Hi, I am using the daily build of Wireshark for monitoring some TLS 1.3 traffic. I am wondering if there is any way I can decrypt the traffic? Specifically, I can successfully decrypt TLS 1.2 traffic by exporting the SSLKEYLOGFILE for Firefox to save its session keys and setting this path in my SSL preferences in Wireshark. However, it doesn't work with TLS 1.3. Is this normal (not supported for TLS 1.3), or just a bug?
asked 19 Jun '17, 11:39 yctung
One Answer:
TLS 1.3 is supported in the upcoming Wireshark 2.4 (and by extension, the latest development version). Since most messages are encrypted, however, you need session secrets for decryption. Unfortunately, NSS (the cryptographic library used by Firefox) has not been updated yet to dump these secrets (its most recent version is 3.31 as of this writing). You can track the latest status of this in https://bugzilla.mozilla.org/show_bug.cgi?id=1287711

BoringSSL (as used by Google Chrome/Chromium) does however support this newer format, so you could give that a try. It is supported by some version (I do not know exactly which).
answered 19 Jun '17, 11:46 Lekensteyn
Wow. That is a helpful answer, saving me lots of time digging into it. Thanks!
More information about the status of TLS 1.3 can be found in:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
https://github.com/tlswg/tls13-spec/wiki/Implementations
(Everything is basically done except for TLS 1.3 0RTT trial decryption, i.e. packets with 0RTT data for which you do not have the keys.)
Hi. Just a follow-up on this problem.
I tried the NSS dump function in OpenSSL and also Chrome (Canary). I can see sslkeylog.log is dumped correctly, but Wireshark (nightly build) still can't understand TLS 1.3 traffic. Attached is an example of TLS 1.3 in Wireshark: http://imgur.com/a/odAwH
Yu-Chih
Hi @yctung, do you still have problems with the current version of Wireshark? If so, please open a bug report and attach a pcap+keylog file.
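
As an added example (not part of the original thread and not Wireshark's code), here is a quick way to check whether a key log file written via SSLKEYLOGFILE contains TLS 1.3 secrets or only TLS 1.2 `CLIENT_RANDOM` lines. The label names are those of the NSS key log format; the function name `classify_keylog` and the sample data are constructed for illustration.

```python
import re
from collections import defaultdict

TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Secrets covering handshake and application data in both directions.
TLS13_REQUIRED = TLS13_LABELS - {"CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
# <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def classify_keylog(text):
    """Return ({client_random: (kind, missing_labels)}, unrecognised_line_numbers)."""
    sessions = defaultdict(set)
    unrecognised = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no secrets
        m = LINE_RE.match(line)
        if not m or m.group(1) not in TLS12_LABELS | TLS13_LABELS:
            unrecognised.append(lineno)  # includes the legacy "RSA" line form
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    report = {}
    for client_random, labels in sessions.items():
        if labels & TLS13_LABELS:
            report[client_random] = ("tls13", sorted(TLS13_REQUIRED - labels))
        else:
            report[client_random] = ("tls12", [])
    return report, unrecognised

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# constructed key log for illustration",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "garbage line",
])

if __name__ == "__main__":
    report, bad = classify_keylog(SAMPLE)
    for client_random, (kind, missing) in report.items():
        print(client_random[:16], kind, "missing:", missing or "none")
    print("unrecognised lines:", bad)
```

A file that shows only `tls12` entries for a TLS 1.3 capture means the TLS library did not write the newer secrets, which is the situation the answer describes for NSS 3.31.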