MacOS Big Sur and SSLKEYFILELOG

Today I had to decrypt SSL/TLS traffic from my browser. There are a lot of resource available to explain the steps necessary to capture traffic and decrypt the traffic, like How to Decrypt SSL with Wireshark – HTTPS Decryption Guide.

However, I noticed that my ssl-keys.log file wasn’t populated when starting Chrome of Firefox. The file is populated when I use curl to access a website. In the end, I found one solution to get the file populated. I used the following steps.

  1. Ensure Chrome and Firefox are closed.
  2. Launch the OS X Terminal
  3. Set the SSLKEYLOGFILE variable directly by using the following command:
    • export SSLKEYLOGFILE=”/Users/rjn/sslkeys/.ssl-keys.log”
  4. Start WireShark or tcpdump to start capturing your packets
  5. Start Firefox or Chrome directly from the same terminal screen using the command:
    • open /Application/<browser>
    • You MUST start the browser from the same command terminal, because the session variable is set only for this terminal session
  6. Access your browser and start browsing some HTTPS websites. The SSL session keys should be logged now and should be available to be used within WireShark.
The following two tabs change content below.

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.