My operating system is Windows 10 64 bits. I use the latest versions of Firefox and Chrome.
I want to save the pre-master keys in order to use them with WireShark.
For this, I have found many tutorials that all recommend using the SSLKEYLOGFILE environment variable.
However, no matter the path I put in this variable, no file is being created by Firefox (normal and developer editions) or Chrome. This is true even when I restart those browsers or the operating system. This is also true when I clear the cache on the browsers.
I found an alternative way of setting the SSLKEYLOGFILE variable with Chrome by launching the browser with the following argument:
--ssl-key-log-file=PATH
And while this argument does create a log file, it is never populated. It remains completely empty.
What makes this problem even more annoying is that I don't know if there's any debug log that would at least let me know what's happening.
Anyone have ideas on how to solve this issue?
Verified in both Chrome and Firefox
Windows 10 64bit [Version 10.0.17763.379]
I would not use the --ssl-key-log-file flag with Chrome. In my testing, it does not have an effect.
Steps to get SSL keylog file
Change your directory to one that you or your programs have access to. I am using the Desktop folder.
C:\> cd $HOME\Desktop
Set the SSLKEYLOGFILE variable. This sets it for the user (HKCU). To set it for the machine (HKLM), add the /m flag to the end of the command.
PS C:\Users\rj\Desktop> SetX SSLKEYLOGFILE "$(get-location)\ssl.log"
Verify that the variable has been set in a separate powershell window (SetX does not apply to the current window).
PS C:\Users\rj\Desktop> Get-ChildItem ENV: | findstr SSLKEYLOGFILE
SSLKEYLOGFILE C:\Users\rj\Desktop\ssl.log
You can also verify that SSLKEYLOGFILE is a user variable by going to the Control Panel > System and Security > System > Advanced System Settings > Advanced tab > Environment Variables > User Variables. You should see a listing like the powershell example where the value is a directory.
Open Chrome/Firefox and go to an https website like https://stackoverflow.com.
You should see an ssl.log show up on your desktop.
Image of end result
Further Reading
2018-12-07, F5, Decrypting SSL traffic: Great article on doing the above, but cross-platform
2019-03-18, Mozilla, NSS Key Log Format
: The SSLKEYLOGFILE format
2018-08-17, Wireshark Bugzilla, Add TLS 1.3 support: Has good test pcap/SSLKEYLOGFILE contents for TLS1.3 (See Comment 83)
You mentioned that you are using Wireshark. If you using it to export a file from a TLS-encrypted stream in a capture, this article may help you.
One thing I ran into is: Chrome doesn't always fully close when you close the window. Sometimes it stays open in the background. Use the Windows Process Explorer to list all the processes and make cure Chrome is closed. Also, after restarting Chrome, you can double click on it in Process Explorer and select the Environment tab to list all the variables set in it's environment. Make sure SSLKEYLOGFILE is shown in that list. Then Chrome will be sending keys to the specified file.
First off all the problem is that the browsers are protected better and that flaw is patched, thats why you cant capture no ssl. I dont know the details. But chrome with --no-sandbox(linux) option on ,when running will enable you to capture ssl/tls key without any issues from the first try, so you can play with decription of packets. Never tried on windows btw..
This worked for me...
set the SSKEYLOG env: variable as normal in Linux.
just point it to your pefererd save location of the sslkey.log
windows system/advance/env vars/user variables.
add SSLKEYLOGfile with the path to your preferred save location C:/user/sslkey.log
close and your done here.
NSS_ALLOW_SSLKEYLOG=1 is what's missing from the Booleans in Firefox's advanced options.
its been also removed from the general release but is still in the dev ops version. just not listed.
download and install the dev ops version of Firefox
open a terminal start it from its exe if on Linux.
windows just open it from the icon.
go to the about:config
create a new Boolean with NSS_ALLOW_SSLKEYLOG=1 and set it to true.
quit
now create a new symbolic/icon link to the new dev version fire fox version
when you run Firefox from the terminal in Linux the sskeylog should be created and start populating.
run it from the task bar icon in Linux and it doesn't make or update the keylog (just in case you dont want it populating every time you open the browser).
in windows, you will have to disable the env var or it will keep populating every time you open any browser that supports sslkey logging.
on that note opera and vivaldi should work with no changes to the advanced option.
lastly.. open wireshark go to
edit/preferences/protocols/tls
and put the path to the sslkey.log in the pre master secret log box.
click ok.
close everything..
start Wireshark
start your browser (from terminal in linux).
you should start seeing sslkeylog start populating and see extra options for decryption in the tabs of Wireshark.
have fun :)
1st solution:
Restart Chrome
2nd solution:
Use Firefox
Related
Google Chrome is ignoring the settings in C:/Windows/System32/drivers/etc/hosts file. Both IE11 and Firefox are installed on the same machine and work as expected.
