
SSLKEYLOGFILE does not contain TLSv1.3 secrets #3994

Closed
br-olf opened this issue May 11, 2020 · 8 comments · Fixed by #4298
Comments

@br-olf

br-olf commented May 11, 2020

When using mitmproxy with the SSLKEYLOGFILE environment variable TLSv1.3 keys are not exported or correctly labeled.

I want to analyze and decrypt TLSv1.3 traffic of an application with mitmproxy and Wireshark.
I configured a gateway running mitmproxy in transparent mode and inside mitmproxy the traffic gets decrypted but Wireshark can not decrypt the captured data using the keylogfile provided by mitmproxy.
After some research I found this presentation regarding the decryption of TLSv1.3 traffic with Wireshark. On Slide 9 there is a keylogfile example for decrypting TLSv1.3.
In the keylogfile provided by mitmproxy I can't find any lines starting with CLIENT_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0 nor EXPORTER_SECRET but only ones starting with CLIENT_RANDOM.

Steps to reproduce the behavior:

  1. Export the SSLKEYLOGFILE environment variable
  2. Set up mitmproxy in transparent mode
  3. Open a website using TLSv1.3
  4. Check the keylogfile

System Information

Mitmproxy: 5.1.1 binary
Python: 3.7.6
OpenSSL: OpenSSL 1.1.1f 31 Mar 2020
Platform: Linux-5.5.0-kali2-amd64-x86_64-with-debian-kali-rolling

@br-olf br-olf added the kind/triage Unclassified issues label May 11, 2020
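The check described in the report above, as an added Python example that is not part of this issue thread or of mitmproxy: it parses an NSS-format key log (the file SSLKEYLOGFILE points at) and reports, per client random, whether the entry can serve only TLS 1.2-or-earlier decryption (a CLIENT_RANDOM line) or a complete TLS 1.3 session (the handshake and application traffic secrets). The sample log, the function names and the choice of which TLS 1.3 labels count as "required" are this script's own assumptions for illustration, not Wireshark's exact rule.

```python
"""Classify an NSS key log (SSLKEYLOGFILE format) by what it can decrypt.

Added example, not mitmproxy code. Label names are the ones defined by the
NSS key log format; the "required" split below is this script's policy.
"""
from collections import Counter, defaultdict

# TLS 1.2 and earlier: one line per session, keyed on the 32-byte client random.
TLS12_LABELS = {"CLIENT_RANDOM"}

# TLS 1.3: the secrets a decryptor needs for both directions of the encrypted
# handshake and of application data (assumption: treat all four as required).
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
# Present in complete logs but not needed to decrypt 1-RTT traffic.
TLS13_OPTIONAL = {
    "EXPORTER_SECRET",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
}


def _is_hex(s: str) -> bool:
    """True for an even-length hex string (bytes.fromhex rejects odd lengths)."""
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def parse_keylog(text: str) -> dict:
    """Return {client_random_hex: {label: secret_hex}}.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError with its line number so a truncated or mislabeled log is
    noticed instead of silently yielding an empty result.
    """
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, secret = parts
        if len(client_random) != 64 or not _is_hex(client_random):
            raise ValueError(f"line {lineno}: client random is not 32 hex bytes")
        if not _is_hex(secret):
            raise ValueError(f"line {lineno}: secret is not valid hex")
        sessions[client_random][label] = secret
    return dict(sessions)


def classify_sessions(sessions: dict) -> dict:
    """Map each client random to 'tls12', 'tls13', 'tls13-incomplete' or 'unknown'."""
    result = {}
    for client_random, labels in sessions.items():
        names = set(labels)
        if names & TLS12_LABELS:
            result[client_random] = "tls12"
        elif TLS13_REQUIRED <= names:
            result[client_random] = "tls13"
        elif names & (TLS13_REQUIRED | TLS13_OPTIONAL):
            result[client_random] = "tls13-incomplete"
        else:
            result[client_random] = "unknown"
    return result


def summarize(text: str) -> dict:
    """Count sessions per class, e.g. {'tls12': 1, 'tls13': 1}."""
    return dict(Counter(classify_sessions(parse_keylog(text)).values()))


def can_decrypt_tls13(text: str) -> bool:
    """The question the report asks: is any complete TLS 1.3 session logged?"""
    return "tls13" in summarize(text)


# Constructed sample, not from a real capture: one TLS 1.2-style entry,
# one complete TLS 1.3 session and one TLS 1.3 session missing three labels.
CR_A, CR_B, CR_C = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample for illustration",
    f"CLIENT_RANDOM {CR_A} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {'b4' * 32}",
    f"EXPORTER_SECRET {CR_B} {'b5' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_C} {'c3' * 32}",
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYLOG
    print(summarize(text), "tls13 decryptable:", can_decrypt_tls13(text))
```

Run it against the real file (`python keylog_check.py "$SSLKEYLOGFILE"`) after reproducing the steps above: a log that contains only CLIENT_RANDOM lines reports `tls13 decryptable: False`, which is the state the report describes. The script cannot tell whether a CLIENT_RANDOM entry was written for a session that was in fact TLS 1.3; that needs the capture, where the ServerHello's supported_versions extension shows the negotiated version.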
@mhils
Member

mhils commented May 11, 2020

Thanks! We're currently waiting for upstream to expose the new OpenSSL hooks. For now the workaround is to disable 1.3 for key logging, eventually we'll support it properly. :)

refs pyca/cryptography#5187
refs pyca/pyopenssl#910

@iamtomkeen

I'm sorry for disturbing, could you please advise when you plan to fix it?

@rugk
Contributor

rugk commented Jul 28, 2020

pyca/pyopenssl#910 has been merged just now, so that should not take that long…™

@iamtomkeen

Looking forward to it 🤞

@iamtomkeen

I'm not here to rush you (we are 1 week later now), just do you have any estimate for this fix?

@mhils
Member

mhils commented Aug 4, 2020

No estimate. I don't think I will look into that before the next pyOpenSSL release with my changes ships.

I'd be more than happy to merge a PR that implements it directly on top of cryptography (the pyOpenSSL wrapper is minimal) if somebody wants to give it a stab.

@raboof

raboof commented Sep 10, 2020

So 'cryptography' has had the required change since version 3.0, but we're waiting for either:

  • a post-19.1.0 release of pyOpenSSL
  • someone to step up and build the feature directly on top of cryptography, side-stepping the missing pyOpenSSL release

@mhils
Member

mhils commented Nov 28, 2020

Quick update: support for logging TLS 1.3 master secrets has landed on master and will be part of the next release. If you don't want to wait, you can use the snapshots from https://mitmproxy.org/downloads/#branches/master/. :)
