Wireshark SSLKEYLOGFILE decryption not working

asked 2018-11-25 05:01:16 +0000

Hello, I am trying to view TLS/SSL traffic coming from my Chrome and have been following the basic tutorials from https://jimshaver.net/2015/02/11/decr... and www.pluralsight.com (Troubleshooting with Wireshark: Analysing and Decrypting TLS Traffic with Wireshark).

As per the instructions I have

  1. Created a system environment variable "SSLKEYLOGFILE" pointing to a text file called sslkey.log
  2. Changed the settings of Wireshark in Preferences>>Protocols>>SSL>> (Pre)-Master-Secret log filename to the location of sslkey.log
  3. Closed all instances of Chrome and Wireshark
  4. Began capturing on Wireshark
  5. Opened an incognito browser with Chrome and navigated to https://www.pluralsight.com

After that, the packets remain encrypted and no Decrypted SSL tab shows. I verified that the paths are not misspelled and that Chrome is writing into the sslkey.log file.

The Cipher Suite being used is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but that didn't seem to be an issue in the tutorials.

I'm not great at interpreting the SSL debug file but it seems like most every frame logs: decrypt_ssl3_record: no decoder available. But it also seems that the log file can match the CLIENT_RANDOM entries in the sslkey.log file:

checking keylog line: CLIENT_RANDOM a623ae678bd391724b27ff2686cf11901fb10046744b1234aca43ec5483e67d3 fbdab28bda6a74c5f00b61675500c44fe4ebdac31407a6a891cdb801f5112eb85a7b17db560d7d49ed8783a67b1550df matched client_random

I'm on Windows 10, Chrome (70.0.3538.110) (64-bit), and Wireshark 2.6.4 (v2.6.4-0-g29d48ec8).

Here are links to the sslkey.log, ssldebug.log, and pcapng: https://drive.google.com/drive/folder...

Any comment or feedback is much appreciated.

Thank You.
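
An added example, not part of the original post and not Wireshark's own code: a small checker for the key log side of the setup described above, which validates each line of an SSLKEYLOGFILE and reports what it holds for a given client random. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Labels from the NSS key log format. CLIENT_RANDOM carries a 48-byte TLS 1.2
# master secret; the others carry TLS 1.3 secrets (32 or 48 bytes).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
TLS13_NEEDED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
HEX = re.compile(r"[0-9a-fA-F]+")

def parse_keylog(text):
    """Return (entries, problems); entries maps client random -> {label: secret}."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        fields = line.split()
        if len(fields) != 3:
            problems.append((lineno, "expected 3 space-separated fields"))
            continue
        label, rnd, secret = fields
        if label == "CLIENT_RANDOM":
            ok_len = (96,)
        elif label in TLS13_LABELS:
            ok_len = (64, 96)
        else:
            problems.append((lineno, "label not handled by this example: " + label))
            continue
        if not HEX.fullmatch(rnd) or len(rnd) != 64:
            problems.append((lineno, "client random is not 64 hex characters"))
        elif not HEX.fullmatch(secret) or len(secret) not in ok_len:
            problems.append((lineno, "secret has wrong length or is not hex"))
        else:
            entries.setdefault(rnd.lower(), {})[label] = secret.lower()
    return entries, problems

def lookup(entries, client_random):
    """Classify what the key log holds for one ClientHello random (hex string)."""
    labels = entries.get(client_random.lower())
    if labels is None:
        return "no-entry"
    if "CLIENT_RANDOM" in labels:
        return "tls12-master-secret"
    return "tls13-complete" if TLS13_NEEDED <= set(labels) else "tls13-partial"

# Constructed sample input (not taken from the poster's files).
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "cd" * 20,   # truncated secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "ef" * 32 + " " + "01" * 32,
])
```

The client random to look up is the Random field of the Client Hello in the capture, written as 64 hex characters.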