I've tried all the solutions I could find online including:
Open chrome://net-internals/#dns and click the Clear Hosts Cache button.
Go in Settings, Show Advanced Settings and uncheck the following three options: (X) Use a web service to help resolve navigation errors (X) Use a prediction service to help complete searches and URLs typed in the address bar (X) Use a prediction service to load pages more quickly
Go in Settings, Show Advanced Settings, click the Clear Browsing Data button, selected Cached Images And Files from the beginning of time, and click Clear Browsing Data.
Restart Chrome.exe.
Restart the computer.
Make sure to add http:// to the front of the web address.
Make sure proxy settings are turned off
Run cmd.exe and run ipconfig /flushdns
Uninstall and reinstall Chrome
I'm at a loss... Is there anything I missed that I can try or check?
Seems that Chrome doesn't likes the following extensions for that kind of stuff:
.dev
.localhost
.test
.example
.app
Use .local and the problem seems to disappear.
If anyone stumbles on this problem in 2021, for me the fix was to disable Use secure DNS option from chrome settings. After disabling that, all the options in the hosts file started working.
The option is located under Privacy and Security > Use secure DNS
Link to get there faster:
chrome://settings/security
This has been identified as a "bug" in Chrome, but it appears to be absolutely intentional behavior. Google Chrome does not honor /etc/hosts when connected to the Internet. It always does a DNS lookup to determine IP addresses.
While my references below mostly relate to my expereinces with this on Linux, it is not confined to Linux.
https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/iKXqyc40tW0
https://superuser.com/a/887199/75128
https://bugs.chromium.org/p/chromium/issues/detail?id=117655
Okay I faced the same problem but then I found the solution.
Try this:
Go to history (Ctrl+H) -> In the left pane click on Clear browsing data
In the new window that opens go to Advanced tab
Set Time Range to All Time -> check Cached Images and Files -> click on Clear data
Restart your computer, It should start redirecting addresses mentioned in Hosts file (C:\Windows\System32\drivers\etc\hosts)
Note: This Solution is only for Google Chrome
Try clearing the DNS Cache:
1) run cmd.exe as administrator
2) type: ipconfig /flushdns
I just encountered this tonight and none of these options worked. I discovered that Chrome now hides "www" (https://www.howtogeek.com/435728/chrome-now-hides-www-and-https-in-addresses.-do-you-care/). Chrome was using my hosts file, but I had to add "www." to my hostname in my hosts file since that's what the browser is actually requesting, even if it doesn't show it.
A little late, but after hours i find a solution. It seems that Google Chrome sometimes has problems on recognize the name of the hosts defined en /etc/hosts.
I'm using linux and i'm behind a proxy.
Try adding at the end of the name server: .localhost
Example:
At: /etc/hosts:
127.0.0.1 myservername.localhost
On the virtual-hosts of your server configuration you'll need to rename the server name. In my case, i'm using apache so at /etc/apache/sites-enabled/myserver.conf rename the line of the old server name with:
...
ServerName: myservername.localhost
If you are behind a proxy, you can except all the hosts just adding to the no_proxy vars:
$no_proxy= "localhost"
Finally don't forget to restart the server and try to access on the browser with the new server name.
