sslkeylog is a Node.js module for generating a server-side SSLKEYLOG file, which Wireshark can later use to decrypt SSL/TLS connections. This method works with any TLS cipher suite, including those based on elliptic-curve cryptography.
Further reading about SSLKEYLOG:
- SSL/TLS Decryption: uncovering secrets (PDF, SharkFest'17)
- Decrypting TLS browser traffic with Wireshark: the easy way
Node.js v10+ is required. Tested on v10 (LTS) and v11 (CURRENT), OS X and Linux.
To use in your project, install as usual:
$ npm install sslkeylog
...or add to package.json and use npm/yarn to do the work.
For dev environment, clone the repository first:
$ git clone https://github.com/kolontsov/node-sslkeylog
$ cd node-sslkeylog
$ npm install
...
$ cd examples
When you have a connected TLSSocket, you may call get_session_key() to get the session key for this connection:
let server = https;server
Or just use update_log() to do exactly the same:
sslkeylog;server = https;server;
Clone the repository, build with npm install and go to the examples/ subdir. Open a few terminal tabs or tmux/screen windows.
- 1st terminal: make server (starts https server on port 8000)
- 2nd terminal: make capture (starts tcpdump on loopback interface, port 8000)
- 3rd terminal: make req (curl https://localhost:8000)
- Stop https server and tcpdump.
Now you have sslkeylog.txt (written by https server) and test.pcap (written by tcpdump).
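Before loading the key log into Wireshark, it can be sanity-checked. The following is an added example, not code from the sslkeylog project: it assumes the NSS key log format that Wireshark reads, where a TLS 1.2 line is `CLIENT_RANDOM <32-byte client random> <48-byte master secret>` in hex, and goes slightly beyond this page by also accepting the TLS 1.3 labels. The names `checkKeyLog`, `LABELS` and `SAMPLE` and the sample lines are constructed for illustration.

```javascript
// Added example: validate key log text in the NSS format that Wireshark reads.
// Allowed secret sizes in bytes per label (TLS 1.3 secrets are hash-sized).
const LABELS = new Map([
  ['CLIENT_RANDOM', [48]],                     // TLS 1.2 master secret
  ['CLIENT_EARLY_TRAFFIC_SECRET', [32, 48]],
  ['CLIENT_HANDSHAKE_TRAFFIC_SECRET', [32, 48]],
  ['SERVER_HANDSHAKE_TRAFFIC_SECRET', [32, 48]],
  ['CLIENT_TRAFFIC_SECRET_0', [32, 48]],
  ['SERVER_TRAFFIC_SECRET_0', [32, 48]],
  ['EXPORTER_SECRET', [32, 48]],
]);
const HEX = /^[0-9a-fA-F]+$/;

function checkKeyLog(text) {
  const sessions = new Set();  // distinct client randoms with a usable secret
  const errors = [];           // line number and reason only, never the secret
  let entries = 0;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;  // blank lines and comments are legal
    const fail = reason => { errors.push({ line: i + 1, reason }); };
    const parts = line.split(/\s+/);
    if (parts.length !== 3) return fail('expected 3 fields');
    const [label, random, secret] = parts;
    const sizes = LABELS.get(label);
    if (!sizes) return fail('unknown label');
    if (random.length !== 64 || !HEX.test(random)) return fail('bad client random');
    if (!HEX.test(secret) || !sizes.includes(secret.length / 2)) return fail('bad secret');
    entries += 1;
    sessions.add(random.toLowerCase());
  });
  return { entries, sessions: sessions.size, errors };
}

// Constructed sample: line 3 has a truncated secret, as if the write was cut short.
const SAMPLE = [
  '# constructed sample, not real key material',
  `CLIENT_RANDOM ${'1a'.repeat(32)} ${'2b'.repeat(48)}`,
  `CLIENT_RANDOM ${'3c'.repeat(32)} ${'4d'.repeat(40)}`,
  `SERVER_TRAFFIC_SECRET_0 ${'5e'.repeat(32)} ${'6f'.repeat(32)}`,
].join('\n');

console.log(checkKeyLog(SAMPLE));
```

To check a real log, read sslkeylog.txt as UTF-8 text and pass the string to `checkKeyLog`. Anyone holding both the key log and the capture can decrypt the recorded sessions, so keep the two files access-restricted.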
Open test.pcap in Wireshark, right-click on any TLS packet, choose Protocol Preferences → Open Secure Sockets Layer Preferences → (Pre)-Master-Secret log filename and fill in the full path to
Now you can see decrypted packets:
- Windows support?
Not tested in production, use at your own risk. Issues/PRs are welcome.