You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfSSL → Creating a NSS Key Log File
Hi,
I am using WolfSSL and I want to create a key log file like specified here: https://developer.mozilla.org/en-US/doc … Log_Format. On OpenSSL this is fairly easy, as I can use SSL_CTX_set_keylog_callback to set a callback function, which receives all keys that are being created. Is there a similar easy way to archieve this in WolfSSL?
Best regards
he1n
Hi he1n,
Yes. See `WOLFSSL_SSLKEYLOGFILE` define to output master secret used by Wireshark logging to file. Defaults to sslkeylog.log, but can be overridden using `WOLFSSL_SSLKEYLOGFILE_OUTPUT`.
1. Build wolfSSL using:
./configure CFLAGS="-DSHOW_SECRETS -DWOLFSSL_SSLKEYLOGFILE"
2. By default it outputs to a file named "sslkeylog.log" using this Wireshark Pre-Master-Secret Format:
CLIENT_RANDOM <clientrandom> <mastersecret>
3. You can tell Wireshark where to find the key file via Edit→Preferences→Protocols→SSL→(Pre)-Master-Secret log filename.
Key logging feature was added in PR 1873 (https://github.com/wolfSSL/wolfssl/pull/1873)
Commit: https://github.com/wolfSSL/wolfssl/pull … dd532b587b
You will get a compiler warning for this feature because it should never be used in production. Here is the PR with those details:
https://github.com/wolfSSL/wolfssl/pull/2053
The #warning can be ignored as error using ./configure CFLAGS="-W#warnings".
Thanks,
David Garske, wolfSSL
@dgarske
Does that support TLS 1.3 though ? I have enabled the flags and also use WOLFSSL_STATIC_EPHEMERAL in order to capture my TLS 1.3 packets with the sniffer etc.
If no, how can I decrypt the traffic exchanged from a local server-client ( from the examples ) and watch it on wireshark or any similar traffic analyzer ?
Thank you
Hi cxenof03,
That is correct. For TLS v1.3 you can use HAVE_SECRET_CALLBACK and wolfSSL_set_tls13_secret_cb to setup a callback for printing the secrets for use with Wireshark.
The WOLFSSL_STATIC_EPHEMERAL feature does allow you to use a fixed ephemeral key for testing, which can be loaded into Wireshark. The WOLFSSL_STATIC_EPHEMERAL is meant to be used with the WOLFSSL sniffer (--enable-sniffer) and sslSniffer/sslSnifferTest, which allows decryption of the TLS traffic.
If you'd like some additional documentation on this please email us directly using support@wolfssl.com.
Thanks,
David Garske, wolfSSL
Hi All,
I have posted an example for using our TLS v1.3 secret logging here:
https://github.com/wolfSSL/wolfssl-examples/pull/251
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → wolfSSL → Creating a NSS Key Log File
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.017 seconds (88% PHP - 12% DB) with 11 queries