I'm trying to decrypt SSL packages with Wireshark as described here. I have already created an SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10), and opened https urls with Chrome and Firefox, but none write to the ssl log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how I can make either of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?
You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:
set environment variable e.g. SSLKEYLOGFILE to %USERPROFILE%\sslkeysENV.pms
run chrome with argument e.g.:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms
With Firefox the feature seems to be disabled by default and is only available in debug builds. With Chrome this might have vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).
Update: according to #Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.
I have solved it!
You MUST be sure Chrome is totally closed, and then reopen a fresh new Chrome instance.
Chrome has a default option enabled that lets Chrome run in the background.
Double check your Windows taskbar or process list to make sure no Chrome instance exists.
That's why --ssl-key-log-file isn't working: Chrome is still alive after you click the exit button.
Try Firefox Developer edition, the above mentioned feature is turned on by default. I tested yesterday only.
Some antiviruses (like Avast) inject the SSLKEYLOGFILE environment variable into well-known processes like firefox.exe and chrome.exe. If you rename the browser executable file and launch that, then the environment variable won't be overridden.
Try to close your current browsing session. It behaves like when you just add a new path to PATH: it only works from the new session on.
Besides what they have already pointed out, I want to show three points that may help. These are tips for Linux (CentOS)
Make sure the file that SSLKEYLOGFILE points to can be written and read. To make sure, you can use:
chmod -R 777 sslkey.txt
Make sure your Firefox or Chrome is opened under the same user as the file mentioned, for example under root.
Find some useful comments here
My operating system is Windows 10 64 bits. I use the latest versions of Firefox and Chrome.
I want to save the pre-master keys in order to use them with WireShark.
For this, I have found many tutorials that all recommend using the SSLKEYLOGFILE environment variable.
However, no matter the path I put in this variable, no file is being created by Firefox (normal and developer editions) or Chrome. This is true even when I restart those browsers or the operating system. This is also true when I clear the cache on the browsers.
I found an alternative way of setting the SSLKEYLOGFILE variable with Chrome by launching the browser with the following argument:
--ssl-key-log-file=PATH
And while this argument does create a log file, it is never populated. It remains completely empty.
What makes this problem even more annoying is that I don't know if there's any debug log that would at least let me know what's happening.
Anyone have ideas on how to solve this issue?
Verified in both Chrome and Firefox
Windows 10 64bit [Version 10.0.17763.379]
I would not use the --ssl-key-log-file flag with Chrome. In my testing, it does not have an effect.
Steps to get SSL keylog file
Change your directory to one that you or your programs have access to. I am using the Desktop folder.
C:\> cd $HOME\Desktop
Set the SSLKEYLOGFILE variable. This sets it for the user (HKCU). To set it for the machine (HKLM), add the /m flag to the end of the command.
PS C:\Users\rj\Desktop> SetX SSLKEYLOGFILE "$(get-location)\ssl.log"
Verify that the variable has been set in a separate powershell window (SetX does not apply to the current window).
PS C:\Users\rj\Desktop> Get-ChildItem ENV: | findstr SSLKEYLOGFILE
SSLKEYLOGFILE C:\Users\rj\Desktop\ssl.log
You can also verify that SSLKEYLOGFILE is a user variable by going to the Control Panel > System and Security > System > Advanced System Settings > Advanced tab > Environment Variables > User Variables. You should see a listing like the powershell example where the value is a directory.
Open Chrome/Firefox and go to an https website like https://stackoverflow.com.
You should see an ssl.log show up on your desktop.
Further Reading
2018-12-07, F5, Decrypting SSL traffic: Great article on doing the above, but cross-platform
2019-03-18, Mozilla, NSS Key Log Format: The SSLKEYLOGFILE format
2018-08-17, Wireshark Bugzilla, Add TLS 1.3 support: Has good test pcap/SSLKEYLOGFILE contents for TLS1.3 (See Comment 83)
You mentioned that you are using Wireshark. If you are using it to export a file from a TLS-encrypted stream in a capture, this article may help you.
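An added example, not part of the posts above or of any project's code: a Python check for the NSS Key Log Format listed under Further Reading, which tells an empty or malformed SSLKEYLOGFILE apart from one that contains usable secrets. The function name `check_keylog` and the sample lines are constructed for illustration; the labels and field sizes follow the NSS format.

```python
import re
from collections import Counter

# label -> (bytes in 2nd field, allowed secret sizes in bytes), NSS Key Log Format
LABELS = {"RSA": (8, (48,)), "CLIENT_RANDOM": (32, (48,))}          # TLS <= 1.2
LABELS.update({name: (32, (32, 48)) for name in (                   # TLS 1.3
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET")})
HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")   # whole hex-encoded bytes


def check_keylog(text):
    """Return (Counter of valid labels, list of problems) for key log contents."""
    counts, problems = Counter(), []
    for num, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {num}: expected 3 fields, got {len(parts)}")
            continue
        label, ident, secret = parts
        if label not in LABELS:
            problems.append(f"line {num}: unknown label {label}")
            continue
        ident_len, secret_sizes = LABELS[label]
        if not HEX.fullmatch(ident) or len(ident) // 2 != ident_len:
            problems.append(f"line {num}: bad identifier field for {label}")
        elif not HEX.fullmatch(secret) or len(secret) // 2 not in secret_sizes:
            problems.append(f"line {num}: bad secret length for {label}")
        else:
            counts[label] += 1
    if not counts:
        problems.append("no usable secrets: nothing for Wireshark to decrypt with")
    return counts, problems


# Constructed sample with fake secrets; the last line is deliberately truncated.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "12" * 32 + " " + "34" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "56" * 20,
])

if __name__ == "__main__":
    counts, problems = check_keylog(SAMPLE)
    print(dict(counts), problems)
```

To check a real log, pass the file's text to `check_keylog`; an empty result with the "no usable secrets" problem matches the symptom of a log file that is created but never populated.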
One thing I ran into is: Chrome doesn't always fully close when you close the window. Sometimes it stays open in the background. Use the Windows Process Explorer to list all the processes and make sure Chrome is closed. Also, after restarting Chrome, you can double click on it in Process Explorer and select the Environment tab to list all the variables set in its environment. Make sure SSLKEYLOGFILE is shown in that list. Then Chrome will be sending keys to the specified file.
First of all, the problem is that the browsers are protected better and that flaw is patched; that's why you can't capture any SSL. I don't know the details. But Chrome running with the --no-sandbox (Linux) option on will enable you to capture the SSL/TLS key without any issues from the first try, so you can play with decryption of packets. Never tried on Windows btw.
This worked for me...
set the SSLKEYLOGFILE env variable as normal in Linux.
just point it to your preferred save location of the sslkey.log
windows system/advance/env vars/user variables.
add SSLKEYLOGFILE with the path to your preferred save location C:/user/sslkey.log
close and you're done here.
NSS_ALLOW_SSLKEYLOG=1 is what's missing from the Booleans in Firefox's advanced options.
it's also been removed from the general release but is still in the dev ops version. just not listed.
download and install the dev ops version of Firefox
open a terminal start it from its exe if on Linux.
windows just open it from the icon.
go to the about:config
create a new Boolean with NSS_ALLOW_SSLKEYLOG=1 and set it to true.
quit
now create a new symbolic/icon link to the new dev version of Firefox
when you run Firefox from the terminal in Linux the sslkeylog should be created and start populating.
run it from the task bar icon in Linux and it doesn't make or update the keylog (just in case you don't want it populating every time you open the browser).
in windows, you will have to disable the env var or it will keep populating every time you open any browser that supports sslkey logging.
on that note opera and vivaldi should work with no changes to the advanced option.
lastly.. open wireshark go to
edit/preferences/protocols/tls
and put the path to the sslkey.log in the pre master secret log box.
click ok.
close everything..
start Wireshark
start your browser (from terminal in linux).
you should start seeing sslkeylog start populating and see extra options for decryption in the tabs of Wireshark.
have fun :)
1st solution:
Restart Chrome
2nd solution:
Use Firefox
Today (Mar, 15, 2016) chrome stopped working with the --disable-web-security flag. I have tried the following options described in various posts:
1) Kill all instances of Chrome.exe in the windows task manager.
2) add the --use-data-dir flag, there is a current post regarding this, but the answers there do not work anymore
Here is my script I am using:
start chrome.exe --disable-web-security --allow-running-insecure-content --use-data-dir=c:/temp/chrome_dev
Chrome opens under this script with the disable security warning but localhost cross domain calls still fail:
I have solutions that are using --disable-web-security.
Finally I found a solution. Now Chrome will only accept it if you set --user-data-dir together with it.
You will have different instances when you use it.
Try it:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:\chrome"
For linux
google-chrome --user-data-dir="/var/tmp/Chrome" --disable-web-security
I suggest a temp directory
Just for OS X user, this worked for me (on El Capitan): /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --user-data-dir="<some-dir>"
Also works on Yosemite 10.10.5. Please note that --user-data-dir may no longer be left empty. You have to specify some dir.
This doesn't work anymore, since Chrome 80. You have to specify a non-default --user-data-dir to make it work now.
Original answer:
You can use your existing data dir, if you don't want to create a new one.
So on Linux the command to start unsafe Chrome will be something like this:
google-chrome --user-data-dir=/home/<your username>/.config/google-chrome --disable-web-security
But don't use this Chrome instance for anything except development or debugging, since it's open for a vast amount of web attacks.
This works with chrome 61 too for me -
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
Update: I have found a permanent solution for this disable web security issue.
step 1: create 1 chrome app shortcut on desktop and rename it anything like "disabled-security.exe"
step 2: right click on icon and go to properties => change target input box to something like following eg. and save it.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-site-isolation-trials --user-data-dir=c:\chromeSession
step 3: launch this app, it will work fine as expected
Note: every time, you need to clear the folder "c:\chromeSession" before opening this app
Do not disable web security. You're opening your accounts to attacks and your local files to being stolen.
Instead use a simple web server. It will take you all of 2 minutes to install and use. Here's one with a gui, and here's several more that run from the command-line
We have google chrome extension that needs to be used inside our organization. We have domains there.
Based on enterprise options the easiest approach for us is to host it on some internal web server, and then add the address of that internal site as the ExtensionInstallSources option to users' PCs via Group Policies, but this doesn't work for me.
I've tried both registry and local Group Policy changes by adding Google Chrome adm\admx files.
Here is my registry change:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallSources]
"1"="http://localhost/*"
When I'm checking chrome://policy - it displays that it loaded these settings. But when I open http://localhost/myextension.crx - Chrome still displays an error that the extension can't be installed from there...
I'm using 47.0.2526.106 m (64-bit) under Windows 8.1 Enterprise (x64)
What am I doing wrong here?
I have a more complicated option to download the Chrome source\pdbs, and then try to debug it to get an understanding of why it's not working, but it may take a lot of time, as Chrome can compile for a couple of hours on Windows at first build....
So apparently this registry change just wasn't enough. After debugging the Chrome source I found why it doesn't work for me. I missed:
The referer MUST be present and it also should be whitelisted. So if I open the url for my extension by direct link, then as the referer is missing - it won't install it. (Oh Chrome, at least you could say so with a message about it...). If I have a web page that has a link to that extension, and it's also whitelisted, then it will work fine.
The second missed point was that the extension id MUST be present in ExtensionInstallWhitelist, otherwise Chrome will install it and after a 2-3 second delay will disable it. But if you have listed it under ExtensionInstallWhitelist, then it will be fine.
So my final registry change for localhost is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallSources]
"1"="http://localhost/*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1"="fhojekmcngnmkdbcoegjdlojgfngkpak"
I found it after long debugging in ExtensionManagement class - https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/extensions/extension_management.cc&q=ExtensionManagement::IsOffstoreInstallAllowed&sq=package:chromium&type=cs&l=148
I know how to enable chrome's crash reporting interactively:
Menu > Settings > Show advanced settings > Tick "Automatically send usage statistics and crash reports to Google"
However, I'm using chrome in an automated testing setup where we set a new --user-data-dir for each run (so there are no persisted settings, we just get the defaults). Chrome is crashing occasionally (running our javascript/html application) and I would like to be able to report these crashes.
I thought I could add --enable-crash-reporter (according to the List of Chromium Command Line Switches), but that doesn't seem to do anything. (We already pass --enable-logging and a couple other flags on the command line.)
I have a test that triggered an "Aw, Snap":
But if I download the user-data-dir for that run and point chrome at it, and then visit chrome://crashes, it says crash dumps are not enabled.
(The chrome_debug.log does not say anything about the Aw-Snap either.)
We're running chrome under Xvfb on Debian. We're driving chrome via the direct webdriver (from Protractor).
According to the "crashpad with content shell" docs, the steps for using crashpad with content shell (a stripped down version of Chrome):
Create some directory for your crash dumps to go to (the docs suggest tmp/crashes on Linux and Mac, %TEMP%\crashes on Windows, and /data/local/tmp/crashes on Android)
Start Chrome with --enable-crash-reporter --crash-dumps-dir=<your_dump_dir> (looks like you got half of this)
So I'd try adding the --crash-dumps-dir flag.
I found the new change that you can't install Chrome extensions/userscripts without saving them and dragging them into Chrome quite annoying. As such I have set forth to revert this to the old way it was.
I read the documentation here: http://www.chromium.org/administrators/policy-list-3#ExtensionInstallSources that says to add a registry key and so I have done, as shown below. However when attempting to install an extension I still get an error that they can only be installed from the Chrome webstore. Did I add the registry entries wrong or something?
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallSources]
"1"="http://*"
"2"="https://*"
This answer is obsolete as of Chrome 36
Instead of editing the registry, you can also make Chrome behave in the old way via the --enable-easy-off-store-extension-install flag.
Under Windows, create a shortcut to your Chrome executable. Then edit the shortcut, and append --enable-easy-off-store-extension-install to "Target". See the screenshot below:
Some observations:
I've added the --enable-easy-off-store-extension-install flag after chrome.exe.
After starting Chrome, I visited a website that links to a .crx file that is not hosted in the Chrome web store.
Because of the flag, Chrome 20 doesn't show the "Extensions, apps, and user scripts can only be added from the Chrome Web Store" message any more. Instead (see bottom), Chrome asks me whether it's OK to install the extension - exactly as before.
This command line switch also works for Chromium/Chrome, under Linux and OSX.
If you ever find yourself in the situation where the --enable-easy-off-store-extension-install flag doesn't work (e.g. future version?) or you don't want to use it, then there is an alternative method.
You can install extensions with a plain vanilla install of Chrome by dragging .CRX extension files onto the Extensions panel in Settings.