.NET SslStream: How to extract session key?

Question

I'm writing a desktop application and wish to give users ability to verify network traffic, so they know they are not being abused. My application establishes a TLS connection to servers using .NET's SslStream with the AuthenticateAsClient method. Wireshark users can decode TLS traffic using NSS key logs. I can see that both Firefox and Chrome have options to logging encryption keys. How can I do the same in my .NET application? i.e. How can I extract the session key from SslStream, programatically?

Answer 1

As of this writing, there is no way of doing that with dotnet's SslStream. Here's how to export the session keys using BouncyCastle:

internal static class BouncyCastleTls
{
    public static Stream WrapWithTls(Stream stream)
    {
        var client = new MyTlsClient();
        var tlsClientProtocol = new TlsClientProtocol(stream, new SecureRandom());
        tlsClientProtocol.Connect(client);
        return tlsClientProtocol.Stream;
    }
}

internal sealed class MyTlsClient : DefaultTlsClient
{
    public override TlsAuthentication GetAuthentication()
    {
        return new MyTlsAuthentication();
    }

    public override void NotifyHandshakeComplete()
    {
        var clientRandom = mContext.SecurityParameters.ClientRandom;
        var masterSecret = mContext.SecurityParameters.MasterSecret;

        Console.WriteLine("CLIENT_RANDOM {0} {1}", ToHex(clientRandom), ToHex(masterSecret));
    }

    private static string ToHex(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 2);
        for (var i = 0; i < bytes.Length; ++i)
            sb.Append($"{bytes[i]:x2}");
        return sb.ToString();
    }

}

internal sealed class MyTlsAuthentication : TlsAuthentication
{
    public void NotifyServerCertificate(Certificate serverCertificate)
    {
    }

    public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest)
    {
        return null;
    }
}