How to Decrypt SSL using Chrome or Firefox and Wireshark in Windows

98729

Created On 10/10/20 05:11 AM - Last Modified 11/01/21 21:11 PM

Anti-spyware

Antivirus

Custom Applications

Custom Signatures

Decryption Port Mirroring

File Blocking

Forensics

Packet Capture

Signatures

SSL Forward Proxy

SSL Inbound Inspection

URL Category

Vulnerability Protection

App-ID

Decryption

Threat Intelligence

Threat Prevention

URL Filtering

PAN-OS

Objective

Capture SSL session keys from encrypted web-browsing or other web application traffic in Chrome or Firefox and use it to decrypt packet captures in Wireshark.

Environment

Windows 7 or Windows 10
Chrome 85 or newer, or Firefox 81 or newer
Wireshark 3.2.7 or newer
SSL/TLS sessions using RSA, DHE or ECDHE key-exchange algorithms.

Procedure

1. Close Chrome or Firefox completely. Make sure all instances are closed.

2. Open the Start menu, and type env, select "Edit environment variables for your account".
Open: Edit environment variables for your account.

Open: Edit environment variables for your account.

3. In the "Environment Variables" window, under "User variables for %user%", click on "New...".
User variables for %user%, click on New...

4. In "New User Variable" window enter:
Variable name: SSLKEYLOGFILE
Variable value: %USERPROFILE%\Desktop\sslkey.log
$Variable name: SSLKEYLOGFILE, Variable value: %USERPROFILE%\Desktop\sslkey.log$

5. Click OK to accept the "New User Variable" entry, and OK to accept and close the new "Environment Variable" window.

6. Launch Wireshark, and start the packet capture.

7. Launch Chrome or Firefox, and verify that the sslkey.log file is created.
Launch Chrome or Firefox and verify that the sslkey.log file is created.

Launch Chrome or Firefox and verify that the sslkey.log file is created.

8. Browse to the website or web application that is being tested and run all actions that need to be captured.

In our example we download the malware test file from the EICAR secure site.
Example: Download EICAR test file from their secure (https) site.

Example: Download EICAR test file from their secure (https) site.

9. Check in Wireshark to confirm that the activity was properly collected, and stop the capture.
Encrypted capture collected.

10. In Wireshark go to [ Edit > Preferences > Protocols > TLS ]. Under (Pre)-Master-Secret log filename, select the sslkey.log file created in Step 7, and click on OK.
Add sslkey.log to the (Pre)-Master-Secret under the TLS protocol preferences.

Add sslkey.log to the (Pre)-Master-Secret under the TLS protocol preferences.

11. The decrypted packet capture is displayed in Wireshark.
Decrypted capture is presented.

12. (Optional) Follow the HTTP Stream to visualize the decrypted contents.
Follow decrypted HTTP Stream.

Note1: The steps may change when Windows or Chrome gets updated.
Note2: This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.

Additional Information

There is currently no way to export the decrypted packet captures from Wireshark in PCAP format, however, there are three options:

Share the PCAP file along with its corresponding sslkey.log file to the intended recipient.
PDU Export of the decrypted data:

To export the decrypted PDU's go to File > Export PDU's to File > OSI Layer 4, or OSI Layer 7.
Save the resulting output to a PCAPNG file.

Follow the Decrypted HTTP stream (Step 12), select "Show and save data as": ASCII, then select "Save as...". This will save the printed stream output in a clear text file.

How to Decrypt SSL using Chrome or Firefox and Wireshark in Windows

Objective

Environment

Procedure

Additional Information

Other users also viewed: