Ask Your Question
0

Wireshark SSLKEYLOGFILE decryption not working

asked 2018-11-25 05:01:16 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hello, I am trying to view TLS/SSL traffic coming from my Chrome and have been following the basic tutorials from https://jimshaver.net/2015/02/11/decr... and www.pluralsight.com (Troubleshooting with Wireshark: Analysing and Decrypting TLS Traffic with Wireshark).

As per the instructions I have

  1. Created a system environment variable "SSLKEYLOGFILE" to a text file called sslkey.log
  2. Changed the settings of wireshark in Perferences>>Protocols>>SSL>> (Pre)-Master-Secret log filename to the location of sslkey.log
  3. Closed all instances of Chrome and Wireshark
  4. Began capturing on Wireshark
  5. Opened an incognito browser with Chrome and navigated to https://www.pluralsight.com

After that the packets remain encrypted and no Decrypted SSL tab shows. I verified that the paths are not misspelled and the Chrome is writing into the sslkey.log file.

The Cipher Suite being used is TLS ECDHE RSA WITH AES 128 GCM SHA256 but that didn't seem to be an issue in the tutorials.

I'm not great at interpreting the SSL debug file but it seems like most every frame logs: decrypt_ssl3_record: no decoder available. But it also seems that the log file can match the CLIENT_RANDOM entries in the sslkey.log file:

checking keylog line: CLIENT_RANDOM a623ae678bd391724b27ff2686cf11901fb10046744b1234aca43ec5483e67d3 fbdab28bda6a74c5f00b61675500c44fe4ebdac31407a6a891cdb801f5112eb85a7b17db560d7d49ed8783a67b1550df
matched client_random

I'm on Windows 10, Chrome (70.0.3538.110) (64-bit), and Wireshark 2.6.4 (v2.6.4-0-g29d48ec8).

Here are links to the sslkey.log, ssldebug.log, and pcapng: https://drive.google.com/drive/folder...

Any comment or feedback is much appreciated.

Thank You.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-12-19 22:46:29 +0000

Lekensteyn gravatar image

While the key log file is non-empty, some keys are still missing.

To cross-reference the keys from the key log file, note that the Key Log File uses the following format for TLS 1.2 secrets:

CLIENT_RANDOM <ClientRandom> <MasterSecret>

This <ClientRandom> is matched against the Random field in the Client Hello message. This command lists the frame number, the Random field and the Server Name for Client Hello messages:

tshark -Y "ssl.handshake.random and ssl.handshake.type==1" -Tfields -e frame.number -e ssl.handshake.random -e ssl.handshake.extensions_server_name -r ssl-decryption-pluralsight.pcapng

We can find a couple of entries, for example:

109     a6268092b93dae607b43fc33d77ef0c44075f24607349f5e12b28ea7fd9d1c4d        mtalk.google.com
115     a623ae678bd391724b27ff2686cf11901fb10046744b1234aca43ec5483e67d3        clientservices.googleapis.com
....
1018    275cfd0cd3bb309e8254ad9e317784d8f83b619b98acbf8946fac6a8f89abd5e        www.pluralsight.com
1245    493e5e9cd87b76d38a18e1272cf4d57cc8551d7cbd349598f53b1445235bfc49        www.pluralsight.com
1248    53c93f64580ac08453d9ba1173a46d5d9b3267b96cedacea800647ba22737500        www.pluralsight.com
...
1960    267cf316f2ab4e6d32400dfc134dca093887cf14c0e35ce3178ca0573a7e69d9        s.ytimg.com

Of all entries, only a few appear to have a match against the key log file (109, 115, 172, 1641, 1960). All others have no match. Let's investigate packet 1018. Its Client Hello looks very unusual, it has a Heartbeat extension and advertises a plethora of cipher suites (53 in total, including uncommon ones such as fixed-DH with DSA (TLS_DH_DSS_WITH_AES_256_GCM_SHA384) and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA). This looks like a client (using OpenSSL?) that has everything enabled by default.

Compare that against frame 109 which advertises only 17 cipher suites, includes GREASE and supported_versions (to advertise TLS 1.3 support). This looks more like a modern browser (Chrome).

My guess is that you have some kind of "antivirus software" installed that intercepts traffic from Chrome and then performs its own external connection. The SSLKEYLOGFILE environment variable likely has no effect on this other piece of software as it requires support from the application (such as Firefox or Chrome).

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

3 followers

Stats

Asked: 2018-11-25 05:01:16 +0000

Seen: 4,797 times

Last updated: Dec 19 '18