SSLKEYLOGFILE environment variable doesn't populate any text file

5

21

My operating system is Windows 10 64-bit. I use the latest versions of Firefox and Chrome.

I want to save the pre-master keys in order to use them with Wireshark.

For this, I have found many tutorials that all recommend using the SSLKEYLOGFILE environment variable.

However, no matter the path I put in this variable, no file is being created by Firefox (normal and developer editions) or Chrome. This is true even when I restart those browsers or the operating system. This is also true when I clear the cache on the browsers.

I found an alternative way of setting the SSLKEYLOGFILE variable with Chrome by launching the browser with the following argument:

--ssl-key-log-file=PATH

And while this argument does create a log file, it is never populated. It remains completely empty.

What makes this problem even more annoying is that I don't know if there's any debug log that would at least let me know what's happening.

Anyone have ideas on how to solve this issue?

Turnover answered 14/8, 2019 at 16:7 Comment(0)
14

Verified in both Chrome and Firefox
Windows 10 64-bit [Version 10.0.17763.379]

I would not use the --ssl-key-log-file flag with Chrome. In my testing, it does not have an effect.

Steps to get SSL keylog file

  1. Change your directory to one that you or your programs have access to. I am using the Desktop folder.

    PS C:\> cd $HOME\Desktop
    
  2. Set the SSLKEYLOGFILE variable. This sets it for the user (HKCU). To set it for the machine (HKLM), add the /m flag to the end of the command.

    PS C:\Users\rj\Desktop> SetX SSLKEYLOGFILE "$(get-location)\ssl.log"
    
  3. Verify that the variable has been set in a separate PowerShell window (SetX does not apply to the current window).

    PS C:\Users\rj\Desktop> Get-ChildItem ENV: | findstr SSLKEYLOGFILE
    SSLKEYLOGFILE                  C:\Users\rj\Desktop\ssl.log
    

    You can also verify that SSLKEYLOGFILE is a user variable by going to the Control Panel > System and Security > System > Advanced System Settings > Advanced tab > Environment Variables > User Variables. You should see a listing like the PowerShell example where the value is a directory.

  4. Open Chrome/Firefox and go to an https website like https://stackoverflow.com.

  5. You should see an ssl.log show up on your desktop.

Image of end result

Further Reading

You mentioned that you are using Wireshark. If you are using it to export a file from a TLS-encrypted stream in a capture, this article may help you.

Cohla answered 17/8, 2019 at 3:15 Comment(11)
Sadly, no file is being created at all, whether I use Firefox or Chrome. :( I used echo %SSLKEYLOGFILE% to make sure the variable was correctly registered (your code in step 3 didn't seem to work).Turnover
1. Please be more specific when you say "step 3 didn't work". Was there no output? Was there an error? 2. The point of step 3 is to verify that SSLKEYLOGFILE is now a user variable. I've edited it so you can check the same in the GUI.Cohla
Sorry. I meant the "Get-ChildItem" command wasn't being recognized by CMD, but I realized you wanted me to use PowerShell. Step 3 works fine on PowerShell, and much like with the echo %SSLKEYLOGFILE% command, I can see that the correct path has been set for SSLKEYLOGFILE (C:\Users\Allain\Desktop\ssl.log). Yet, no log file is created with Firefox or Chrome.Turnover
Have you tested whether this problem is device-specific? Can you replicate this on other Windows machines?Cohla
I had to give all access to everyone by right clicking via properties and security, then it worked.Melancholic
@PascalBergeron So the answer using SSLKEYLOGFILE still does not work? So this answer had better be removed?Freeness
@Freeness I've just verified that this works on my windows 10 machine. Have you verified that it doesn't work on more than one machine?Cohla
@RossJacobs It seems that at one time this option was removed from Chromium. They later added it back.Freeness
@Freeness If you have more information about the removal/readdition of this feature, it would definitely improve the answer.Cohla
For step 4, it's better to say: restart Chrome, or close all Chrome sessions and reopen it.Bouffard
I was on RDP session and needed to sign out from Windows server and in again to make it work.Fiske
5

One thing I ran into is: Chrome doesn't always fully close when you close the window. Sometimes it stays open in the background. Use the Windows Process Explorer to list all the processes and make sure Chrome is closed. Also, after restarting Chrome, you can double-click on it in Process Explorer and select the Environment tab to list all the variables set in its environment. Make sure SSLKEYLOGFILE is shown in that list. Then Chrome will be sending keys to the specified file.

Bismarck answered 13/8, 2021 at 17:10 Comment(0)
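The following PowerShell script is an added example, not code from any of the answers above. It scripts the steps of the accepted answer (persist SSLKEYLOGFILE for the user, verify it, launch the browser, check for the file) together with the two failure modes raised in this thread: a directory the browser cannot write to, and a browser process that is still running from before the variable was set, which is what the Process Explorer Environment tab check above is for. The log path, the Chrome executable path and the wait times are assumptions for the example; change them for your machine.

```powershell
# Added example, not code from the original answers. Scripts the accepted
# answer's steps plus the "was the browser really restarted?" check.
# Assumed values: the log path, the browser executable path and the waits.

$KeyLog  = Join-Path $env:USERPROFILE 'Desktop\ssl.log'
$Browser = 'C:\Program Files\Google\Chrome\Application\chrome.exe'   # assumed install path
$Names   = 'chrome', 'firefox'

# 1. Persist SSLKEYLOGFILE for this user (HKCU, the same thing SetX does) and
#    set it in the current session, so anything launched from here inherits it.
[Environment]::SetEnvironmentVariable('SSLKEYLOGFILE', $KeyLog, 'User')
$env:SSLKEYLOGFILE = $KeyLog
$setTime = Get-Date

# 2. Read the persisted copy back. Checking $env: in this window would only
#    prove the session variable, not the HKCU one new processes will see.
$persisted = [Environment]::GetEnvironmentVariable('SSLKEYLOGFILE', 'User')
if ($persisted -ne $KeyLog) { throw "SSLKEYLOGFILE not persisted, got '$persisted'" }

# 3. Prove the target directory is writable by this account. A folder the
#    browser cannot write to silently produces no file at all (the permission
#    fix reported in the comments above).
$dir   = Split-Path $KeyLog
$probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
try   { [IO.File]::WriteAllText($probe, 'probe'); Remove-Item $probe }
catch { throw "Cannot write to ${dir}: $_" }

# 4. A browser reads the variable only when its process starts. Closing the
#    window can leave background chrome.exe/firefox.exe processes alive with
#    the old environment, so end every instance first.
#    (This closes your open browser sessions.)
Get-Process -Name $Names -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2

# 5. Launch from this session (it inherits $env:) and load an HTTPS page.
$sizeBefore = if (Test-Path $KeyLog) { (Get-Item $KeyLog).Length } else { 0 }
Start-Process -FilePath $Browser -ArgumentList 'https://stackoverflow.com'
Start-Sleep -Seconds 10

# 6. Any browser process that started before the variable was set cannot
#    have inherited it; this is what Process Explorer's Environment tab shows.
$stale = Get-Process -Name $Names -ErrorAction SilentlyContinue |
         Where-Object { $_.StartTime -lt $setTime }
if ($stale) { Write-Warning "Running since before SSLKEYLOGFILE was set: PID $($stale.Id -join ', ')" }

# 7. Verify the log exists, grew, and holds key-log lines. TLS 1.2 sessions
#    log CLIENT_RANDOM; TLS 1.3 sessions log the *_TRAFFIC_SECRET labels.
if (-not (Test-Path $KeyLog)) { throw 'Key log was not created' }
if ((Get-Item $KeyLog).Length -le $sizeBefore) { throw 'Key log exists but nothing was appended' }
$entries = Select-String -Path $KeyLog -Pattern '^(CLIENT_RANDOM|[A-Z_]+_TRAFFIC_SECRET(_0)?|EXPORTER_SECRET) [0-9a-f]{64} '
"$($entries.Count) key-log entries in $KeyLog; point Wireshark (Protocols > TLS) at this file."
```

Run it from a normal PowerShell window, not an elevated one, unless the browser is also started elevated: the HKCU variable and the file ACL both belong to the account that launches the browser. If step 7 reports zero entries but the file exists, the browser that created it was not the one that served the page (for instance a stale process adopted the new window).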
1

First of all, the problem is that the browsers are better protected and that flaw is patched; that's why you can't capture any SSL. I don't know the details. But Chrome with the --no-sandbox option (Linux) on, when running, will enable you to capture the SSL/TLS key without any issues on the first try, so you can play with decryption of packets. Never tried on Windows, btw.

Sharanshard answered 8/12, 2021 at 19:25 Comment(0)
1

This worked for me...

Set the SSLKEYLOGFILE env variable as normal in Linux. Just point it to your preferred save location for the sslkey.log.

Windows: System / Advanced / Env vars / User variables. Add SSLKEYLOGFILE with the path to your preferred save location, C:/user/sslkey.log. Close and you're done here.

NSS_ALLOW_SSLKEYLOG=1 is what's missing from the Booleans in Firefox's advanced options. It's also been removed from the general release but is still in the dev ops version, just not listed.

Download and install the dev ops version of Firefox. Open a terminal and start it from its exe if on Linux; on Windows, just open it from the icon.

Go to about:config, create a new Boolean with NSS_ALLOW_SSLKEYLOG=1 and set it to true. Quit. Now create a new symbolic/icon link to the new dev version of Firefox.

When you run Firefox from the terminal in Linux, the sslkeylog should be created and start populating.

Run it from the taskbar icon in Linux and it doesn't make or update the keylog (just in case you don't want it populating every time you open the browser).

In Windows, you will have to disable the env var or it will keep populating every time you open any browser that supports SSL key logging.

On that note, Opera and Vivaldi should work with no changes to the advanced option.

Lastly, open Wireshark, go to Edit/Preferences/Protocols/TLS and put the path to the sslkey.log in the pre-master secret log box. Click OK.

Close everything. Start Wireshark, start your browser (from the terminal in Linux). You should start seeing sslkeylog start populating and see extra options for decryption in the tabs of Wireshark.

have fun :)

An answered 30/4, 2022 at 16:0 Comment(0)
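The last two steps of the answer above (pointing Wireshark at the key log and checking that decryption appears) can be verified from the command line before opening the GUI. This is an added example, not part of the original answer: it drives tshark, the command-line half of Wireshark, with the same `tls.keylog_file` preference that the Protocols > TLS dialog sets, and compares what a capture yields with and without the key log. The tshark path, the capture file name and the key log path are assumptions for the example.

```powershell
# Added example, not from the original answer. Confirms that a key log
# actually decrypts a capture, using tshark with the same preference the
# Wireshark GUI stores. Assumed: tshark install path, capture file, log path.

$tshark = 'C:\Program Files\Wireshark\tshark.exe'                  # assumed install path
$KeyLog = Join-Path $env:USERPROFILE 'Desktop\ssl.log'             # file the browser wrote
$pcap   = Join-Path $env:USERPROFILE 'Desktop\browser.pcapng'      # capture taken while the browser ran

foreach ($p in $tshark, $KeyLog, $pcap) {
    if (-not (Test-Path $p)) { throw "Missing: $p" }
}

# Same preference the GUI sets under Edit > Preferences > Protocols > TLS,
# "(Pre)-Master-Secret log filename". Passing it with -o overrides the saved
# preference for this run only.
$pref = "tls.keylog_file:$KeyLog"

# Without the key log, only opaque TLS application-data records are visible.
$encrypted = & $tshark -r $pcap -Y 'tls.app_data' -T fields -e frame.number

# With it, the HTTP/1.1 and HTTP/2 layers inside those records are dissected.
# Chrome often speaks HTTP/3 over QUIC to some sites; Wireshark uses the same
# key log for QUIC, so widen the filter to 'http or http2 or quic' if the
# capture is mostly UDP/443.
$decrypted = & $tshark -r $pcap -o $pref -Y 'http or http2' -T fields `
    -e frame.number -e http.host -e http.request.uri -e http2.headers.path

"TLS application-data frames : $($encrypted.Count)"
"Decrypted HTTP/HTTP2 frames : $($decrypted.Count)"

if ($decrypted.Count -eq 0) {
    # The key log must contain the CLIENT_RANDOM (or TLS 1.3 secrets) of the
    # very sessions in this capture. A browser restarted after the capture,
    # or a stale process that never saw SSLKEYLOGFILE, leaves nothing to match.
    Write-Warning 'Nothing decrypted: the key log does not cover the sessions in this capture.'
} else {
    $decrypted | Select-Object -First 10
}
```

Once this prints decrypted frames, opening the same capture in the Wireshark GUI with the preference set shows the "Decrypted TLS" tab in the packet bytes pane, which is the extra decryption option the answer refers to.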
0

You just need to close all the browsers tabs before creating the new user variable.

Merras answered 14/4 at 3:25 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Unwonted
