This applies to your own web sessions; it won’t work if you don’t control the browser (in that case you need a man-in-the-middle proxy instead). The procedures devoted to creating a secure key log file work on Linux and might work on BSD or Mac OS X.
Sometimes you need to look at the plaintext of your own TLS (formerly SSL) sessions. I was thinking of hacking the SSL library to get the keys out, but it turns out that has already been done, and is installed in the stock NSS library since version 3.14. Other programs using the NSS library will also use SSLKEYLOGFILE. You could also use firefox extensions such as Live HTTP headers or maybe scriptish/greasemonkey to grab the data before it gets encrypted.
Anyway, here is how you make wireshark decrypt an SSL session and save all of the files which were returned. These procedures ensure that the secret key files will be gone once you close the shell terminal window, wireshark, and firefox.
• Create a secure temporary file, open it in bash for reading and writing as file descriptor 3, and delete it. From the bash reference manual, exec builtin: “If no command is specified, redirections may be used to affect the current shell environment.”
$ f=$(mktemp); ls -l $f; exec 3<>$f; rm $f; ls $f; lsof -d3 -a -p$$
-rw-------. 1 edward edward 0 Sep 30 13:09 /tmp/tmp.VQw5BPHFlc
ls: cannot access /tmp/tmp.VQw5BPHFlc: No such file or directory
COMMAND … FD … NAME
bash … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
• Quit from firefox (that is absolutely essential: a second firefox command would otherwise just hand its arguments to the already running instance, which has neither the environment variable nor fd 3), and restart it as a child of this bash, with the SSLKEYLOGFILE environment variable set to access file descriptor 3. For convenience, set ffpid to the process ID of firefox. (The &>/dev/null redirection of stdout and stderr is necessary since the $(…) command substitution would otherwise wait for firefox to exit. “There are two formats for redirecting standard output and standard error: &>word, and >&word. Of the two forms, the first is preferred. This is semantically equivalent to >word 2>&1.”)
$ ffpid=$( SSLKEYLOGFILE=/dev/fd/3 firefox &>/dev/null & echo $! )
• Start wireshark with file descriptor 3 inherited from bash and with umask set to create user-only-accessible files, because you plan to save confidential files.
$ wspid=$( umask 077; wireshark &>/dev/null & echo $! )
• Observe that both processes have inherited fd 3:
$ lsof -d3 -a -p$ffpid -p$wspid -p$$
COMMAND … FD … NAME
bash … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
firefox … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
wireshark … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
• Next tell wireshark to look for keys by opening and reading /dev/fd/3:
Edit -> Preferences -> Protocol -> SSL
Set the Pre Master Secret log filename field to /dev/fd/3
• wireshark will open, read, and close /dev/fd/3 whenever it needs to learn a key. Each open of /dev/fd/3 is a fresh open of the (deleted) file starting at offset 0, so wireshark always sees the complete log, including keys firefox appended after the previous read:
$ strace -p $wspid -e open,read,close
open("/dev/fd/3", O_RDONLY) = 14
read(14, "# SSL/TLS secrets log file, gene"..., 4096) = 4096
read(14, "d570ba9a80f1cf21339b84f7a0292a32"..., 4096) = 4096
read(14, "f877f2b17761c2bc39e852c2abb0a896"..., 4096) = 4096
read(14, "2ec71ec4c692ae0fe0344562376230\nC"..., 4096) = 3317
close(14) = 0
• Start a wireshark capture, filtering for HTTPS traffic only:
Capture options -> Capture filter -> tcp port https
Then access the web page and view images, etc. that you want to save. To save the images in wireshark:
File -> Export Objects -> HTTP
and wait until the list of objects is filled. Then you can save some or all HTTP objects to disk.
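The procedure above collected into one script, added here as an example and not part of the original post. It assumes Linux (where /dev/fd is backed by /proc and shows "(deleted)" for unlinked files), firefox and wireshark on PATH, and that the wireshark preference is still set by hand; the CLIENT_RANDOM line prefix comes from the NSS key log format linked below, and the function names are this example's own.

```shell
#!/bin/bash
# Added example: the deleted-temp-file key log procedure as reusable functions.
# Assumes Linux (/dev/fd is backed by /proc) and firefox/wireshark on PATH.

# Create the key log as an unlinked temp file held open on fd 3 of this shell.
# Must run in the current shell, not a subshell: exec changes our own fds.
open_secret_keylog() {
    f=$(mktemp) || return 1
    exec 3<>"$f"     # fd 3: read/write on the new file
    rm -f "$f"       # unlink it; the data lives only while some fd stays open
}

# Print "yes" if fd N of this shell refers to a file that is already unlinked.
# Linux-specific: /proc/PID/fd/N then reads "<path> (deleted)".
fd_is_unlinked() {
    case "$(readlink "/proc/$$/fd/$1" 2>/dev/null)" in
        *" (deleted)") echo yes ;;
        *)             echo no  ;;
    esac
}

# Append one line to the key log. In real use NSS inside firefox does this.
append_keylog_line() {
    printf '%s\n' "$1" >&3
}

# Count CLIENT_RANDOM entries visible through /dev/fd/3. Each open of that path
# is a fresh open at offset 0, which is why wireshark can re-read the whole log
# every time it needs a key (the strace output above shows exactly that).
count_keylog_entries() {
    grep -c '^CLIENT_RANDOM ' /dev/fd/3 2>/dev/null || true
}

# Launch both programs as children so they inherit fd 3. Wireshark still needs
# its Pre Master Secret log filename preference pointed at /dev/fd/3.
launch_tools() {
    ffpid=$( SSLKEYLOGFILE=/dev/fd/3 firefox >/dev/null 2>&1 & echo $! )
    wspid=$( umask 077; wireshark >/dev/null 2>&1 & echo $! )  # saved objects get mode 0600
    echo "firefox=$ffpid wireshark=$wspid"
}

# Only launch when asked ("./keylog.sh run"); otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    open_secret_keylog
    [ "$(fd_is_unlinked 3)" = yes ] || { echo "key log still on disk, aborting" >&2; exit 1; }
    launch_tools
fi
```

Run it with `./keylog.sh run` from the terminal you intend to close afterwards; the unlinked key log disappears with the last of bash, firefox and wireshark.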
Sources:
https://developer.mozilla.org/en-US/docs/NSS_Key_Log_Format
http://ask.wireshark.org/questions/13855/tool-for-saving-files-html-php-etc-from-capture
http://www.reddit.com/r/netsec/comments/1kuevc/extracting_encryption_keys_from_firefox_and_using