0

I follow that guide https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/ to set up Wireshark to decrypt TLS traffic.

I added export SSLKEYLOGFILE=~/.ssl-key.log to ~/.bash_profile on MacOS and now when I start browser like Firefox from same terminal window open -a firefox I see the ssl-key.log file grow in size. However, when I started JMeter also from same terminal window and have run several http samplers with https protocol, ssl-key.log did not grow.

I could not find info on the subject via web search for tls wireshark decrypt jmeter. How to decrypt it? I need not only responses matched to requests which are captured in e.g View Results Tree in JMeter but also technical packets, in particular Encrypted Alert ones.

Alex Martian
  • 3,423
  • 7
  • 36
  • 71

1 Answers1

1

JMeter knows nothing about this SSLKEYLOGFILE environment variable, if you want to capture encrypted traffic originating from JMeter via Wireshark you will need to go for RSA key approach

First you need to get the private key from the website you're testing.

Once done you need to configure protocol dissector using the aforementioned private key in Wireshark - Preferences - Protocols - TLS

enter image description here

Once done you should be able to decrypt the outgoing requests using Wireshark.

If you cannot obtain the RSA private key from the website you're testing you can still attempt to obtain it using JMeter's HTTP(S) Test Script Recorder you need to first generate a MITM proxy keystore and make JMeter aware of this keystore by modifying the following JMeter Properties:

proxy.cert.file=proxyserver.jks
proxy.cert.type=JKS
proxy.cert.keystorepass=mc3VZAuZvgYzt6pIQq3w
proxy.cert.keypassword=BFsghQ0GBN7SxI0HWpkr

Then you need to convert JKS keystore to PKCS12 via i.e. keytool command

keytool -importkeystore -srckeystore proxyserver.jks -destkeystore proxyserver.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass mc3VZAuZvgYzt6pIQq3w -deststorepass mc3VZAuZvgYzt6pIQq3w

Next you can extract encrypted RSA private key from the .p12 keystore:

openssl pkcs12 -in proxyserver.p12 -nocerts -out encrypted.key -password pass:mc3VZAuZvgYzt6pIQq3w -passout pass:mc3VZAuZvgYzt6pIQq3w

And finally decrypt the private key for later use in Wireshark:

openssl rsa -in encrypted.key -out decrypted.key -passin pass:mc3VZAuZvgYzt6pIQq3w

The generated RSA key file can be used in Wireshark

enter image description here

Marinos An
  • 9,481
  • 6
  • 63
  • 96
Dmitri T
  • 159,985
  • 5
  • 83
  • 133
  • Dmitri, thank you. I'm not much into cryptography, maybe you can clarify: 1) does your way make session use single RSA w/out forward secrecy with many random keys? 2) if yes to (1) how many magnitudes longer would it take to make JMeter know about SSLKEYLOGFILE and work with it same way as browsers do (by changing source code of HTTP sampler maybe...)? – Alex Martian Nov 12 '19 at 09:54