1

I am trying to decrypt TLSv1.3 packets using Wireshark. I have succeeded in doing so using this tutorial: https://blog.didierstevens.com/2020/12/28/decrypting-tls-streams-with-wireshark-part-2/

This tutorial is based on executing set SSLKEYLOGFILE="..." and using the logged file to help Wireshark decode the TLS packets. (See screenshot below)

Wireshark TLS preferences

This works when using a browser to visit a webapp and capturing its packets; however, I want to apply this technique to a native macOS app I downloaded from the App Store.

I can see the packets coming from the app in Wireshark, but I haven't figured out how to get the SSL session keys.

So the question becomes: How do I get the SSL session keys (analogous to the ones in the SSLKEYLOGFILE file) from a native macOS app?

Any help is greatly appreciated.

6
  • Unless the application explicitly supports this (like the programs that support SSLKEYLOGFILE), it would need advanced techniques (attach a debugger and/or hooking library calls) to get this information. There can be no one-size-fits-all solution.
    – Daniel B
    Commented Sep 11, 2022 at 15:36
  • @DanielB Are you suggesting some sort of MITM thing that can store the session SSL? Do you know if there is any other way to decrypt the TLS packets from the app?
    – tomvis1984
    Commented Sep 11, 2022 at 15:45
  • @DanielB I guess my question is, since the SSL session keys are somehow communicated via packets and a browser like Firefox can store them, can I use Wireshark to look at the SSL session key packets and store them manually? Are these inside of the handshakes?
    – tomvis1984
    Commented Sep 11, 2022 at 16:36
  • 1
    If that were possible, TLS would be quite pointless. ;-) Encryption has long since graduated from weak handshakes. You need to instrument the inner workings of either client or server. No way around that.
    – Daniel B
    Commented Sep 11, 2022 at 17:15
  • @DanielB okay thanks for the help :)
    – tomvis1984
    Commented Sep 12, 2022 at 7:28
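
The file named by SSLKEYLOGFILE in the question uses the NSS key log format: each line holds a label, the 32-byte client random from the ClientHello (hex), and a secret (hex). As an added example that is not part of the original thread, this Python script reports, per client random, whether a key log holds the secrets needed to decrypt a TLS 1.3 session; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format that Wireshark reads.
TLS12 = "CLIENT_RANDOM"  # TLS 1.2 and earlier: maps client random to master secret
HS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
APP = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN = HS | APP | {TLS12, "CLIENT_EARLY_TRAFFIC_SECRET",
                    "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: {labels}}, [numbers of lines that did not parse])."""
    sessions, bad = defaultdict(set), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE.match(line)
        if not m or m.group(1) not in KNOWN:
            bad.append(n)  # truncated write, unknown label, or wrong field length
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    return dict(sessions), bad

def coverage(labels):
    """Classify what the logged secrets for one session allow a dissector to decrypt."""
    if TLS12 in labels:
        return "tls1.2-full"
    if HS <= labels and APP <= labels:
        return "tls1.3-full"
    if HS <= labels:
        return "tls1.3-handshake-only"  # encrypted handshake only, no application data
    return "partial"

def report(text):
    sessions, bad = parse_keylog(text)
    return {cr: coverage(labels) for cr, labels in sessions.items()}, bad

# Constructed sample, not real key material.
A, B, C, S = "aa" * 32, "bb" * 32, "cc" * 32, "11" * 32
SAMPLE = "\n".join(
    ["# constructed sample"]
    + [f"{label} {A} {S}" for label in sorted(HS | APP)]
    + [f"{label} {B} {S}" for label in sorted(HS)]
    + [f"{TLS12} {C} {'22' * 48}", "CLIENT_TRAFFIC_SECRET_0 bbbb 1111"])

if __name__ == "__main__":
    print(report(SAMPLE))
```

The client random is the only field that also appears on the wire, which is how a capture is matched to its log lines; the secrets themselves exist only in the file.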
