
I am trying to decrypt TLSv1.3 packets using Wireshark. I have succeeded in doing so using this tutorial: https://blog.didierstevens.com/2020/12/28/decrypting-tls-streams-with-wireshark-part-2/

This tutorial is based on executing `set SSLKEYLOGFILE="..."` and using the logged file to help Wireshark decode the TLS packets. (See screenshot below.)

[Screenshot: Wireshark TLS preferences]

This works when using a browser to visit a web app and capturing its packets; however, I want to apply this technique to a native macOS app I downloaded from the App Store.

I can see the packets coming from the app in Wireshark, but I haven't figured out how to get the SSL session keys.

So the question becomes: how do I get the SSL session keys (analogous to the ones in the SSLKEYLOGFILE file) from a native macOS app?

Any help is greatly appreciated.
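As an added example (not part of the question or of Didier Stevens' tutorial), here is a small checker for the key log file itself. The file format is the NSS key log format that Wireshark reads: one entry per line, `<label> <client random, 64 hex chars> <secret, hex>`, with `#` comments. The client random is the same 32-byte value that appears in plaintext in the session's ClientHello, which is how Wireshark matches a log line to a capture. The sample log embedded below is constructed, and the labels listed are the ones the NSS format documents; the script reports whether the file holds what Wireshark needs for a given session (a single `CLIENT_RANDOM` line for TLS 1.2, the handshake and application traffic secrets for TLS 1.3).

```python
"""Validate an SSLKEYLOGFILE (NSS key log format) and report per-session coverage.

Added example, not from the original post. Legacy "RSA" lines (16 hex chars of
the encrypted premaster instead of a client random) are deliberately not handled.
"""
import re
from collections import defaultdict

# Labels defined by the NSS key log format and understood by Wireshark's TLS dissector.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_LABELS

# <label> <client random: exactly 32 bytes hex> <secret: hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+)\s+(?P<client_random>[0-9a-fA-F]{64})\s+(?P<secret>[0-9a-fA-F]+)\s*$"
)


def parse_keylog(text):
    """Return (entries, problems).

    entries:  list of (label, client_random_lowercase_hex, secret_length_in_bytes)
    problems: list of (line_number, description) for lines Wireshark would ignore
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed line"))
            continue
        label = m["label"]
        if label not in KNOWN_LABELS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        secret_hex = m["secret"]
        if len(secret_hex) % 2:
            problems.append((lineno, "odd-length secret"))
            continue
        entries.append((label, m["client_random"].lower(), len(secret_hex) // 2))
    return entries, problems


def sessions(entries):
    """Group the labels present in the log by client random (one group per TLS session)."""
    by_random = defaultdict(set)
    for label, client_random, _ in entries:
        by_random[client_random].add(label)
    return dict(by_random)


def coverage(entries, client_random):
    """What Wireshark could decrypt for the session whose ClientHello carried this random."""
    labels = sessions(entries).get(client_random.lower(), set())
    return {
        "tls12": "CLIENT_RANDOM" in labels,
        "tls13_handshake": {"CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                            "SERVER_HANDSHAKE_TRAFFIC_SECRET"} <= labels,
        "tls13_application": {"CLIENT_TRAFFIC_SECRET_0",
                              "SERVER_TRAFFIC_SECRET_0"} <= labels,
    }


# Constructed sample log (not a real capture): one complete TLS 1.3 session (aa..),
# one TLS 1.2 session (bb..), one TLS 1.3 session missing its application secrets
# (cc..), plus a malformed line and a line with an unknown label.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real key log",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'11' * 48}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'22' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {'aa' * 32} {'33' * 48}",
    f"SERVER_TRAFFIC_SECRET_0 {'aa' * 32} {'44' * 48}",
    "",
    f"CLIENT_RANDOM {'bb' * 32} {'55' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'66' * 32}",
    "CLIENT_RANDOM notahex 1122",
    f"MY_SECRET {'ee' * 32} {'77' * 8}",
])

if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    for client_random, labels in sessions(found).items():
        print(client_random[:16] + "...", coverage(found, client_random))
    for lineno, why in bad:
        print(f"line {lineno}: {why}")
```

Pointing the script at a real log (read the file into `parse_keylog`) and passing the client random copied from the ClientHello in Wireshark tells you whether the missing decryption is a key log problem or, as in the native-app case, simply a session that was never logged.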

  • Unless the application explicitly supports this (like the programs that support `SSLKEYLOGFILE`), it would need advanced techniques (attach a debugger and/or hooking library calls) to get this information. There can be no one-size-fits-all solution. – Daniel B Sep 11 '22 at 15:36
  • @DanielB Are you suggesting some sort of MITM thing that can store the SSL session? Do you know if there is any other way to decrypt the TLS packets from the app? – tomvis1984 Sep 11 '22 at 15:45
  • @DanielB I guess my question is, since the SSL session keys are somehow communicated via packets and a browser like Firefox can store them, can I use Wireshark to look at the SSL session key packets and store them manually? Are these inside of the handshakes? – tomvis1984 Sep 11 '22 at 16:36
  • If that were possible, TLS would be quite pointless. ;-) Encryption has long since graduated from weak handshakes. You need to instrument the inner workings of either client or server. No way around that. – Daniel B Sep 11 '22 at 17:15
  • @DanielB okay thanks for the help :) – tomvis1984 Sep 12 '22 at 07:28
  • The answer from @netresec at [https://superuser.com/a/1551957/603912] to a similar question provides some TLS proxy (a.k.a. MITM) based solutions, which might be helpful. – Yingyu YOU Jul 07 '23 at 01:07

0 Answers