😊 simple answer 😊
there are 3 workarounds about this:
1- deleting Visited Links binary file (beauty👍)
2- using .local or .app instead of your desired TLD (standard & preferred by chrome docs but i don't like it)
3- restarting your computer (ugly👎)
deleting Visited Links binary:
kill all chrome tasks (close all chrome windows:))
delete C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data\Default\Visited Links binary
you can define a function in your shell profile to perform this fast and just by a command whenever you face this issue: e.g:
function respectHosts () {
$path = $HOME + "\AppData\Local\Google\Chrome\User Data\Default\Visited Links";
Remove-Item $path;
}
important Note:
it is suggested that first time after deleting Visited Links binary file, also delete your history cause if you use a url from history, actually you are using the cached dns of that url too:
Running Chrome 105 on Windows 11, nothing seemed to work until I added ::1 (i.e. ipv6) in addition to 127.0.0.1. For example:
127.0.0.1 local.foo.com
::1 local.foo.com
While it was stated that no proxy is being used, I have had the same issue on OS X while using a proxy and the eventual solution was to add a proxy-exception for this domain.
What the OP could try is turn off async DNS via command-line switch as
mentioned here in 2015:
Async DNS: Remove toggle from about:flags
Async DNS is fairly stable at the moment, so we don't really need the
toggle in about:flags anymore. (Note that the --enable-async-dns and
--disable-async-dns command-line flags will still work for now.)
This, however, seems to have no effect in my case, as chrome://net-internals/#dns still displays the internal DNS-client as enabled with no obvious way to turn it off.
Had a similar issue working from a windows based server that had proxy settings. In the proxy advanced settings there are 2 options that can help. Ignore proxy setting for local hosts which is a check box; as well as a list of addresses set off my semi-colons where you can except out certain IP destinations. This fixed my issue.
For me
chrome://net-internals/#sockets
Flush socket pools work wonder, credit: https://superuser.com/a/611712
I'm trying to decrypt SSL packages with Wireshark as described here. I have already created a SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10), and opened https urls with Chrome and Firefox, but none write to the ssl log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how can I make any of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?
You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:
set environment variable e.g. SSLKEYLOGFILE to %USERPROFILE%\sslkeysENV.pms
run chrome with argument e.g.:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms
With Firefox the features seems to be disabled by default and is only available in debug builds. With Chrome this might have been vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).
Update: according to #Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.
I have solved it!
You MUST be sure chrome totally be closed. And then reopen a fresh new chrome instance.
Chrome has a default options let chrome run in background enabled.
Double check your taskbar of windows or processes lists to make sure there's no chrome instance exists.
That's why --ssl-key-log-file don't working, chrome stills alive after you click exit button.
Try Firefox Developer edition, the above mentioned feature is turned on by default. I tested yesterday only.
Some antiviruses (like Avast) inject the SSLKEYLOGFILE environment variable into well-known processes like firefox.exe and chrome.exe. If you rename the browser executable file and launch that, then the environment variable won't be overridden.
Try to close your current browsing session, it behave like you just add a new path to PATH, only work from the new session and so on.
Besides what they have already pointed out, I want to show three points that may help. These are tips for Linux (CentOS)
Make sure the file that related to SSLKEYLOGFILE can be written and read, to make sure you can use:
chmod -R 777 sslkey.txt
Make sure your Firefox or Chrome is opened under the same user with the file mentioned, for example under root.
Find some useful comments here
I keep getting this browser (chrome) notification saying
Adobe Flash Player was blocked because it is out of date. Update, Run This Time
If I click run this time it allows me to run any flash content on current page but same notification on new page. If however, I click update plugin it takes me to this Chrome support page. I follow instructions and go to chrome://plugins which give me a url under Adobe Flash Player which is following Download Critical Security Update and as you see this again links me to the Google support page with instructions on how to update and that I've already been on.
I encountered the same issue with Chrome on my Linux system.
Here is my solution for Linux system:
Install chrome 55+, if you have an older version.
Download flash player,
url: http://get.adobe.com/flashplayer/
step 1 - os
choose "linux 64 bit",
step 2 - version
choose "FP xx for linux 64-bit (.tar.gz) - PPAPI",
Download,
Uncompress,
Copy files in the directory into ~/.config/google-chrome/PepperFlash/,
Make it executable via: chmod +x libpepflashplayer.so
Append parameter to chrome's start command,
Where is the command:
(1) for icon,
right click icon -> properties, there is "command" input,
(2) for shortcut,
config the shortcut,
The parameter to append is:
--ppapi-flash-path=/home/eric/.config/google-chrome/PepperFlash/libpepflashplayer.so
e.g.
