
Decrypt TLS sessions using Wireshark

Article ID: 173402

Products

ProxySG Software - SGOS
Web Security Service - WSS

Issue/Introduction

You would like to decrypt TLS sessions in Wireshark in order to inspect the protocols tunneled inside them, for example HTTP. In a forward proxy deployment where the proxy intercepts SSL/TLS, the browser's TLS session terminates at the proxy, so the technique described here provides a decrypted packet capture of the leg between the client and the proxy. The secrets logged by the browser belong to that session only; they do not decrypt the separate TLS session between the proxy and the origin server.

Resolution

Applications such as Mozilla Firefox and Google Chrome can write the secrets of every TLS session they negotiate to a file in the NSS key log format: for TLS 1.2 and earlier the master secret, for TLS 1.3 the handshake and traffic secrets, each keyed by the session's Client Random. The file is named by the SSLKEYLOGFILE environment variable. Wireshark can read this file and use the secrets to decrypt the captured TLS sessions. Anyone who obtains the file can decrypt the same traffic, so keep it on the analyst's machine, remove the variable when the investigation is finished, and delete the file.

Configuration Steps

  1. In Windows, navigate to Control Panel > System and Security > System then click Advanced System Settings



  2. On the System Properties dialog that appears, click Environment Variables



  3. Click New... to create a new user variable. Set the variable name to SSLKEYLOGFILE and the value to the path of the file the secrets should be written to, e.g. C:\temp\sslkeylog.log. The folder (here C:\temp) must already exist: the browser creates the file but not the directory.



  4. Sign out and back in, or restart the computer, so that newly started programs see the variable. The browser reads SSLKEYLOGFILE only when it starts, so fully quit it before launching it again; Chrome may keep running in the background after its last window closes, so end it from Task Manager if necessary.
  5. In Wireshark, navigate to Edit and open Preferences



  6. Expand the Protocols menu



  7. In Wireshark 2.9 and later, select the TLS protocol; in earlier versions the same entry is named SSL.
  8. For (Pre)-Master-Secret log filename, click Browse and select the log file configured in step 3. On the command line, tshark accepts the same setting as -o tls.keylog_file:C:\temp\sslkeylog.log.



  9. Packets belonging to sessions whose secrets are in the log file now show the tunneled protocol (for example HTTP) above the TLS layer in the packet details, and a Decrypted TLS tab appears at the bottom of the packet bytes pane. A session stays encrypted if its secrets are not in the file, for example because it was established by a browser started before the variable was set, or by another application. Decryption also requires the session's handshake (the ClientHello) to be present in the capture, because Wireshark matches log lines to sessions by the Client Random it carries.
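The key log file referred to in steps 3 and 8 is a plain text file in the NSS key log format: one line per secret, keyed by the 32-byte Client Random that the browser sends in its ClientHello, which is how Wireshark pairs a captured session with its secret. When a session stays encrypted after following these steps, the usual reason is that its Client Random has no line in the file. The Python script below is added here as an illustration; it is not part of this article and not a Broadcom or Wireshark tool. It parses such a file, extracts the Client Random from a raw ClientHello record, and reports for each session whether the file holds a TLS 1.2 master secret, a complete set of TLS 1.3 secrets, an incomplete set, or nothing. The key log lines and ClientHello records it works on are constructed inside the script, and all function names are the example's own.

```python
import struct
from collections import defaultdict

# Labels used by the NSS key log format. CLIENT_RANDOM carries the TLS 1.2
# master secret; a TLS 1.3 session gets one line per derived secret instead.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}


def parse_keylog(text):
    """Parse key log text into {client_random_hex: {label: secret_hex}}.

    Each line is '<LABEL> <client random, 64 hex chars> <secret, hex>'.
    Blank lines and '#' comments are skipped; malformed lines raise.
    """
    secrets = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, found {len(fields)}")
        label, client_random, secret = fields
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        bytes.fromhex(client_random)  # raises on non-hex input
        bytes.fromhex(secret)
        secrets[client_random.lower()][label] = secret.lower()
    return dict(secrets)


def client_random_from_client_hello(record):
    """Return the hex Client Random from a raw TLS record holding a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte handshake
    header (type 0x01, 3-byte length), 2-byte legacy_version, 32-byte Random.
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short to hold a ClientHello")
    content_type, _version, _record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43].hex()


def decryptability(secrets, client_random_hex):
    """Say what Wireshark could do with this session given the key log.

    'tls1.2': master secret present. 'tls1.3': all four traffic secrets
    present. 'partial': some TLS 1.3 lines missing (log truncated or browser
    closed mid-handshake). 'missing': no line for this Client Random at all.
    """
    labels = set(secrets.get(client_random_hex.lower(), {}))
    if not labels:
        return "missing"
    if TLS12_LABEL in labels:
        return "tls1.2"
    if TLS13_REQUIRED <= labels:
        return "tls1.3"
    return "partial"


def build_client_hello(random_bytes):
    """Build a minimal ClientHello record (constructed test data, not captured
    traffic): one cipher suite, empty session id, no extensions."""
    body = (
        b"\x03\x03" + random_bytes  # legacy_version, Random
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # compression_methods: null
        + b"\x00\x00"                # extensions length 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def check_capture(keylog_text, client_hello_records):
    """Map each ClientHello's Client Random to its decryptability verdict."""
    secrets = parse_keylog(keylog_text)
    verdicts = {}
    for rec in client_hello_records:
        client_random = client_random_from_client_hello(rec)
        verdicts[client_random] = decryptability(secrets, client_random)
    return verdicts


# Constructed sample data: three sessions, one per outcome. The secret values
# are placeholders, not real key material.
RANDOM_A = bytes(range(0x20, 0x40))   # TLS 1.2 session, secret logged
RANDOM_B = bytes(range(0x40, 0x60))   # TLS 1.3 session, secrets logged
RANDOM_C = bytes(range(0x60, 0x80))   # session whose secrets never reached the log
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'b4' * 32}",
    f"EXPORTER_SECRET {RANDOM_B.hex()} {'b5' * 32}",
])

if __name__ == "__main__":
    records = [build_client_hello(r) for r in (RANDOM_A, RANDOM_B, RANDOM_C)]
    for client_random, verdict in check_capture(SAMPLE_KEYLOG, records).items():
        print(f"{client_random[:16]}...  {verdict}")
```

Run as-is, the script prints a verdict for each of the three constructed sessions. To check a real investigation, pass it the contents of the SSLKEYLOGFILE and the raw bytes of each captured ClientHello record (for example copied from Wireshark's packet bytes pane); any session reported as missing will not decrypt no matter how Wireshark is configured, and the fix is on the browser side (restart it after setting the variable, or confirm the traffic came from the logging application).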
