mitmproxy: SSL keys not decrypting in Wireshark
And I'm not sure why.
mitmproxy installed with pip on Kali Linux.
Run using $ SSLKEYLOGFILE="$PWD/.mitmproxy/sslkeylogfile.txt" mitmproxy as per https://docs.mitmproxy.org/master/howto-wireshark-tls/
Firefox using FoxyProxy with proxy to 127.0.0.1:8080. