Topic: Creating an NSS Key Log File

Hi,

I am using WolfSSL and I want to create a key log file as specified here: https://developer.mozilla.org/en-US/doc … Log_Format. On OpenSSL this is fairly easy, as I can use SSL_CTX_set_keylog_callback to set a callback function, which receives all keys that are being created. Is there a similarly easy way to achieve this in WolfSSL?

Best regards
he1n


Re: Creating an NSS Key Log File

Hi he1n,

Yes. See the `WOLFSSL_SSLKEYLOGFILE` define to output the master secret used by Wireshark logging to a file. It defaults to sslkeylog.log, but this can be overridden using `WOLFSSL_SSLKEYLOGFILE_OUTPUT`.

1. Build wolfSSL using:
./configure CFLAGS="-DSHOW_SECRETS -DWOLFSSL_SSLKEYLOGFILE"

2. By default it outputs to a file named "sslkeylog.log" using this Wireshark Pre-Master-Secret Format:
CLIENT_RANDOM <clientrandom> <mastersecret>

3. You can tell Wireshark where to find the key file via Edit→Preferences→Protocols→SSL→(Pre)-Master-Secret log filename.

The key logging feature was added in PR 1873 (https://github.com/wolfSSL/wolfssl/pull/1873)
Commit: https://github.com/wolfSSL/wolfssl/pull … dd532b587b

You will get a compiler warning for this feature because it should never be used in production. Here is the PR with those details:
https://github.com/wolfSSL/wolfssl/pull/2053

The #warning can be ignored as an error using ./configure CFLAGS="-W#warnings".

Thanks,
David Garske, wolfSSL


Re: Creating an NSS Key Log File

@dgarske
Does that support TLS 1.3 though? I have enabled the flags and also use WOLFSSL_STATIC_EPHEMERAL in order to capture my TLS 1.3 packets with the sniffer etc.
If not, how can I decrypt the traffic exchanged between a local server and client (from the examples) and watch it in Wireshark or any similar traffic analyzer?

Thank you


Re: Creating an NSS Key Log File

Hi cxenof03,

That is correct. For TLS v1.3 you can use HAVE_SECRET_CALLBACK and wolfSSL_set_tls13_secret_cb to set up a callback for printing the secrets for use with Wireshark.

The WOLFSSL_STATIC_EPHEMERAL feature does allow you to use a fixed ephemeral key for testing, which can be loaded into Wireshark. The WOLFSSL_STATIC_EPHEMERAL is meant to be used with the WOLFSSL sniffer (--enable-sniffer) and sslSniffer/sslSnifferTest, which allows decryption of the TLS traffic.

If you'd like some additional documentation on this please email us directly using support@wolfssl.com.

Thanks,
David Garske, wolfSSL

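The two replies above describe the line format wolfSSL writes for TLS 1.2 (`CLIENT_RANDOM <clientrandom> <mastersecret>`) and the per-secret callback used for TLS 1.3. The following is an added, self-contained example (not wolfSSL's code and not from the linked PRs) of the formatting and checking logic a secret callback would need: it hex-encodes a client random and a secret into one NSS key log line, and validates a line the way a consumer such as Wireshark reads it. It does not include wolfSSL headers, so the mapping from the integer secret id that wolfSSL passes to `wolfSSL_set_tls13_secret_cb` callbacks to the label string is left out; the label names themselves are the standard NSS key log labels. All byte values are constructed sample data, not real session secrets.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

/* Labels Wireshark understands in an NSS key log file. CLIENT_RANDOM is the
 * TLS 1.2 master-secret line; the others are the TLS 1.3 per-secret lines. */
#define KL_CLIENT_RANDOM                   "CLIENT_RANDOM"
#define KL_CLIENT_EARLY_TRAFFIC_SECRET     "CLIENT_EARLY_TRAFFIC_SECRET"
#define KL_CLIENT_HANDSHAKE_TRAFFIC_SECRET "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
#define KL_SERVER_HANDSHAKE_TRAFFIC_SECRET "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define KL_CLIENT_TRAFFIC_SECRET_0         "CLIENT_TRAFFIC_SECRET_0"
#define KL_SERVER_TRAFFIC_SECRET_0         "SERVER_TRAFFIC_SECRET_0"
#define KL_EXPORTER_SECRET                 "EXPORTER_SECRET"

#define TLS_RANDOM_LEN 32   /* ClientHello.random is always 32 bytes */
#define MAX_SECRET_LEN 64   /* SHA-512 based suites yield 64-byte secrets */
#define KEYLOG_LINE_MAX (64 + 1 + 2 * TLS_RANDOM_LEN + 1 + 2 * MAX_SECRET_LEN + 2)

/* Lower-case hex encoding with a terminating NUL; returns 0 if out is too small. */
static size_t hex_encode(const unsigned char *in, size_t in_len, char *out, size_t out_len)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;
    if (out_len < in_len * 2 + 1)
        return 0;
    for (i = 0; i < in_len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[in_len * 2] = '\0';
    return in_len * 2;
}

/* Write "<label> <client_random hex> <secret hex>\n" into out.
 * Returns the line length, or 0 if the inputs do not form a valid record. */
size_t keylog_format_line(const char *label,
                          const unsigned char *client_random, size_t random_len,
                          const unsigned char *secret, size_t secret_len,
                          char *out, size_t out_len)
{
    char rnd_hex[2 * TLS_RANDOM_LEN + 1];
    char sec_hex[2 * MAX_SECRET_LEN + 1];
    int n;

    if (label == NULL || strlen(label) == 0 || strlen(label) > 63)
        return 0;
    if (random_len != TLS_RANDOM_LEN || secret_len == 0 || secret_len > MAX_SECRET_LEN)
        return 0;
    if (!hex_encode(client_random, random_len, rnd_hex, sizeof rnd_hex))
        return 0;
    if (!hex_encode(secret, secret_len, sec_hex, sizeof sec_hex))
        return 0;
    n = snprintf(out, out_len, "%s %s %s\n", label, rnd_hex, sec_hex);
    if (n < 0 || (size_t)n >= out_len)
        return 0;
    return (size_t)n;
}

static int is_hex_string(const char *s, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Check one line the way a consumer (Wireshark) reads it: a non-empty label,
 * a 64-hex-digit client random and an even-length hex secret, space separated.
 * Returns 1 if the line is well formed, 0 otherwise. */
int keylog_line_is_valid(const char *line)
{
    const char *sp1 = strchr(line, ' ');
    const char *sp2, *end;
    size_t sec_len;

    if (sp1 == NULL || sp1 == line)
        return 0;                                   /* empty label */
    sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL || (size_t)(sp2 - (sp1 + 1)) != 2 * TLS_RANDOM_LEN)
        return 0;                                   /* random must be 64 hex chars */
    if (!is_hex_string(sp1 + 1, 2 * TLS_RANDOM_LEN))
        return 0;
    end = sp2 + 1 + strcspn(sp2 + 1, "\r\n");
    sec_len = (size_t)(end - (sp2 + 1));
    if (sec_len == 0 || (sec_len % 2) != 0 || !is_hex_string(sp2 + 1, sec_len))
        return 0;
    return 1;
}

/* Builds one line from constructed sample values (client random 0x00..0x1f,
 * secret aa bb cc). Returns a static buffer, or NULL on failure. */
const char *keylog_demo_line(void)
{
    static char line[KEYLOG_LINE_MAX];
    unsigned char client_random[TLS_RANDOM_LEN];
    unsigned char secret[3] = { 0xaa, 0xbb, 0xcc };   /* constructed, not a real secret */
    size_t i;

    for (i = 0; i < TLS_RANDOM_LEN; i++)
        client_random[i] = (unsigned char)i;
    if (keylog_format_line(KL_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
                           client_random, sizeof client_random,
                           secret, sizeof secret, line, sizeof line) == 0)
        return NULL;
    return keylog_line_is_valid(line) ? line : NULL;
}

int main(void)
{
    const char *line = keylog_demo_line();
    if (line == NULL) {
        fprintf(stderr, "failed to build key log line\n");
        return 1;
    }
    fputs(line, stdout);   /* a real callback would append this to the key log file */
    return 0;
}
```

In a build with HAVE_SECRET_CALLBACK, the callback registered through wolfSSL_set_tls13_secret_cb would call keylog_format_line with the label chosen from the secret id and append the result to the file Wireshark is pointed at; keylog_line_is_valid is useful for checking a generated file before loading it, since a malformed random or secret field makes Wireshark silently skip the line.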

Re: Creating an NSS Key Log File

Hi All,

I have posted an example for using our TLS v1.3 secret logging here:
https://github.com/wolfSSL/wolfssl-examples/pull/251

Thanks,
David Garske, wolfSSL
