WireShark, but now I no longer see TLS but QUIC. (Ooops, slipped further into that rabbit hole.) It appears there is no way to decrypt QUIC packets. True?

Here's my basic problem:

Using a browser, I can communicate with the server.

Using ...(more)

dave_w gravatar imagedave_w ( 2024-10-25 15:01:02 +0000 )edit

The openssl cli took me to the "certificates" rabbit hole which will require more research. :-)

Not sure if your wsl install was defaulting to version 2 but see here that it requires tighter os integration:
https://learn.microsoft.com/en-us/win...
You might have success by forcing it to be a version 1 install which may not have the BIOS issues.

C:\>wsl -l -v
  NAME            STATE           VERSION
* Ubuntu-18.04    Stopped         1

https://learn.microsoft.com/en-us/win...

To set the default version to WSL 1 or WSL 2 when a new Linux distribution is installed, use the command: 

wsl --set-default-version "Version#", replacing "Version#" with either 1 or 2.
Chuckc gravatar imageChuckc ( 2024-10-25 16:28:07 +0000 )edit

I don't get an option to choose which version of WSL to use.

When Ubuntu runs, I get:

WslRegisterDistribution failed with error: 0x80370102 Please enable the Virtual Machine Platform Windows feature and ensure virtualization is enabled in the BIOS.

Virtual Machine Platform is installed. I see no way to change virtualization in the BIOS.

I just fell to the bottom of this rabbit hole and am now dead.

dave_w gravatar imagedave_w ( 2024-10-25 19:11:26 +0000 )edit
see more comments

2 Answers

Sort by ยป oldest newest most voted
0

answered 2024-11-09 19:44:19 +0000

dave_w gravatar image

Yay! Got it.

First installed the Windows WSL option.

Then edited .bashrc to create the SSLKEYLOGFILE.

Next, ran WireShark.

Then did the curl command to update the log file and capture on WireShark

I had to search the web to find out how to find the log file in ubuntu, then copied that to a more convenient Windows location.

Finally I selected the Pre-master Secret Logfile created by the curl command.

And then everything was decoded.

Thanks to all for your help!!!

Dave

P.S. The reason I got hung up initially is because I was running curl and WireShark on my MacBook Pro running windows. I could never enable virtualization on the Mac, so I moved to a Windows only computer to get this to work.

edit flag offensive delete link more

Comments

Mac running Windows VM running WSL running Ubuntu was probably "a bridge too far".
Glad it worked out. (and makes note to ask "what kind of Windows" in the future.) :-)

Chuckc gravatar imageChuckc ( 2024-11-09 19:49:16 +0000 )edit

I'm running Win10 natively on the Mac with an Intel processor. Of course that all goes away next year since my hardware doesn't support Win11 and Macs don't use Intel anymore. But yes, it was a bridge too far. Thanks.

dave_w gravatar imagedave_w ( 2024-11-09 19:58:51 +0000 )edit

FWIW, I was able to use vcpkg to build curl that was configured to use OpenSSL as the TLS library, my recipe follows using PowerShell:

  1. Install vcpkg, git clone https://github.com/microsoft/vcpkg.git
  2. Bootstrap vcvkg, cd vcpkg; .\bootstrap-vcpkg.bat
  3. Invoke vcpkg to build\install curl with the required options, .\vcpkg.exe install curl[openssl,tool]:x64-windows --recurse
  4. Set your SSLKEYLOGFILE env var, $env:SSLKEYLOGFILE="C:\temp\curl-keylog.txt"
  5. Set the Wireshark TLS preferences to read the keylog file.
  6. Start the Wireshark capture.
  7. Invoke the newly built version of curl as required, .\installed\x64-windows\tools\curl\curl.exe curl ...
  8. Go look at your decrypted data.
grahamb gravatar imagegrahamb ( 2024-11-11 14:18:59 +0000 )edit

Do you think its possible to do the same for ssh on Windows?
SSH decryption encrypted packet - possible?
The question isn't specific to Windows but you seem to be on a roll. :-)

Chuckc gravatar imageChuckc ( 2024-11-11 14:28:53 +0000 )edit

The MS blessed version of OpenSSH (I have 9.8p1 from here) uses LibreSSL 3.9.2 and AFAIK, no version of LibreSSL supports SSLKEYLOGFILE.

grahamb gravatar imagegrahamb ( 2024-11-11 16:17:58 +0000 )edit
add a comment
0

answered 2024-10-24 17:10:51 +0000

grahamb gravatar image

As per the comments above, the curl binary used is built with Schannel so won't emit the secrets to the log file.

edit flag offensive delete link more

Comments

Just downloaded directly from curl.de to get this:

curl 8.10.1 (x86_64-w64-mingw32) libcurl/8.10.1 LibreSSL/4.0.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0 ngtcp2/1.8.1 nghttp3/1.6.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli CAcert HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd

Still does not decrypt.

dave_w gravatar imagedave_w ( 2024-10-24 17:30:56 +0000 )edit

May work for TLS 1.2 but not 1.3?
13672: SSLKEYLOGFILE not working with curl-for-win build

https://github.com/curl/curl/blob/mas...

SSLKEYLOGFILE

If you set this environment variable to a filename, curl stores TLS secrets from its connections in that file when invoked to enable you to analyze the TLS traffic in real time using network analyzing tools such as Wireshark. This works with the following TLS backends: OpenSSL, LibreSSL (TLS 1.2 max), BoringSSL, GnuTLS and wolfSSL.

Chuckc gravatar imageChuckc ( 2024-10-24 19:06:12 +0000 )edit

I still have not successfully decrypted traffic either with a browser or curl under Windows.

The debugging is for a specific purpose. Traffic from my IoT is being blocked by Cloudflare with either a 301 Permanently Moved or 403 Forbidden. Yet a curl command does work. Determining why the curl command works yet my IoT does not might help.

One more thing. Everything worked perfectly between my IoT and the API server until the API server moved behind the Cloudflare secret handshake.

dave_w gravatar imagedave_w ( 2024-11-05 16:43:15 +0000 )edit

OK, I have ubuntu installed and set SSLKEYLOGFILE. My assumption is running curl under ubuntu would then create the logfile, but apparently not. What am I doing wrong now? Thanks!

dave_w gravatar imagedave_w ( 2024-11-09 16:46:25 +0000 )edit

What version info do you get for curl?

~$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
Chuckc gravatar imageChuckc ( 2024-11-09 17:09:34 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-10-23 18:46:43 +0000

Seen: 749 times

Last updated: Nov 09 '24

Related questions

Disable the Diffie-Hellman cipher in Windows 10

ssl decrypt

Decrypt ssl socket JSON-RPC: decrypt_ssl3_record: no decoder available

mitmproxy+wireshark: SSL decryption with sslkey

TLS/SSL - Should this be decryptable?

Unable to decrypt HTTPS TLSv1.2 traffic with wireshark (sha1WithRSAEncryption)

"SSL decode as" for more protocols

rdp decryption over ssl

Wireshark SSLKEYLOGFILE decryption not working

SSL Dissector having public key,private key, DH Params: possibile?