Hello, I am trying to view TLS/SSL traffic coming from my Chrome and have been following the basic tutorials from https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way and www.pluralsight.com (Troubleshooting with Wireshark: Analysing and Decrypting TLS Traffic with Wireshark).
As per the instructions I have:
- Created a system environment variable "SSLKEYLOGFILE" pointing to a text file called sslkey.log
- Changed the settings of Wireshark in Preferences>>Protocols>>SSL>> (Pre)-Master-Secret log filename to the location of sslkey.log
- Closed all instances of Chrome and Wireshark
- Began capturing on Wireshark
- Opened an incognito browser with Chrome and navigated to https://www.pluralsight.com
After that the packets remain encrypted and no Decrypted SSL tab shows. I verified that the paths are not misspelled and that Chrome is writing into the sslkey.log file.
The Cipher Suite being used is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but that didn't seem to be an issue in the tutorials.
I'm not great at interpreting the SSL debug file but it seems like most every frame logs "decrypt_ssl3_record: no decoder available". But it also seems that the log file can match the CLIENT_RANDOM entries in the sslkey.log file:
checking keylog line: CLIENT_RANDOM a623ae678bd391724b27ff2686cf11901fb10046744b1234aca43ec5483e67d3 fbdab28bda6a74c5f00b61675500c44fe4ebdac31407a6a891cdb801f5112eb85a7b17db560d7d49ed8783a67b1550df
matched client_random
I'm on Windows 10, Chrome (70.0.3538.110) (64-bit), and Wireshark 2.6.4 (v2.6.4-0-g29d48ec8).
Here are links to the sslkey.log, ssldebug.log, and pcapng: https://drive.google.com/drive/folders/1vEeJI13Dufd_Nz0NIx0BLQDVyYzUVbay?usp=sharing
Any comment or feedback is much appreciated.
Thank You.
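
Added example, not part of the original post: a check that a key log file written through SSLKEYLOGFILE is well formed and holds an entry for the Random of a given ClientHello, independent of Wireshark. The function names and the sample lines are constructed for illustration; the field lengths follow the NSS key log format.

```python
import re

# Labels defined by the NSS key log format. TLS 1.2 sessions use CLIENT_RANDOM
# (or RSA); TLS 1.3 sessions log one secret per handshake stage.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS13_LABELS | {"CLIENT_RANDOM", "RSA"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, problems); entries maps identifier -> {label: secret}."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 fields"))
            continue
        label, ident, secret = parts
        if label not in KNOWN_LABELS:
            problems.append((lineno, "unknown label"))
        elif not (HEX.match(ident) and HEX.match(secret)):
            problems.append((lineno, "non-hex field"))
        elif label == "CLIENT_RANDOM" and (len(ident), len(secret)) != (64, 96):
            problems.append((lineno, "bad CLIENT_RANDOM lengths"))
        elif label in TLS13_LABELS and (len(ident) != 64 or len(secret) not in (64, 96)):
            problems.append((lineno, "bad TLS 1.3 lengths"))
        else:
            entries.setdefault(ident.lower(), {})[label] = secret.lower()
    return entries, problems

def lookup(entries, client_random_hex):
    """Labels logged for the Random value copied from a ClientHello."""
    return sorted(entries.get(client_random_hex.lower(), {}))

# Constructed sample, not taken from the poster's sslkey.log.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "cd" * 40,   # secret cut short
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "ef" * 32 + " " + "01" * 32,
])

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE)
    print(lookup(entries, "AB" * 32), problems)
```

An empty result from lookup for a ClientHello that is in the capture means the key log has no usable secret for that session.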