24

I'm trying to decrypt SSL packages with Wireshark as described here. I have already created an SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10), and opened HTTPS URLs with Chrome and Firefox, but neither writes to the SSL log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how I can make either of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?

Tomas Colloca

7 Answers

15

You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:

  1. set environment variable e.g. `SSLKEYLOGFILE` to `%USERPROFILE%\sslkeysENV.pms`
  2. run chrome with argument e.g.: `"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms`
n00b
TadejP
  • 1
    The syntax for this answer was originally incorrect but I have submitted an edit that fixes it (your path was off slightly and you need a double dash `--` for the flag). With that said, I had some success off my VPN, but on VPN within corp. network, it seems to work sometimes and others not. Not sure what the difference is. – n00b May 01 '17 at 19:38
  • 1
    As of 9/27/2019, Chrome stable (standard, macOS) doesn't work with option 1. I didn't test option 2. However, [Chrome Canary](https://www.google.com/chrome/canary/) works with both options 1 and 2. – rinogo Sep 27 '19 at 19:50
  • 1
    Option 2 works in Mac OS: "open /Applications/Google\ Chrome.app --args --ssl-key-log-file=" – Fer Mena Mar 01 '20 at 06:16
  • how to run chromium with arguments https://www.chromium.org/developers/how-tos/run-chromium-with-flags – Pablo Pazos Jun 06 '20 at 21:37
  • For me, the problem with #1 was **how** I was setting the environment variable. My everyday user account doesn't have local administrative permissions, as per best practice, but a side effect is that I couldn't use System Properties as it elevates to the context of my administrative user account, so I had no choice but to use Command Prompt / PowerShell. For some reason, `set SSLKEYLOGFILE=` doesn't work (Process Monitor shows no attempts to interact with the path), but `setx SSLKEYLOGFILE ""` does, even though the output of `set` for both is identical. – mythofechelon Jul 17 '22 at 11:12
5

With Firefox the feature seems to be disabled by default and is only available in debug builds. With Chrome this might have vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).

Update: according to @Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.

Steffen Ullrich
  • 2
    Firefox has only disabled the key logging feature in one release, they reverted that and the current version does support the feature. Chrome does support this feature with BoringSSL as well. – Lekensteyn Dec 16 '17 at 16:29
  • @Lekensteyn: Thanks for this up-to-date information. I've updated the answer. – Steffen Ullrich Dec 16 '17 at 17:19
3

I have solved it!

You MUST be sure Chrome is totally closed, and then reopen a fresh new Chrome instance.

Chrome has a default option enabled that lets Chrome run in the background.

Double-check your Windows taskbar or process list to make sure no Chrome instance exists.

That's why `--ssl-key-log-file` isn't working: Chrome is still alive after you click the exit button.

nuclear
2

Try Firefox Developer Edition; the above-mentioned feature is turned on by default. I tested it only yesterday.

2

Some antiviruses (like Avast) inject the SSLKEYLOGFILE environment variable into well-known processes like firefox.exe and chrome.exe. If you rename the browser executable file and launch that, then the environment variable won't be overridden.

faxx1080
2

Try closing your current browsing session. It behaves as if you had just added a new path to PATH: it only works from a new session onward.

-6

Besides what they have already pointed out, I want to show three points that may help. These are tips for Linux (CentOS)

  1. Make sure the file that SSLKEYLOGFILE refers to can be written and read; to make sure, you can use:

    chmod -R 777 sslkey.txt
    
  2. Make sure your Firefox or Chrome is opened under the same user with the file mentioned, for example under root.

  3. Find some useful comments here
g00glen00b
peter
    1. `chmod 640 sslkey.txt` would be preferable. Other/anyone shouldn't have permissions to SSLKEYLOGFILE; you could instead chgrp to a common user group or setfacl if the filesystem supports access control lists. 2. You should not run a browser as root. 3. `setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/dumpcap; chmod o-rx /usr/sbin/dumpcap` avoids granting root permissions to the packet capture utility (which should probably, TBH, be run as a user without read permissions to the current user's files). – Wes Turner Feb 25 '18 at 04:40
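
The Linux setup from the last answer, done with the tighter permissions its comment asks for, as an added example that is not part of the original posts. It assumes GNU `stat`; the function names `keylog_prepare` and `keylog_audit` are chosen here, and the key line in the demo is constructed, not real key material.

```shell
#!/usr/bin/env bash
# Added example (Linux, GNU stat). Function names are chosen here.

# Create the key log file with owner-only access (0600) rather than 0777.
# The comment's variant is 640 plus chgrp to a shared capture group.
keylog_prepare() {
    local path="$1"
    ( umask 077; : >> "$path" ) || return 1
    chmod 600 "$path"
}

# Print one finding per problem; print nothing when the setup looks sound.
keylog_audit() {
    local path="${1:-${SSLKEYLOGFILE:-}}" mode
    if [ -z "$path" ]; then
        echo "unset: SSLKEYLOGFILE is not set in this shell"; return 0
    fi
    if [ ! -f "$path" ]; then
        echo "missing: $path does not exist"; return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "root: start the browser as a regular user instead"
    fi
    if [ ! -w "$path" ]; then
        echo "unwritable: current user cannot write $path"
    fi
    # Any "other" permission bit lets every local account read the secrets.
    mode=$(stat -c '%a' "$path")
    case $mode in
        *0) ;;
        *) echo "exposed: mode $mode grants access to other users" ;;
    esac
    # Key lines look like "<LABEL> <hex> <hex>"; '#' lines are comments.
    if ! grep -qE '^[A-Z0-9_]+ [0-9a-fA-F]+ [0-9a-fA-F]+$' "$path"; then
        echo "empty: no key lines yet; restart the browser from this shell"
    fi
    return 0
}

# Demo on a temporary file holding one constructed (all-zero) key line.
demo=$(mktemp)
chmod 777 "$demo"
keylog_audit "$demo"
keylog_prepare "$demo"
printf 'CLIENT_RANDOM %064d %096d\n' 0 0 >> "$demo"
keylog_audit "$demo"
rm -f "$demo"
```

Run `keylog_audit` with no argument in the same shell that will start the browser, so it checks the `SSLKEYLOGFILE` value the browser will actually inherit.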