How to Decrypt SSL using Chrome or Firefox and Wireshark in Linux

Created On 07/11/22 21:23 PM - Last Modified 10/16/24 23:56 PM


Objective


Capture SSL session keys from encrypted web-browsing or other web application traffic in Chrome or Firefox and use it to decrypt packet captures in Wireshark.

Environment


  • Linux
  • Chrome 85 or newer, or Firefox 81 or newer
  • Wireshark 3.2.7 or newer
  • SSL/TLS sessions using RSA, DHE or ECDHE key-exchange algorithms.


Procedure


1. Close Chrome or Firefox completely. Make sure all instances are closed.

2. Open a Terminal window and set the SSLKEYLOGFILE environment variable with the following command:
export SSLKEYLOGFILE="/home/$USER/sslkey.log"
Set the SSLKEYLOGFILE environment variable.
Do not close the terminal window.

3. Launch Wireshark or tcpdump, and start the packet capture.

4. Launch Chrome or Firefox from the terminal window that was used to set the environment variable in step 2. (The environment variable is set only for that specific Terminal session.)

For Chrome:
chromium-browser &

For Firefox:
firefox &
Launch Chromium or Firefox from the same terminal in which the SSLKEYLOGFILE environment variable was set.

5. Use the terminal to verify that the sslkey.log file is created.

file /home/$USER/sslkey.log

The expected output if the file is properly created will be:
/home/user1/sslkey.log: ASCII text
Verify that the sslkey.log file has been created.
6. Browse to the website or web application that is being tested and run all actions that need to be captured.

In our example, we download the malware test file from the EICAR secure site.
Download encrypted content using your web browser.
7. Check in Wireshark to confirm that the activity was properly collected, and stop the capture.
Verify that the capture worked properly.
8. In Wireshark go to [ Edit > Preferences > Protocols > SSL ] (the protocol entry is named TLS rather than SSL in Wireshark 3.x). Under (Pre)-Master-Secret log filename, select the sslkey.log file created in Step 5, and click on OK.
Populate the (Pre)-Master-Secret log filename.

9. The decrypted packet capture is displayed in Wireshark.
The decrypted SSL session is exposed in Wireshark.

10. (Optional) Follow the HTTP Stream to visualize the decrypted contents.
Follow HTTP Stream to visualize the decrypted data.
Note 1: This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.
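Step 5 only confirms that sslkey.log exists and is ASCII text. As an added example (not part of this article), the Python below goes one step further and checks that the file is in the NSS key log format that Chrome, Firefox and Wireshark share: one entry per line, LABEL CLIENT_RANDOM SECRET, with CLIENT_RANDOM for TLS 1.2 and earlier and the *_SECRET labels for TLS 1.3. It reports lines Wireshark would not be able to use and counts TLS 1.2 versus TLS 1.3 sessions. The label set and field lengths are assumptions taken from the NSS key log format, not from the article, and the sample log is constructed inline.

```python
import re
# Labels of the NSS key log format (Wireshark's "(Pre)-Master-Secret log"). CLIENT_RANDOM is TLS 1.2
# and earlier (RSA/DHE/ECDHE master secret); the *_SECRET labels are TLS 1.3 traffic secrets.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, errors): (label, client_random, secret) tuples and (line, reason) for bad lines."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are allowed by the format
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields: LABEL CLIENT_RANDOM SECRET"))
            continue
        label, client_random, secret = parts
        if label != "CLIENT_RANDOM" and label not in TLS13_LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if len(client_random) != 64 or not HEX.match(client_random):
            errors.append((lineno, "client random must be 32 bytes of hex"))
            continue
        # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets have the cipher's hash length (32 or 48).
        ok_len = (96,) if label == "CLIENT_RANDOM" else (64, 96)
        if not HEX.match(secret) or len(secret) not in ok_len:
            errors.append((lineno, f"secret is not valid hex of the right length for {label}"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors

def summarize(entries):
    """Count sessions by client random and split them into TLS 1.2 and TLS 1.3."""
    sessions = {}
    for label, client_random, _ in entries:
        sessions.setdefault(client_random, set()).add(label)
    tls13 = sum(1 for labels in sessions.values() if labels & TLS13_LABELS)
    return {"sessions": len(sessions), "tls12": len(sessions) - tls13, "tls13": tls13}

# Constructed sample, not from a real capture: one TLS 1.2 session, one TLS 1.3 session, one bad line.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {'11' * 32} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'cd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'22' * 32} {'cd' * 32}",
    "CLIENT_RANDOM deadbeef tooshort",
])
```

Run it against the real file with parse_keylog(open("/home/user1/sslkey.log").read()); since the file holds the secrets of every session the browser made while the variable was set, delete it and unset SSLKEYLOGFILE once the analysis is done.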


Additional Information


Use tshark to decrypt and export packets

There is currently no way to export the decrypted packet captures from Wireshark in PCAP format. However, this task can be achieved using tshark, the command-line counterpart of Wireshark, which allows you to extract and save the decrypted data.

  1. Ensure you have the (Pre)-Master-Secret keys available.

  2. Run tshark with the TLS key log and appropriate decryption settings:

    tshark -r original.pcap -o tls.keylog_file:/path/to/your/tls_keys.log -o tls.desegment_ssl_records:TRUE -o tls.desegment_ssl_application_data:TRUE -w decrypted.pcap

    • -r original.pcap: Your original PCAP file with encrypted TLS packets.
    • -o tls.keylog_file: Path to your TLS key log file.
    • -o tls.desegment_ssl_records: Ensures proper segmentation of SSL/TLS records.
    • -o tls.desegment_ssl_application_data: Ensures the SSL/TLS application data is properly reassembled.
    • -w decrypted.pcap: Writes the decrypted packets to a new output file.


