How to Decrypt SSL using Chrome or Firefox and Wireshark in Linux
33234
Created On 07/11/22 21:23 PM - Last Modified 09/09/24 19:32 PM
Objective
Capture SSL/TLS session keys from encrypted web-browsing or other web application traffic in Chrome or Firefox and use them to decrypt packet captures in Wireshark.
Environment
- Linux
- Chrome 85 or newer, or Firefox 81 or newer
- Wireshark 3.2.7 or newer
- SSL/TLS sessions using RSA, DHE or ECDHE key-exchange algorithms.
Procedure
1. Close Chrome or Firefox completely. Make sure all instances are closed.
2. Open a Terminal window and set the SSLKEYLOGFILE environment variable with the following command:
export SSLKEYLOGFILE="/home/$USER/sslkey.log"
Do not close the terminal window.
3. Launch Wireshark or tcpdump, and start the packet capture.
4. Launch Chrome or Firefox from the terminal window that was used to set the environment variable in step 2. (The environment variable is set only for that specific Terminal session.)
For Chrome:
chromium-browser &
For Firefox:
firefox &
5. Use the terminal to verify that the sslkey.log file is created.
file /home/$USER/sslkey.log
The expected output if the file is properly created will be:
/home/user1/sslkey.log: ASCII text
6. Browse to the website or web application that is being tested and run all actions that need to be captured.
In our example, we download the malware test file from the EICAR secure (HTTPS) site.
7. Check in Wireshark to confirm that the activity was properly collected, and stop the capture.
8. In Wireshark, go to [ Edit > Preferences > Protocols > SSL ]. Under (Pre)-Master-Secret log filename, select the sslkey.log file verified in Step 5, and click OK.
9. The decrypted packet capture is displayed in Wireshark.
10. (Optional) Follow the HTTP Stream to visualize the decrypted contents.
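Step 5 only confirms that the key log file exists. Whether Wireshark can decrypt anything depends on the file holding well-formed secrets: one `CLIENT_RANDOM <client random> <master secret>` line per TLS 1.2 (and earlier) session, or a group of `*_TRAFFIC_SECRET` lines sharing one client random per TLS 1.3 session. The script below is an added example, not part of the original article: it checks an NSS-format key log for usable lines, counts distinct sessions, and flags lines Wireshark would ignore. The label names are the standard NSS key log labels that Wireshark reads; the sample secrets are constructed placeholders, not real session keys. Run it with the SSLKEYLOGFILE variable from step 2 exported, and it reports on your real log; otherwise it reports on the built-in sample.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check an NSS-format
# SSLKEYLOGFILE before pointing Wireshark at it.
#
# Valid line shapes:
#   TLS 1.2 and earlier:  CLIENT_RANDOM <64 hex> <96 hex>   (32-byte random, 48-byte master secret)
#   TLS 1.3:              <LABEL> <64 hex> <hex secret>     (secret length depends on the cipher suite)
# Comment lines (#) and blank lines are ignored, as Wireshark ignores them.

# $1 = key log file, $2 = valid | sessions | bad
_keylog_scan() {
    awk -v mode="$2" '
        function ishex(s) { return s ~ /^[0-9a-fA-F]+$/ }
        BEGIN {
            # TLS 1.3 labels written by NSS/BoringSSL and understood by Wireshark
            labels = " CLIENT_HANDSHAKE_TRAFFIC_SECRET SERVER_HANDSHAKE_TRAFFIC_SECRET" \
                     " CLIENT_TRAFFIC_SECRET_0 SERVER_TRAFFIC_SECRET_0 EXPORTER_SECRET "
        }
        /^#/ || NF == 0 { next }
        {
            ok = 0
            if (NF == 3 && length($2) == 64 && ishex($2) && ishex($3)) {
                if ($1 == "CLIENT_RANDOM")            ok = (length($3) == 96)
                else if (index(labels, " " $1 " "))   ok = 1
            }
            if (ok) { valid++; seen[$2] = 1 } else bad++
        }
        END {
            if (mode == "valid")    print valid + 0
            else if (mode == "bad") print bad + 0
            else { for (k in seen) n++; print n + 0 }   # one session per distinct client random
        }
    ' "$1"
}

keylog_valid_lines() { _keylog_scan "$1" valid; }     # lines Wireshark can use
keylog_sessions()    { _keylog_scan "$1" sessions; }  # distinct TLS sessions covered
keylog_bad_lines()   { _keylog_scan "$1" bad; }       # malformed lines Wireshark will skip

# --- Constructed sample key log (placeholder hex, not real secrets) ---------
rep() { out=""; i=0; while [ "$i" -lt "$2" ]; do out="$out$1"; i=$((i+1)); done; printf '%s' "$out"; }
CR1=$(rep 1a 32)   # 32-byte client random for a TLS 1.2 session
MS=$(rep 2b 48)    # 48-byte master secret
CR2=$(rep 3c 32)   # 32-byte client random for a TLS 1.3 session
S13=$(rep 4d 48)   # 48-byte TLS 1.3 secret (SHA-384 suite size)

SAMPLE_KEYLOG="$(mktemp)"
{
    printf '# constructed sample key log, not real session secrets\n'
    printf 'CLIENT_RANDOM %s %s\n' "$CR1" "$MS"
    printf 'CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s\n' "$CR2" "$S13"
    printf 'SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s\n' "$CR2" "$S13"
    printf 'CLIENT_TRAFFIC_SECRET_0 %s %s\n' "$CR2" "$S13"
    printf 'SERVER_TRAFFIC_SECRET_0 %s %s\n' "$CR2" "$S13"
    printf 'EXPORTER_SECRET %s %s\n' "$CR2" "$S13"
    printf 'CLIENT_RANDOM deadbeef %s\n' "$MS"   # bad: client random too short
    printf 'CLIENT_RANDOM %s\n' "$CR1"           # bad: master secret missing
} > "$SAMPLE_KEYLOG"

# Report on the real key log from step 2 if it is readable, else on the sample.
KEYLOG="${SSLKEYLOGFILE:-$SAMPLE_KEYLOG}"
[ -r "$KEYLOG" ] || KEYLOG="$SAMPLE_KEYLOG"
echo "key log:        $KEYLOG"
echo "usable lines:   $(keylog_valid_lines "$KEYLOG")"
echo "TLS sessions:   $(keylog_sessions "$KEYLOG")"
echo "ignored lines:  $(keylog_bad_lines "$KEYLOG")"
```

A real log with zero usable lines after browsing means the browser was not started from the terminal that exported SSLKEYLOGFILE (step 4), or an earlier browser instance was still running (step 1). The session count is based on distinct client randoms because a TLS 1.3 session writes several secret lines, so line count alone overstates the number of decryptable sessions.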
Note1: This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.
Additional Information
There is currently no way to export the decrypted packet captures from Wireshark in PCAP format; however, there are three options:
- Share the PCAP file along with its corresponding sslkey.log file to the intended recipient.
- Use PDU Export of the decrypted data and save the resulting output to a PCAPNG file.
- Follow the decrypted HTTP stream (Step 10), set "Show and save data as" to ASCII, then select "Save as...". This saves the printed stream output as a clear-text file.