How to Decrypt SSL using Chrome or Firefox and Wireshark in Windows
126484
Created On 10/10/20 05:11 AM - Last Modified 10/16/24 23:55 PM
Objective
Capture SSL session keys from encrypted web-browsing or other web application traffic in Chrome or Firefox and use it to decrypt packet captures in Wireshark.
Environment
- Windows 7 or Windows 10
- Chrome 85 or newer, or Firefox 81 or newer
- Wireshark 3.2.7 or newer
- SSL/TLS sessions using RSA, DHE or ECDHE key-exchange algorithms.
Procedure
1. Close Chrome or Firefox completely. Make sure all instances are closed.
2. Open the Start menu, and type env, select "Edit environment variables for your account".
3. In the "Environment Variables" window, under "User variables for %user%", click on "New...".
4. In "New User Variable" window enter:
Variable name: SSLKEYLOGFILE
Variable value: %USERPROFILE%\Desktop\sslkey.log
5. Click OK to accept the "New User Variable" entry, and OK to accept and close the new "Environment Variable" window.
6. Launch Wireshark, and start the packet capture.
7. Launch Chrome or Firefox, and verify that the sslkey.log file is created.
8. Browse to the website or web application that is being tested and run all actions that need to be captured.
In our example we download the malware test file from the EICAR secure site.
9. Check in Wireshark to confirm that the activity was properly collected, and stop the capture.
10. In Wireshark go to [ Edit > Preferences > Protocols > TLS ]. Under (Pre)-Master-Secret log filename, select the sslkey.log file created in Step 7, and click on OK.
11. The decrypted packet capture is displayed in Wireshark.
12. (Optional) Follow the HTTP Stream to visualize the decrypted contents.
Note1: The steps may change when Windows or Chrome gets updated.
Note2: This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.
Additional Information
Troubleshooting issues below
- The key log file is created but after loading it in Wireshark sessions are not decrypted
- After setting the SSLKEYLOGFILE environment variable the key log file does not appear
Use tshark to decrypt and export packets
There is currently no way to export the decrypted packet captures from Wireshark in PCAP format, however, this task can be achieved using tshark, which is the command-line counterpart of Wireshark. It allows you to extract and save the decrypted data.
-
Ensure you have the (Pre)-Master-Secret keys available.
-
Run
tshark
with the TLS key log and appropriate decryption settings:tshark -r original.pcap -o tls.keylog_file:/path/to/your/tls_keys.log -o tls.desegment_ssl_records:TRUE -o tls.desegment_ssl_application_data:TRUE -w decrypted.pcap
-r original.pcap
: Your original PCAP file with encrypted TLS packets.-o tls.keylog_file
: Path to your TLS key log file.-o tls.desegment_ssl_records
: Ensures proper segmentation of SSL/TLS records.-o tls.desegment_ssl_application_data
: Ensures the SSL/TLS application data is properly reassembled.
The
-w decrypted.pcap
flag will write the decrypted packets to a new output file.