SSLKEYLOGFILE is not containing TLSv1.3 secrets #3994
Comments
Thanks! We're currently waiting for upstream to expose the new OpenSSL hooks. For now the workaround is to disable 1.3 for key logging, eventually we'll support it properly. :) refs pyca/cryptography#5187
I'm sorry for disturbing, could you please advise when you plan to fix it?
pyca/pyopenssl#910 has been merged just now, so that should not take that long…™
Looking forward to it 🤞
I'm not here to rush you (we are 1 week later now), just do you have any estimate for this fix?
No estimate. I don't think I will look into that before the next pyOpenSSL release with my changes ships. I'd be more than happy to merge a PR that implements it directly on top of cryptography (the pyOpenSSL wrapper is minimal) if somebody wants to give it a stab.
So 'cryptography' has had the required change since version 3.0, but we're waiting for either:
Use OpenSSL's keylog callback for SSLKEYLOGFILE (#3994)
Quick update: support for logging TLS 1.3 master secrets has landed on master and will be part of the next release. If you don't want to wait, you can use the snapshots from https://mitmproxy.org/downloads/#branches/master/. :)
When using mitmproxy with the SSLKEYLOGFILE environment variable, TLSv1.3 keys are not exported or correctly labeled.
I want to analyze and decrypt TLSv1.3 traffic of an application with mitmproxy and Wireshark.
I configured a gateway running mitmproxy in transparent mode, and inside mitmproxy the traffic gets decrypted, but Wireshark cannot decrypt the captured data using the keylogfile provided by mitmproxy.
After some research I found this presentation regarding the decryption of TLSv1.3 traffic with Wireshark. On Slide 9 there is a keylogfile example for decrypting TLSv1.3.
In the keylogfile provided by mitmproxy I can't find any lines starting with CLIENT_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0 nor EXPORTER_SECRET but only ones starting with CLIENT_RANDOM.
Steps to reproduce the behavior:
System Information
Mitmproxy: 5.1.1 binary
Python: 3.7.6
OpenSSL: OpenSSL 1.1.1f 31 Mar 2020
Platform: Linux-5.5.0-kali2-amd64-x86_64-with-debian-kali-rolling
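The symptom reported above (only CLIENT_RANDOM lines, none of the TLS 1.3 labels) can be checked mechanically. This is an added example, not code from the issue or from mitmproxy: it groups key log lines by client random and classifies each session. The SERVER_* labels and the choice of which four secrets count as "complete" are assumptions taken from the NSS key log format, and the sample data is constructed.

```python
import re
from collections import defaultdict

# TLS 1.3 labels of the NSS key log format. Treating these four as the set
# needed for full decryption is an assumption of this example.
TLS13_REQUIRED = frozenset({
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
})
TLS13_OTHER = frozenset({
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
})
# <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def classify(labels):
    """Map the set of labels seen for one client random to a verdict."""
    if TLS13_REQUIRED <= labels:
        return "tls13-complete"
    if labels & (TLS13_REQUIRED | TLS13_OTHER):
        return "tls13-partial"
    return "client-random-only" if "CLIENT_RANDOM" in labels else "unknown"

def report(text):
    """Return ({client_random: verdict}, [numbers of malformed lines])."""
    sessions, malformed = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(lineno)
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    return {cr: classify(ls) for cr, ls in sessions.items()}, malformed

# Constructed sample: placeholder client randoms and secrets, not real keys.
A, B, C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join([
    "# constructed sample",
    f"CLIENT_RANDOM {A} {'11' * 48}",          # what the reporter observed
    *(f"{label} {B} {'22' * 32}" for label in sorted(TLS13_REQUIRED)),
    f"EXPORTER_SECRET {B} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {C} {'33' * 32}",  # handshake secrets missing
    "CLIENT_RANDOM truncated-line",
])

if __name__ == "__main__":
    verdicts, bad = report(SAMPLE)
    for client_random, verdict in verdicts.items():
        print(client_random[:16], verdict)
    print("malformed lines:", bad)
```

A TLS 1.3 connection in the capture whose ClientHello random shows up as "client-random-only" matches the behaviour described in this issue.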