4

I'd like to open a browser in Windows, go to an HTTPS site, and perform a sequence of actions while capturing packets with Wireshark. Then I want to use the encrypted packet capture to view the decrypted HTTP traffic. I know of many ways to do this (listed below) if you forego the browser, have access to the server, or add a MITM, but none of these work when you're restricted to the scenario above. Here are my typical approaches:

Server: For sites where I have the server private key, use Wireshark's built-in SSL decryption.

MITM: An SSL proxy (e.g., Burp Suite) will allow viewing of decrypted traffic, but this requires using a different certificate and key pair than what is used by the server.

Browser: openssl's s_client can connect, make requests, and export the master secret, but this does not display the associated web pages or run JavaScript to compute subsequent request parameters.

Is there a way to export the master secret from a "normal" browser so that I can use it to later decrypt a packet capture of the browser session?

For example, is SSL/TLS state stored on disk when a browser is closed? If so, how would I access it? Is it accessible in memory while the browser is running (and if so how would I find it)?

Or, is all SSL state data stored by the OS (Windows) and not accessible directly?

Alternatively, is there a way to force a browser to use a particular master secret (and any other associated SSL state data like session ID, etc.) for a particular HTTPS connection? If so, I could set up the SSL session using s_client, and then transfer the key data to the browser and open a new connection in the same session. This would accomplish the same goal through different means.

4

1 Answer

9

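For browsers that use the NSS library (e.g., Firefox), you can set the SSLKEYLOGFILE environment variable, which causes NSS to save the necessary secrets. You can then use that file directly with Wireshark. More information can be found here.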

Answered 2013-03-27T16:08:37.497
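
An added example, not part of the original answer: a small Python parser for the file that SSLKEYLOGFILE produces, useful for checking that the session in a capture actually has secrets logged before loading the file into Wireshark. It assumes the NSS key log line format `<label> <client random hex> <secret hex>`; the names `parse_keylog` and `labels_for` and the sample values are constructed for illustration.

```python
import re

# Labels from the NSS key log format. CLIENT_RANDOM carries the 48-byte master
# secret (TLS 1.2 and earlier); the rest are TLS 1.3 secrets (32 or 48 bytes).
SECRET_HEX_LEN = {
    "CLIENT_RANDOM": {96},
    "CLIENT_EARLY_TRAFFIC_SECRET": {64, 96},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {64, 96},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {64, 96},
    "CLIENT_TRAFFIC_SECRET_0": {64, 96},
    "SERVER_TRAFFIC_SECRET_0": {64, 96},
    "EXPORTER_SECRET": {64, 96},
}
HEX = re.compile(r"[0-9a-fA-F]+")

def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_bytes}}, [rejected line numbers])."""
    sessions, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        parts = line.split(" ")
        if len(parts) != 3:
            rejected.append(lineno)
            continue
        label, client_random, secret = parts
        valid = (
            len(client_random) == 64 and HEX.fullmatch(client_random)
            and len(secret) in SECRET_HEX_LEN.get(label, ()) and HEX.fullmatch(secret)
        )
        if not valid:
            rejected.append(lineno)  # unknown label, bad hex, or truncated value
            continue
        sessions.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return sessions, rejected

def labels_for(sessions, client_random_hex):
    """Labels logged for the ClientHello random seen in the capture."""
    return sorted(sessions.get(client_random_hex.lower(), {}))

# Constructed sample; the values are filler, not real session secrets.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cd" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cd" * 32 + " " + "33" * 32,
    "CLIENT_RANDOM " + "ef" * 32 + " " + "44" * 10,  # truncated secret
])
```

The key log holds the secrets for every session the browser opened while the variable was set, so keep it access-restricted and delete it once the analysis is done. In Wireshark the file is supplied through the TLS protocol preference "(Pre)-Master-Secret log filename".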