Server-side SSLKEYLOG generation for further analysis in Wireshark
node-sslkeylog

sslkeylog is a Node.js module for generating a server-side SSLKEYLOG file, which Wireshark can later use to decrypt the captured TLS connections. This method works with any TLS cipher suite, including elliptic-curve cryptography, because it records the per-session master secret rather than relying on the server's RSA private key.

Further reading about SSLKEYLOG:

Installation

Node.js v10+ is required. Tested on v10 (LTS) and v11 (CURRENT), OS X and Linux.

To use in your project, install as usual:

$ npm install sslkeylog

...or add to package.json and use npm/yarn to do the work.

For dev environment, clone the repository first:

$ git clone https://github.com/kolontsov/node-sslkeylog
$ cd node-sslkeylog
$ npm install
...
$ cd examples

Usage

When you have a connected TLSSocket, you can call get_session_key() to get the session key for that connection:

const fs = require('fs');
const https = require('https');
const sslkeylog = require('sslkeylog');
// key and cert hold the PEM-encoded server private key and certificate
let server = https.createServer({key, cert});
server.on('secureConnection', tls_socket=>{
    // client_random and master_key are Buffers for this TLS session
    const {client_random, master_key} = sslkeylog.get_session_key(tls_socket);
    const hex1 = client_random.toString('hex');
    const hex2 = master_key.toString('hex');
    // one CLIENT_RANDOM line per session, in the format Wireshark reads
    fs.appendFileSync('/tmp/sslkeylog.txt', `CLIENT_RANDOM ${hex1} ${hex2}\n`);
});

Or just use set_log() and update_log() to do exactly the same:

const sslkeylog = require('sslkeylog');
const https = require('https');
sslkeylog.set_log('sslkeylog.txt');
const server = https.createServer({key, cert});
// update_log() appends a CLIENT_RANDOM line for every new TLS session
server.on('secureConnection', sslkeylog.update_log);

Demo

Clone the repository, build it with npm install and go to the examples/ subdirectory. Open a few terminal tabs or tmux/screen windows.

  1. 1st terminal: make server (starts https server on port 8000)
  2. 2nd terminal: make capture (starts tcpdump on loopback-interface, port 8000)
  3. 3rd terminal: make req (curl https://localhost:8000)
  4. Stop https server and tcpdump.

Now you have sslkeylog.txt (written by https server) and test.pcap (written by tcpdump).

Open test.pcap in Wireshark, right-click on any TLS packet, choose Protocol Preferences → Open Secure Sockets Layer Preferences → (Pre)-Master-Secret log filename and fill in the full path to sslkeylog.txt.

Now you can see decrypted packets:

wireshark screenshot

TODO

  • windows support?

Bugs

Not tested in production, use at your own risk. Issues/PRs are welcome.

License

MIT