Hi, I am using the daily build of Wireshark for monitoring some TLS 1.3 traffic. I am wondering if there is any way I can decrypt the traffic. Specifically, I can successfully decrypt TLS 1.2 traffic by exporting SSLKEYLOGFILE for Firefox to save its session keys and setting this path in my SSL preferences in Wireshark. However, it doesn't work for TLS 1.3. Is this normal (not supported for TLS 1.3), or just a bug?
TLS 1.3 is supported in the upcoming Wireshark 2.4 (and by extension, the latest development version). Since most messages are encrypted, however, you need session secrets for decryption. Unfortunately, NSS (the cryptographic library used by Firefox) has not been updated yet to dump these secrets (its most recent version is 3.31 as of this writing). You can track the latest status of this in https://bugzilla.mozilla.org/show_bug.cgi?id=1287711

BoringSSL (as used by Google Chrome/Chromium) does however support this newer format, so you could give that a try. It is supported by some version (do not know exactly which).

Wow. That is a helpful answer, saving me lots of time digging into it. Thanks!
(19 Jun '17, 11:52)
yctung
More information about the status of TLS 1.3 can be found in:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
https://github.com/tlswg/tls13-spec/wiki/Implementations

(Everything is basically done except for TLS 1.3 0RTT trial decryption, i.e. packets with 0RTT data for which you do not have the keys.)
(19 Jun '17, 11:55)
Lekensteyn
Hi. Just a follow-up on this problem. I tried the NSS dump function in OpenSSL and also Chrome (Canary). I can see sslkeylog.log is dumped correctly, but Wireshark (nightly build) still can't understand TLS 1.3 traffic. Attached an example of TLS 1.3 in Wireshark: http://imgur.com/a/odAwH

Yu-Chih
(03 Jul '17, 16:02)
yctung
Hi @yctung, do you still have problems with the current version of Wireshark? If so, please open a bug report and attach a pcap+keylog file.
(24 Sep '17, 11:49)
Lekensteyn
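
The answer above turns on whether the key log file contains the newer TLS 1.3 secrets or only the TLS 1.2 `CLIENT_RANDOM` entries. The following check is an added example, not part of the original thread or of Wireshark; it assumes the label names of the NSS key log format, and the sample input is constructed, not real key material.

```python
import re

# CLIENT_RANDOM carries a TLS 1.2 (or earlier) master secret; the other
# labels are the per-stage secrets that TLS 1.3 decryption needs.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_REQUIRED = {  # enough for a full handshake without 0-RTT data
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
TLS13_LABELS = TLS13_REQUIRED | {"CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
# <LABEL> <32-byte client random in hex> <secret in hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def audit_keylog(text):
    """Group key log lines by client random and classify each session.

    Returns (report, skipped): report maps client random -> status,
    skipped lists line numbers that are not recognised key log entries.
    """
    sessions, skipped = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match or match.group(1) not in TLS12_LABELS | TLS13_LABELS:
            skipped.append(number)
            continue
        sessions.setdefault(match.group(2).lower(), set()).add(match.group(1))
    report = {}
    for client_random, labels in sessions.items():
        if TLS13_REQUIRED <= labels:
            report[client_random] = "tls13-complete"
        elif labels & TLS13_LABELS:
            report[client_random] = "tls13-incomplete"
        else:
            report[client_random] = "tls12-only"
    return report, skipped


# Constructed sample: one TLS 1.2 session, one complete and one partial TLS 1.3 session.
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join([
    "# constructed sample, not real key material",
    f"CLIENT_RANDOM {CR_A} {'11' * 48}",
    *(f"{label} {CR_B} {'22' * 32}" for label in sorted(TLS13_REQUIRED)),
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_C} {'33' * 32}",
    "not a key log line",
])

if __name__ == "__main__":
    print(audit_keylog(SAMPLE))
```

A session reported as `tls12-only` matches the situation described for Firefox in the answer: the file is written, but it holds no secrets a TLS 1.3 capture can use.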