Topic: Export symmetric session keys

Dear developers,

I'm looking for a way to establish a TLS 1.3 connection between a server and a client using WolfSSL, and extract the symmetric session key that the two parties have agreed upon. For example, assuming I use the cipher suite TLS13-AES128-GCM-SHA256, I expect that both parties agreed on a shared symmetric key of 128 bits for AES-GCM.

What API do you recommend to use for exporting this secret? After some investigations, I could see we may register a callback with wolfSSL_set_tls13_secret_cb for secret exportation, but it is unclear if this function really exposes the symmetric key.

I will then later use this ephemeral symmetric key with WolfCrypt for encrypting/decrypting secrets.

Many thanks!


Re: Export symmetric session keys

Hi Keterna,

Welcome to the wolfSSL Forums! Yes, you are on the right track. You'll need to define HAVE_SECRET_CALLBACK to access the wolfSSL_set_tls13_secret_cb API.

Here is a client example that writes the shared secret to a log file, which can then be used to decrypt the packets in wrieshark: … nt-tls13.c

Here is the analogous server example: … er-tls13.c

Could you tell us a bit more about your project? Feel free to email if you'd prefer a less public discussion.

Eric - wolfSSL Support

Come see us at Black Hat in Las Vegas August 9th & 10th, booth #2617!