We are excited to announce that the wolfSSL sniffer now supports TLS session decryption for recorded TLS traffic using an SSLKEYLOGFILE!
If you didn’t already know about our sniffer tool, it is a utility library built into wolfSSL that can be used to capture and decrypt live traffic or recorded PCAP traces. Previously, the sniffer could only decrypt traffic from sessions where either the static private key (RSA, ECC) or the ephemeral key (DHE, ECDHE) was known and able to be provided to the sniffer at runtime. This required keeping track of the private or ephemeral key files for every session you wanted to sniff, which was cumbersome for packet captures containing a large number of sessions, especially for TLS v1.3 where each session would require a new ephemeral key to decrypt.
If your server or client is able to generate a key log file (which wolfSSL can do with the `--enable-keylog-export` option), you can now simply register this file with the sniffer and the sniffer will be able to decrypt all applicable traffic in your packet capture, regardless of the cipher suite used!
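The key log file registered with the sniffer is a plain text file in the NSS key log format (the same format browsers write when the SSLKEYLOGFILE environment variable is set): one line per secret, `<LABEL> <client_random hex> <secret hex>`, where the 32-byte ClientHello random identifies the session. A TLS 1.2 session is recorded as a single `CLIENT_RANDOM` line carrying the 48-byte master secret, while a TLS 1.3 session needs the handshake and application traffic secrets for both directions. The following is an added example (it is not wolfSSL code and not the sniffer's own parser; the sample entries are constructed and the function names are my own) showing how such a file is indexed by client random and how a decryptor decides, for a given session, whether the log holds enough material to decrypt it. It also shows why the file deserves the same handling as the private keys it replaces: any one line is sufficient to decrypt its session.

```c
#include <stdio.h>
#include <string.h>

#define KEYLOG_MAX_ENTRIES 64
#define KEYLOG_MAX_SECRET  64   /* TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are <= 48 */

typedef struct {
    char          label[40];          /* CLIENT_RANDOM, CLIENT_TRAFFIC_SECRET_0, ... */
    unsigned char client_random[32];  /* ClientHello random: the per-session selector */
    unsigned char secret[KEYLOG_MAX_SECRET];
    size_t        secret_len;
} KeylogEntry;

static KeylogEntry g_entries[KEYLOG_MAX_ENTRIES];
static size_t      g_count;

/* Constructed sample in the NSS key log format; every hex value is made up. */
#define CR_TLS12 "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
#define CR_TLS13 "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
static const char KEYLOG_SAMPLE[] =
    "# constructed sample, not the output of any real session\n"
    "CLIENT_RANDOM " CR_TLS12 " 00112233445566778899aabbccddeeff"
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n"
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " CR_TLS13 " a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"
        "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf\n"
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " CR_TLS13 " b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
        "b0b1b2b3b4b5b6b7b8b9babbbcbdbebf\n"
    "CLIENT_TRAFFIC_SECRET_0 " CR_TLS13 " c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
        "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf\n"
    "SERVER_TRAFFIC_SECRET_0 " CR_TLS13 " d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
        "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf\n"
    "\n"
    "CLIENT_RANDOM abcd 00112233\n"   /* malformed: random is not 32 bytes, skipped */
    "GARBAGE not-hex\n";               /* malformed: too few fields, skipped */

/* Decode hex text into out; returns the byte count, or -1 on bad input. */
static int hex_decode(const char *hex, size_t hex_len, unsigned char *out, size_t out_max)
{
    if (hex_len % 2 != 0 || hex_len / 2 > out_max) return -1;
    for (size_t i = 0; i < hex_len; i += 2) {
        unsigned v = 0;
        for (int k = 0; k < 2; k++) {
            char c = hex[i + k];
            v <<= 4;
            if (c >= '0' && c <= '9')      v |= (unsigned)(c - '0');
            else if (c >= 'a' && c <= 'f') v |= (unsigned)(c - 'a' + 10);
            else if (c >= 'A' && c <= 'F') v |= (unsigned)(c - 'A' + 10);
            else return -1;
        }
        out[i / 2] = (unsigned char)v;
    }
    return (int)(hex_len / 2);
}

/* Parse one "<LABEL> <client_random hex> <secret hex>" line; 1 on success, 0 if skipped. */
static int keylog_parse_line(const char *line, size_t len, KeylogEntry *e)
{
    char buf[512], label[40], crand[129], sec[129], extra[2];
    if (len == 0 || line[0] == '#' || len >= sizeof(buf)) return 0;
    memcpy(buf, line, len);
    buf[len] = '\0';
    /* Exactly three whitespace-separated fields; a fourth token means a malformed line. */
    if (sscanf(buf, "%39s %128s %128s %1s", label, crand, sec, extra) != 3) return 0;
    if (hex_decode(crand, strlen(crand), e->client_random, sizeof(e->client_random)) != 32) return 0;
    int n = hex_decode(sec, strlen(sec), e->secret, sizeof(e->secret));
    if (n <= 0) return 0;
    e->secret_len = (size_t)n;
    strcpy(e->label, label);   /* %39s bounds the label, so it fits */
    return 1;
}

/* Load a whole key log text into the table; returns the number of usable entries. */
size_t keylog_load(const char *text)
{
    const char *p = text;
    g_count = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (g_count < KEYLOG_MAX_ENTRIES && keylog_parse_line(p, len, &g_entries[g_count]))
            g_count++;
        if (!nl) break;
        p = nl + 1;
    }
    return g_count;
}

/* Find the secret for (label, client random) exactly as a decryptor would after seeing a ClientHello. */
const KeylogEntry *keylog_lookup_hex(const char *label, const char *client_random_hex)
{
    unsigned char cr[32];
    if (hex_decode(client_random_hex, strlen(client_random_hex), cr, sizeof(cr)) != 32) return NULL;
    for (size_t i = 0; i < g_count; i++)
        if (strcmp(g_entries[i].label, label) == 0 && memcmp(g_entries[i].client_random, cr, 32) == 0)
            return &g_entries[i];
    return NULL;
}

/* Report which protocol version the log can decrypt for this session:
 * 12 (a master secret is present), 13 (both application traffic secrets are present), or 0. */
int keylog_session_version(const char *client_random_hex)
{
    if (keylog_lookup_hex("CLIENT_RANDOM", client_random_hex)) return 12;
    if (keylog_lookup_hex("CLIENT_TRAFFIC_SECRET_0", client_random_hex) &&
        keylog_lookup_hex("SERVER_TRAFFIC_SECRET_0", client_random_hex)) return 13;
    return 0;
}

int main(void)
{
    printf("usable entries: %zu\n", keylog_load(KEYLOG_SAMPLE));
    printf("session %.8s...: decryptable as TLS 1.%d\n", CR_TLS12, keylog_session_version(CR_TLS12) % 10);
    printf("session %.8s...: decryptable as TLS 1.%d\n", CR_TLS13, keylog_session_version(CR_TLS13) % 10);
    return 0;
}
```

The selector is the client random alone, so one log file can cover any number of sessions and cipher suites, which is what removes the per-session key bookkeeping described above; the two malformed sample lines show that a robust loader skips bad entries rather than aborting on a file that was appended to by several processes.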
To build wolfSSL with the sniffer enabled use the `--enable-sniffer` configure option. To enable key log file support in the sniffer, simply define `WOLFSSL_SNIFFER_KEYLOGFILE`:

```
./configure --enable-sniffer CFLAGS="-DWOLFSSL_SNIFFER_KEYLOGFILE"
```
wolfSSL provides the snifftest demo application that demonstrates how to use the sniffer library to sniff traffic from both live and recorded packet captures. Using the snifftest app to sniff traffic from a packet capture with an associated key log file is as simple as running:

```
# Sniffs traffic from a server at 127.0.0.1 on port 11111
./snifftest -pcap /path/to/your.pcap \
            -keylogfile /path/to/your/keylogfile.log \
            -server 127.0.0.1 \
            -port 11111
```
For more information and examples showing how to get started with the sniffer, please refer to the snifftest demo application and README.