Today I had to decrypt SSL/TLS traffic from my browser. There are a lot of resources available that explain the steps necessary to capture and decrypt the traffic, like How to Decrypt SSL with Wireshark – HTTPS Decryption Guide.
However, I noticed that my ssl-keys.log file wasn’t populated when starting Chrome or Firefox. The file is populated when I use curl to access a website. In the end, I found one solution to get the file populated. I used the following steps.
- Ensure Chrome and Firefox are closed.
- Launch the OS X Terminal
- Set the SSLKEYLOGFILE variable directly by using the following command:
- export SSLKEYLOGFILE="/Users/rjn/sslkeys/.ssl-keys.log"
- Start Wireshark or tcpdump to begin capturing your packets
- Start Firefox or Chrome directly from the same terminal screen using the command:
- open /Applications/<browser>
- You MUST start the browser from the same terminal, because the variable is exported only for this terminal session
- Access your browser and start browsing some HTTPS websites. The SSL session keys should now be logged and available for use in Wireshark.
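A quick way to confirm the steps above worked, as an added example that is not part of the original post: the function names keylog_prepare, keylog_count and make_sample are hypothetical, and the label list follows the NSS key log format that SSLKEYLOGFILE writers produce. Because the file holds live session secrets, it is created readable by the owner only.

```shell
#!/bin/sh
# Added example: prepare and sanity-check an NSS-format TLS key log.

# Create the key log (and its directory) so only the owner can read it.
keylog_prepare() {
    ( umask 077 && mkdir -p "$(dirname "$1")" && touch "$1" ) && chmod 600 "$1"
}

# Print "<valid> <invalid>" secret-line counts; comments and blanks are ignored.
# A valid line is: LABEL <64 hex client random> <even-length hex secret>.
keylog_count() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        {
            ok = (NF == 3) &&
                 ($1 ~ /^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET|EARLY_EXPORTER_SECRET)$/) &&
                 (length($2) == 64) && ($2 ~ /^[0-9A-Fa-f]+$/) &&
                 (length($3) >= 64) && (length($3) % 2 == 0) &&
                 ($3 ~ /^[0-9A-Fa-f]+$/)
            if (ok) valid++; else invalid++
        }
        END { printf "%d %d\n", valid, invalid }
    ' "$1"
}

# Write a constructed sample (all-zero values, not real key material).
make_sample() {
    r=$(printf '%064d' 0)   # constructed 32-byte client random
    s=$(printf '%096d' 0)   # constructed 48-byte master secret
    {
        echo "# constructed sample key log"
        echo "CLIENT_RANDOM $r $s"
        echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $r $r"
        echo "SERVER_TRAFFIC_SECRET_0 $r $r"
        echo "CLIENT_RANDOM truncated-line"
    } > "$1"
}

# When run in the terminal where SSLKEYLOGFILE is exported, report on it.
if [ -n "${SSLKEYLOGFILE:-}" ] && [ -r "$SSLKEYLOGFILE" ]; then
    keylog_count "$SSLKEYLOGFILE"
fi
```

A result of "0 0" after browsing means the browser never wrote to the file; a non-zero second number points at a truncated or corrupted log.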