This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decrypt TLS1.3 traffic?

1

Hi, I am using the daily build of Wireshark for monitoring some TLS1.3 traffic. I am wondering if there is any way I can decrypt the traffic?

Specifically, I can successfully decrypt TLS1.2 traffic by exporting the SSLKEYLOGFILE for Firefox to save its session keys and setting this path in my SSL preferences in Wireshark. However, it doesn't work in TLS1.3.

Is it normal (not supported for TLS1.3), or just a bug?

asked 19 Jun '17, 11:39


yctung


One Answer:

2

TLS 1.3 is supported in the upcoming Wireshark 2.4 (and by extension, the latest development version). Since most messages are encrypted, however, you need session secrets for decryption.

Unfortunately, NSS (the cryptographic library used by Firefox) has not been updated yet to dump these secrets (its most recent version is 3.31 as of this writing). You can track the latest status of this in https://bugzilla.mozilla.org/show_bug.cgi?id=1287711

BoringSSL (as used by Google Chrome/Chromium) does however support this newer format, so you could give that a try. It is supported by some version (do not know exactly which).

answered 19 Jun '17, 11:46


Lekensteyn

Wow. That is a helpful answer, saving me lots of time digging into it. Thanks!

(19 Jun '17, 11:52) yctung

More information about the status of TLS 1.3 can be found in:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
https://github.com/tlswg/tls13-spec/wiki/Implementations

(Everything is basically done except for TLS 1.3 0RTT trial decryption, i.e. packets with 0RTT data for which you do not have the keys.)

(19 Jun '17, 11:55) Lekensteyn

Hi. Just a follow up of this problem.

I tried the NSS dump function in OpenSSL and also Chrome (Canary). I can see sslkeylog.log is dumped correctly, but Wireshark (nightly build) still can't understand TLS1.3 traffic. Attached is an example of TLS1.3 in Wireshark: http://imgur.com/a/odAwH

Yu-Chih

(03 Jul '17, 16:02) yctung

Hi @yctung, do you still have problems with the current version of Wireshark? If so, please open a bug report and attach a pcap+keylog file.

(24 Sep '17, 11:49) Lekensteyn
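
Added example, not part of the original thread: a Python check for the situation described in the answer and the follow-up comment, where a key log file is written but holds no usable TLS 1.3 secrets. It groups key log lines by client random and reports whether each session has only a `CLIENT_RANDOM` (TLS 1.2 master secret) entry or the TLS 1.3 traffic-secret labels from the NSS key log format; `audit_keylog` and the sample data are hypothetical names and constructed values.

```python
import re
from collections import defaultdict

# NSS Key Log Format labels: CLIENT_RANDOM is TLS 1.2, the rest are TLS 1.3.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
TLS13_OPTIONAL = {"CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def audit_keylog(text):
    """Return ({client_random: verdict}, [unrecognized line numbers])."""
    sessions, unrecognized = defaultdict(set), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in key logs
        m = LINE_RE.match(line)
        known = m and m.group(1) in TLS13_REQUIRED | TLS13_OPTIONAL | {TLS12_LABEL}
        if not known or len(m.group(3)) % 2:
            unrecognized.append(lineno)
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    verdicts = {}
    for client_random, labels in sessions.items():
        if TLS13_REQUIRED <= labels:
            verdicts[client_random] = "tls13-complete"
        elif labels & (TLS13_REQUIRED | TLS13_OPTIONAL):
            missing = sorted(TLS13_REQUIRED - labels)
            verdicts[client_random] = "tls13-partial: missing " + ", ".join(missing)
        else:
            verdicts[client_random] = "tls12-only"
    return verdicts, unrecognized


# Constructed sample: one TLS 1.2-style entry, one full TLS 1.3 set, one partial.
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join(
    ["# constructed key log, not real secrets",
     f"CLIENT_RANDOM {CR_A} {'11' * 48}"]
    + [f"{label} {CR_B} {'22' * 32}" for label in sorted(TLS13_REQUIRED)]
    + [f"CLIENT_TRAFFIC_SECRET_0 {CR_C} {'33' * 32}", "truncated line"]
)

if __name__ == "__main__":
    print(audit_keylog(SAMPLE))
```

A session reported as `tls12-only` for a connection that negotiated TLS 1.3 means the client library did not log the newer secrets, which is the NSS limitation the answer describes.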