How to decrypt TLS traffic in Wireshark
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. TLS uses a combination of public-key and symmetric-key cryptography, making it ideal for securing communications over the Internet. Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
TLS provides a number of benefits, chief among them being confidentiality and integrity of communications. When TLS is used, communications are encrypted, making it difficult for anyone to eavesdrop on them. Additionally, TLS can authenticate both sides of a communication, ensuring that data is not tampered with.
TLS data decryption in Wireshark is interesting for a number of reasons. For one, it can help to improve the accuracy of packet captures by allowing Wireshark to more accurately identify and decode TLS-encrypted traffic. Additionally, decryption can also help to reveal otherwise hidden information such as the contents of TLS-encrypted application data. Finally, decrypting TLS data can also be useful for troubleshooting purposes, as it can help to identify potential problems with TLS configuration or implementation.
Different types of key exchanges
The most common key exchange used with TLS used to be RSA, which can be decrypted using Wireshark's RSA keys list. To decrypt these exchanges, you need to use Wireshark's TLS decryption feature, and you need the server's private key (a *.pem file).
Nowadays, ephemeral Diffie-Hellman is more prevalent. You can decrypt this kind of traffic as well. However, the big bummer is that you must record the keys in use while capturing with Wireshark. The decryption keys are not permanent but temporary, meaning they change for every connection. This is why we can't retroactively export a PEM file from a server and decrypt the TLS traffic. We need to capture the ephemeral keys while they are being used by the browser, server or proxy (TLS inspection device).
ECDHE Capture Setup
A typical capture setup would be a SPAN port on a managed switch, a TAP, a firewall, or just capturing directly on the client or server. In the diagram, we capture on a device different from the one where the SSLKEYLOGFILE is written. In a simple setup, both could be the same device, for example if you capture the browser's traffic on your local machine.
ECDHE Decryption
To decrypt a PCAP with Wireshark you need to have an SSLKEYLOGFILE. This file can be created in a variety of ways depending on what device you control. You need to configure the application to log encryption keys to an SSLKEYLOGFILE before you start capturing the network traffic, or you won't be able to decrypt the captured traffic.
How to get the SSLKEYLOGFILE
Set the SSLKEYLOGFILE environment variable either globally or only in the terminal from which you start your application.
It is supported by Firefox, Chrome, Curl, mitmproxy, Exim,
Windows
Windows CMD
C:\> set SSLKEYLOGFILE=%USERPROFILE%/Desktop/sslkeylog.log
C:\> echo %SSLKEYLOGFILE%
Windows PowerShell
PS C:\> $env:SSLKEYLOGFILE = "$env:USERPROFILE\sslkeylog.txt"
PS C:\> $env:SSLKEYLOGFILE
Chrome
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\Desktop\keylog.txt
Chrome with clean profile on macOS
SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/tmp-google
Firefox
# PowerShell: set the variable, then launch Firefox from the same session
$env:SSLKEYLOGFILE = "$env:USERPROFILE\Desktop\ffkeylog.txt"
& 'C:\Program Files\Mozilla Firefox\firefox.exe'
Linux / macOS
export SSLKEYLOGFILE=$HOME/sslkeylog.log
echo $SSLKEYLOGFILE
F5
K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command (11.6.x)
A typical keylog file looks like this:
Here is a schema of the whole workflow for ECDHE
Using Wireshark
To decrypt TLS data using Wireshark or editcap on both Windows and macOS, you'll need two files: the PCAP file and the SSLKEYLOGFILE.
For Wireshark:
- Open Wireshark.
- Go to "Preferences."
- Navigate to "Protocols" -> "TLS."
- In the TLS settings, find the option to set the (Pre)-Master-Secret log filename.
- Enter the path to your SSLKEYLOGFILE.
This will allow Wireshark to decrypt the TLS data using the provided key log file.
Using editcap
A nice trick is to use the editcap tool to inject the keylog file into the PCAP file. With the PCAPNG format, it is possible to create a bundle that merges the two files (pcap and keylog files) into a single file. Opening the new file, you can inspect the decrypted traffic in Wireshark without having to configure anything else.
This is the command line for editcap:
editcap --inject-secrets tls,.\keylog.txt .\tls.pcapng .\tls-encrypt-w-keys.pcapng
Be careful not to send the PCAP with the keys to anybody who shouldn't have access to the decrypted contents of your PCAP.
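Before sharing a capture, you can check whether it carries injected keys. The following Python sketch is an added example, not part of the original article: it walks the PCAPNG blocks and reports any Decryption Secrets Block (block type 0x0000000A), with function names and the sample bytes constructed for illustration.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
TLS_KEYLOG = 0x544C534B        # DSB secrets type "TLSK": TLS key log

def find_secrets(data):
    """Return [(secrets_type, secrets_length)] for each DSB in pcapng bytes."""
    found, offset, endian = [], 0, None
    while offset + 12 <= len(data):
        if data[offset:offset + 4] == b"\x0a\x0d\x0d\x0a":
            # A section header fixes the byte order for the blocks after it.
            magic = data[offset + 8:offset + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
        if endian is None:
            raise ValueError("not a pcapng file (no section header)")
        btype, total = struct.unpack_from(endian + "II", data, offset)
        if total < 12 or total % 4 or offset + total > len(data):
            raise ValueError(f"corrupt block at offset {offset}")
        if btype == DSB_TYPE and total >= 20:
            found.append(struct.unpack_from(endian + "II", data, offset + 8))
        offset += total
    return found

def carries_tls_keys(data):
    """True if the capture embeds a TLS key log and so decrypts on open."""
    return any(stype == TLS_KEYLOG and length > 0
               for stype, length in find_secrets(data))

def make_block(btype, body):
    """Build one little-endian pcapng block (used for the constructed sample)."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample: a section header plus a DSB holding a made-up key log line.
KEYLOG = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"ab" * 48 + b"\n"
SHB = make_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
DSB = make_block(DSB_TYPE, struct.pack("<II", TLS_KEYLOG, len(KEYLOG)) + KEYLOG)

if __name__ == "__main__":
    print(carries_tls_keys(SHB), carries_tls_keys(SHB + DSB))
```

If a file does carry keys, editcap's --discard-all-secrets option writes a copy without them.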
What to do if data doesn't get decrypted
The following TCP protocol preferences are also required to enable TLS decryption:
- Allow subdissector to reassemble TCP streams. Enabled by default.
- Reassemble out-of-order segments (since Wireshark 3.0, disabled by default).
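The key log file itself is also worth checking when decryption fails. This added Python sketch (not from the original article) parses the NSS key log line format and reports, per client random, whether the file holds a TLS 1.2 master secret or the TLS 1.3 secrets; the labels are the standard key log labels, while the function name and the sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# TLS 1.3 secrets needed to decrypt the handshake and application data.
TLS13_CORE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
              "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_EXTRA = {"EXPORTER_SECRET", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET"}
# <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)")

def audit_keylog(text):
    """Return (sessions, problems) for the contents of an SSLKEYLOGFILE."""
    seen = defaultdict(set)   # client random -> labels logged for it
    problems = []             # (line number, reason)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue          # blank lines and comments are allowed
        m = LINE_RE.fullmatch(line)
        if not m:
            problems.append((lineno, "malformed line"))
            continue
        label, client_random, secret = m.groups()
        if label == "CLIENT_RANDOM":
            if len(secret) != 96:  # TLS 1.2 master secret is 48 bytes
                problems.append((lineno, "bad master secret length"))
                continue
        elif label not in TLS13_CORE | TLS13_EXTRA:
            problems.append((lineno, "label not handled by this example"))
            continue
        seen[client_random.lower()].add(label)
    sessions = {}
    for client_random, labels in seen.items():
        if "CLIENT_RANDOM" in labels:
            sessions[client_random] = "tls1.2"
        elif TLS13_CORE <= labels:
            sessions[client_random] = "tls1.3"
        else:
            sessions[client_random] = "tls1.3-incomplete"
    return sessions, problems

# Constructed sample lines (made-up values, not real key material).
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "11" * 32 + " " + "ab" * 48,
    *(f"{label} {'22' * 32} {'cd' * 32}" for label in sorted(TLS13_CORE)),
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "ef" * 32,
    "CLIENT_RANDOM 1234 zz",
])

if __name__ == "__main__":
    print(audit_keylog(SAMPLE))
```

To check one connection, copy the Random value from its Client Hello in Wireshark and look it up in the returned mapping; a missing entry means the keys for that connection were never logged.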
RSA Decryption
To decrypt RSA you just need the PCAP and a PEM file.