Hi, I am using the daily build of Wireshark for monitoring some TLS 1.3 traffic. I am wondering if there is any way I can decrypt the traffic?
Specifically, I can successfully decrypt TLS 1.2 traffic by exporting the SSLKEYLOGFILE for Firefox to save its session keys and setting this path in my SSL preference in Wireshark. However, it doesn't work for TLS 1.3.
Is this normal (not supported for TLS 1.3), or just a bug?
asked 19 Jun '17, 11:39
TLS 1.3 is supported in the upcoming Wireshark 2.4 (and by extension, the latest development version). Since most messages are encrypted, however, you need session secrets for decryption.
Unfortunately, NSS (the cryptographic library used by Firefox) has not been updated yet to dump these secrets (its most recent version is 3.31 as of this writing). You can track the latest status of this in https://bugzilla.mozilla.org/show_bug.cgi?id=1287711
BoringSSL (as used by Google Chrome/Chromium) does however support this newer format, so you could give that a try. It is supported by some version (do not know exactly which).
answered 19 Jun '17, 11:46
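
Added example, not part of the original answer: a Python check that reads the text of a key log file (the file named by SSLKEYLOGFILE) and reports, per client random, whether it holds the TLS 1.3 traffic secrets or only the older `CLIENT_RANDOM` master-secret line. The label names are those of the NSS key log format; the function name, status strings and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format. These four cover the handshake
# and application-data keys of a TLS 1.3 session.
TLS13_CORE = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
TLS13_OTHER = {"CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
# <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def classify_keylog(text):
    """Map each client random to 'tls13-complete', 'tls13-partial: ...',
    'master-secret-only' or 'unknown' (hypothetical status names)."""
    seen = defaultdict(set)
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:  # blank lines, '#' comments, malformed entries
            continue
        label, client_random, _secret = match.groups()
        seen[client_random.lower()].add(label)
    report = {}
    for client_random, labels in seen.items():
        if TLS13_CORE <= labels:
            report[client_random] = "tls13-complete"
        elif labels & (TLS13_CORE | TLS13_OTHER):
            missing = ", ".join(sorted(TLS13_CORE - labels))
            report[client_random] = "tls13-partial: missing " + missing
        elif "CLIENT_RANDOM" in labels:
            report[client_random] = "master-secret-only"
        else:
            report[client_random] = "unknown"
    return report

# Constructed sample input (not real key material).
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join(
    ["# constructed key log", f"CLIENT_RANDOM {CR_A} {'11' * 48}"]
    + [f"{label} {CR_B} {'22' * 32}" for label in sorted(TLS13_CORE)]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_C} {'33' * 32}", "garbage line"]
)

if __name__ == "__main__":
    for client_random, status in classify_keylog(SAMPLE).items():
        print(client_random[:16], status)
```

If a key log written during a TLS 1.3 capture shows only `master-secret-only` entries, the client library did not write the TLS 1.3 secrets to the file.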