/usr/bin/google-chrome-stable %U --ppapi-flash-path=/home/eric/.config/google-chrome/PepperFlash/libpepflashplayer.so
Restart chrome,
Now the flash should work.
I assume you have solved your issue by now, but for the benefit of others: Flash is now provided as a so-called component and updated separately from the main Chrome application. I would therefore suggest first checking chrome://components and manually check for an update there.
By the way, the same is true for the Widevine DRM component, which if not up-to-date may stop Netflix, etc. from running.
I know how to enable chrome's crash reporting interactively:
Menu > Settings > Show advanced settings > Tick "Automatically send usage statistics and crash reports to Google"
However, I'm using chrome in an automated testing setup where we set a new --user-data-dir for each run (so there are no persisted settings, we just get the defaults). Chrome is crashing occasionally (running our javascript/html application) and I would like to be able to report these crashes.
I thought I could add --enable-crash-reporter (according to the List of Chromium Command Line Switches), but that doesn't seem to do anything. (We already pass --enable-logging and a couple other flags on the command line.)
I have a test that triggered an "Aw, Snap":
But if I download the user-data-dir for that run and and point chrome at it, and then visit chrome://crashes, it says crash dumps are not enabled.
(The chrome_debug.log does not say anything about the Aw-Snap either.)
We're running chrome under Xvfb on Debian. We're driving chrome via the direct webdriver (from Protractor).
According to the "crashpad with content shell" docs, the steps for using crashpad with content shell (a stripped down version of Chrome):
Create some directory for your crash dumps to go to (the docs suggest tmp/crashes on Linux and Mac, %TEMP%\crashes on Windows, and /data/local/tmp/crashes on Android)
Start Chrome with --enable-crash-reporter --crash-dumps-dir=<your_dump_dir> (looks like you got half of this)
So I'd try adding the --crash-dumps-dir flag.
Using Google Chrome 38.0.2125.111 m in a Windows 7 environment. It is launched by a batch file & set to go to a specific (internal) URL. The Windows environment is going to be locked down, permitting only a handful of options available to the user.
Chrome is being used because IE will be accessing a different site. Without going into boring detail, using both sites on a single browser allowed a user to access an account that wasn't theirs. Both browsers will be launched using one of two batch files. The Chrome batch file supplies the username & password to bypass a login screen on that application.
To keep from opening multiple windows in Chrome, the following batch file is used:
taskkill /f /t /im chrome.exe > NUL
ping -n 3 127.0.0.1 > NUL
START /max chrome "http://myinternalwebsite?uid=x&pwd=y"
Taskkill is used to close chrome (/f = force /t = terminates process & any child ones /im = image name).
If the Chrome session is closed (using the X at the upper right corner of the screen), the batch file works fine. However, if there is already a chrome instance running, we get the yellow bar with the frowning folder & a message saying:
Google Chrome didn't shut down correctly. To reopen the pages you had
open, click Restore.
I have tried several command line options when launching Google Chrome, but none will keep the message from displaying. Ones I have tried are:
--disable-restore-session-state
--disable-session-crashed-bubble
--incognito
among others. I've experimented with some of the settings in Chrome, but none have (yet) worked. The --incognito option works - sort of. It keeps blocking plugins, one of which is Silverlight - one of the chief components for the website to function. Even though it does get rid of the message, it leaves the site not functioning properly.
The intent on using Taskkill to flush any existing Chrome sessions was to prevent the user opening up a dozen different Chrome instances of the same thing.
Is there any way to keep a user from opening multiple instances of Chrome that won't leave Chrome thinking it didn't close properly? Given the user restrictions, I'm not sure that a script/batch file to edit the Preferences file in the Chrome folder will work. An extension may be an option, but a third party application will not be.
Would appreciate any thoughts or assistance.
Thanks!
Chromium writes exit status into Preferences file. When it starts it writes Preferences file with:
"exited_cleanly": false
and upon clean exit writes Preferences file with:
"exited_cleanly": true
To prevent message about unclean shut down make sure that you have "exited_cleanly": true written in your Preferences file
On my Linux kiosk running on Raspberry Pi this sed command line added to /etc/rc.local fixes issue permanently:
sed -i 's/exited_cleanly\":\ false/exited_cleanly\":\ true/g' /home/pi/.config/chromium/Default/Preferences