
Cannot Decrypt SSL/TLS Packets Using Pre-Master Secret Log File

asked 2024-10-23 18:46:43 +0000 by dave_w

Hi,

I'm trying to decode SSL/TLS packets in Wireshark.

I set the Windows environment variable SSLKEYLOGFILE=C:\Users\Dave\ssl-keys.log and, just in case, rebooted.

I then visited several web sites, including the one whose messages I'm trying to decrypt. I did see that the log file was written and the contents appear to be normal.

I then started a capture and used a curl command. I find the encrypted packets and my Pre-Master Secret log filename is correct, as shown in the banner above the packets.

Yet, I'm still not able to see decrypted messages.

What am I doing wrong?

Thanks,

Dave


Comments

Where does your version of "curl" come from? Look at the Properties -> Details of the file to find out.

I ask, because there's a possibility it's a binary that's linked to SChannel which does not observe the SSLKEYLOGFILE env var.

grahamb ( 2024-10-24 08:24:00 +0000 )

Hi grahamb,

Thanks for the reply. Here's the curl version information. I honestly don't remember where I got curl.

curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN
Release-Date: 2024-07-31
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets

Thanks again,

Dave

dave_w ( 2024-10-24 16:55:47 +0000 )

Same as mine, and as you can see in the version info it's using Schannel, so won't emit pre-master secrets.

Not sure where I got mine, I think it's part of the "standard" Windows install these days. Ahh, see here for more info about the MS build.

grahamb ( 2024-10-24 17:06:27 +0000 )

Have you tried a bigger hammer?
https://learn.microsoft.com/en-us/win...

$ curl -V
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3

Kind of overkill to load WSL and a linux image just for curl but it does work.
(currently using ancient ubuntu 18.04)

Chuckc ( 2024-10-24 19:31:23 +0000 )

Yeah, actually went that route. Installed WSL but got Ubuntu errors. Investigated those, requiring updates to the BIOS. Searched into that, but couldn't find what was needed by Ubuntu, so I gave up and backed that all out.

dave_w ( 2024-10-24 22:26:41 +0000 )

2 Answers


answered 2024-11-09 19:44:19 +0000 by dave_w

Yay! Got it.

First installed the Windows WSL option.

Then edited .bashrc to create the SSLKEYLOGFILE.

Next, ran Wireshark.

Then did the curl command to update the log file and capture in Wireshark.

I had to search the web to find out how to find the log file in ubuntu, then copied that to a more convenient Windows location.

Finally I selected the Pre-master Secret Logfile created by the curl command.

And then everything was decoded.

Thanks to all for your help!!!

Dave

P.S. The reason I got hung up initially is because I was running curl and Wireshark on my MacBook Pro running Windows. I could never enable virtualization on the Mac, so I moved to a Windows-only computer to get this to work.

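The steps above produce a key log file, but the thread keeps circling one question: does that file actually contain what Wireshark needs for the session in the capture? The checker below is an added example (not code from the thread, from Wireshark or from curl). It parses the NSS key log format that SSLKEYLOGFILE uses, counts sessions that carry TLS 1.2 secrets versus complete TLS 1.3 secrets, pulls the Random out of a raw ClientHello record so it can be matched against the log, and reports which labels are missing for a given session. The key log lines and ClientHello bytes are constructed for the example; the four TLS 1.3 labels it requires are the handshake and application traffic secrets for both directions, which is an assumption about the minimum a bidirectional decrypt needs (CLIENT_EARLY_TRAFFIC_SECRET and EXPORTER_SECRET are not required here).

```python
import re

# One line per TLS 1.2 session: CLIENT_RANDOM <client_random> <master_secret>.
TLS12_LABELS = {"CLIENT_RANDOM"}
# Labels assumed necessary to decrypt a TLS 1.3 session in both directions.
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Parse NSS key-log text into {client_random_hex: {label: secret_hex}}.
    '#' comment lines and blank lines are skipped; any other line that is not
    `LABEL <64 hex chars> <hex>` raises ValueError naming the line number."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if (len(parts) != 3 or len(parts[1]) != 64
                or not (_HEX.match(parts[1]) and _HEX.match(parts[2]))):
            raise ValueError("malformed key log line %d: %r" % (lineno, raw))
        label, client_random, secret = parts
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions


def summarize(sessions):
    """Count sessions with TLS 1.2 secrets, complete TLS 1.3 secrets, or neither."""
    counts = {"tls12": 0, "tls13": 0, "incomplete": 0}
    for labels in sessions.values():
        have = set(labels)
        if TLS12_LABELS & have:
            counts["tls12"] += 1
        elif TLS13_LABELS <= have:
            counts["tls13"] += 1
        else:
            counts["incomplete"] += 1
    return counts


def client_random_from_hello(record):
    """Return the 32-byte Random of a ClientHello as lowercase hex, given the
    raw TLS record as seen on the wire (5-byte record header first)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:
        raise ValueError("ClientHello truncated")
    return hello[2:34].hex()  # skip legacy_version, then the 32-byte Random


def can_decrypt(sessions, client_random_hex, negotiated_version):
    """Given a ClientHello Random and the version chosen in the ServerHello
    ('1.2' or '1.3'), return (ok, missing_labels) for that session."""
    have = set(sessions.get(client_random_hex.lower(), {}))
    need = TLS12_LABELS if negotiated_version == "1.2" else TLS13_LABELS
    missing = sorted(need - have)
    return (not missing, missing)


# Constructed sample data, not from a real capture: two ClientHello Randoms and
# a key log covering one TLS 1.2 session fully and one TLS 1.3 session only
# partially (handshake secrets present, application secrets never written).
RANDOM_A = bytes(range(32))
RANDOM_B = bytes(range(32, 64))


def build_client_hello(random32):
    """Minimal ClientHello record: legacy_version, Random, empty session id,
    one cipher suite (TLS_AES_128_GCM_SHA256), null compression, no extensions."""
    hello = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by OpenSSL",
    "CLIENT_RANDOM %s %s" % (RANDOM_A.hex(), "aa" * 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s" % (RANDOM_B.hex(), "bb" * 32),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s" % (RANDOM_B.hex(), "cc" * 32),
])

if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(sessions))
    for rnd, ver in ((RANDOM_A, "1.2"), (RANDOM_B, "1.3")):
        cr = client_random_from_hello(build_client_hello(rnd))
        print(cr[:16] + "...", "TLS " + ver, can_decrypt(sessions, cr, ver))
```

To check a real capture, read the file with parse_keylog, copy the ClientHello Random from Wireshark (Handshake Protocol: Client Hello, Random) and pass it to can_decrypt together with the version the ServerHello selected. A Random that is absent from the log altogether means the process that opened the connection never honoured SSLKEYLOGFILE, which is the Schannel case in this thread; a Random present only as CLIENT_RANDOM while the server picked TLS 1.3 is the LibreSSL "TLS 1.2 max" case.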

Comments

Mac running Windows VM running WSL running Ubuntu was probably "a bridge too far".
Glad it worked out. (and makes note to ask "what kind of Windows" in the future.) :-)

Chuckc ( 2024-11-09 19:49:16 +0000 )

I'm running Win10 natively on the Mac with an Intel processor. Of course that all goes away next year since my hardware doesn't support Win11 and Macs don't use Intel anymore. But yes, it was a bridge too far. Thanks.

dave_w ( 2024-11-09 19:58:51 +0000 )

FWIW, I was able to use vcpkg to build curl that was configured to use OpenSSL as the TLS library, my recipe follows using PowerShell:

  1. Install vcpkg, git clone https://github.com/microsoft/vcpkg.git
  2. Bootstrap vcpkg, cd vcpkg; .\bootstrap-vcpkg.bat
  3. Invoke vcpkg to build\install curl with the required options, .\vcpkg.exe install curl[openssl,tool]:x64-windows --recurse
  4. Set your SSLKEYLOGFILE env var, $env:SSLKEYLOGFILE="C:\temp\curl-keylog.txt"
  5. Set the Wireshark TLS preferences to read the keylog file.
  6. Start the Wireshark capture.
  7. Invoke the newly built version of curl as required, .\installed\x64-windows\tools\curl\curl.exe curl ...
  8. Go look at your decrypted data.
grahamb ( 2024-11-11 14:18:59 +0000 )

Do you think its possible to do the same for ssh on Windows?
SSH decryption encrypted packet - possible?
The question isn't specific to Windows but you seem to be on a roll. :-)

Chuckc ( 2024-11-11 14:28:53 +0000 )

The MS blessed version of OpenSSH (I have 9.8p1 from here) uses LibreSSL 3.9.2 and AFAIK, no version of LibreSSL supports SSLKEYLOGFILE.

grahamb ( 2024-11-11 16:17:58 +0000 )

answered 2024-10-24 17:10:51 +0000 by grahamb

As per the comments above, the curl binary used is built with Schannel, so it won't emit the secrets to the log file.


Comments

Just downloaded directly from curl.de to get this:

curl 8.10.1 (x86_64-w64-mingw32) libcurl/8.10.1 LibreSSL/4.0.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0 ngtcp2/1.8.1 nghttp3/1.6.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli CAcert HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd

Still does not decrypt.

dave_w ( 2024-10-24 17:30:56 +0000 )

May work for TLS 1.2 but not 1.3?
13672: SSLKEYLOGFILE not working with curl-for-win build

https://github.com/curl/curl/blob/mas...

SSLKEYLOGFILE

If you set this environment variable to a filename, curl stores TLS secrets from its connections in that file when invoked to enable you to analyze the TLS traffic in real time using network analyzing tools such as Wireshark. This works with the following TLS backends: OpenSSL, LibreSSL (TLS 1.2 max), BoringSSL, GnuTLS and wolfSSL.

Chuckc ( 2024-10-24 19:06:12 +0000 )
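The backend list quoted from curl's documentation above is the whole diagnosis in this thread, and it can be checked mechanically before anyone starts a capture. The helper below is an added example (not code from the thread or from the curl project): it parses the first line of `curl -V`, names the TLS backend the build is linked against and states whether SSLKEYLOGFILE will yield secrets for TLS 1.2, for TLS 1.2 and 1.3, or not at all. The table holds only the backends named on this page (Schannel's entry comes from the comments above); anything else is reported as unknown rather than guessed. Sample input is the three `curl -V` banners posted in the thread; the treatment of multi-backend builds (first listed backend is the active one unless CURL_SSL_BACKEND says otherwise) is an assumption.

```python
import re

# TLS backend names as printed in the first line of `curl -V`, mapped to the
# newest TLS version whose secrets that backend writes to SSLKEYLOGFILE.
# None means the backend never writes the file.  Only backends named on this
# page are listed; anything else is reported as unknown.
KEYLOG_MAX_TLS = {
    "OpenSSL": "1.3",
    "BoringSSL": "1.3",
    "GnuTLS": "1.3",
    "wolfSSL": "1.3",
    "LibreSSL": "1.2",
    "Schannel": None,
}

_BANNER = re.compile(r"^curl\s+(?P<ver>\S+)\s+\((?P<target>[^)]+)\)\s*(?P<libs>.*)$")


def parse_banner(first_line):
    """Split the first line of `curl -V` into (curl_version, target, libs),
    where libs maps each component name to its version string, or None for
    bare names such as 'Schannel' or 'WinIDN'."""
    m = _BANNER.match(first_line.strip())
    if not m:
        raise ValueError("not a curl -V banner: %r" % first_line)
    libs = {}
    for token in m.group("libs").split():
        name, sep, version = token.strip("()").partition("/")
        libs[name] = version if sep else None
    return m.group("ver"), m.group("target"), libs


def keylog_support(version_output):
    """Return (backends, max_tls) for a `curl -V` dump: the recognised TLS
    backends in the order curl lists them, and the highest TLS version whose
    secrets the first one logs ('1.3', '1.2' or None).
    Assumption: in a multi-backend build the first listed backend is the
    active one unless CURL_SSL_BACKEND overrides it."""
    first_line = version_output.strip().splitlines()[0]
    _, _, libs = parse_banner(first_line)
    backends = [name for name in libs if name in KEYLOG_MAX_TLS]
    if not backends:
        return [], None
    return backends, KEYLOG_MAX_TLS[backends[0]]


def explain(version_output):
    """One-line verdict a practitioner can act on."""
    backends, max_tls = keylog_support(version_output)
    if not backends:
        return "unknown TLS backend: check curl's SSLKEYLOGFILE documentation"
    name = backends[0]
    if max_tls is None:
        return "%s: SSLKEYLOGFILE is ignored, use a curl linked against OpenSSL or similar" % name
    if max_tls == "1.2":
        return "%s: secrets logged for TLS 1.2 only; TLS 1.3 sessions will not decrypt" % name
    return "%s: secrets logged for TLS 1.2 and 1.3" % name


# The three `curl -V` banners posted in this thread, used here as sample input.
SCHANNEL_CURL = "curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN"
LIBRESSL_CURL = ("curl 8.10.1 (x86_64-w64-mingw32) libcurl/8.10.1 LibreSSL/4.0.0 "
                 "zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 "
                 "libssh2/1.11.1 nghttp2/1.64.0 ngtcp2/1.8.1 nghttp3/1.6.0")
OPENSSL_CURL = ("curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 "
                "zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) "
                "nghttp2/1.30.0 librtmp/2.3")

if __name__ == "__main__":
    import subprocess
    for banner in (SCHANNEL_CURL, LIBRESSL_CURL, OPENSSL_CURL):
        print(explain(banner))
    # Also classify whichever curl is first on PATH, if there is one.
    try:
        out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
        print("local curl:", explain(out))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("local curl: not found")
```

Run it before capturing: if the local curl comes back as Schannel, no amount of Wireshark configuration will help, and the fix is a different build of curl (the vcpkg recipe or WSL route in the other answer).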

I still have not successfully decrypted traffic either with a browser or curl under Windows.

The debugging is for a specific purpose. Traffic from my IoT is being blocked by Cloudflare with either a 301 Permanently Moved or 403 Forbidden. Yet a curl command does work. Determining why the curl command works yet my IoT does not might help.

One more thing. Everything worked perfectly between my IoT and the API server until the API server moved behind the Cloudflare secret handshake.

dave_w ( 2024-11-05 16:43:15 +0000 )

OK, I have ubuntu installed and set SSLKEYLOGFILE. My assumption is running curl under ubuntu would then create the logfile, but apparently not. What am I doing wrong now? Thanks!

dave_w ( 2024-11-09 16:46:25 +0000 )

What version info do you get for curl?

~$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
Chuckc ( 2024-11-09 17:09:34 +0000 )

Sorry. My bad. I had to dust off my old UNIX and Vi skills. I was able to put the log file where I wanted. Now I need to figure out how to use it in my environment. Have to solve the ubuntu/Windows issue next. Stay tuned... Thanks again!

dave_w ( 2024-11-09 19:07:29 +0000 )
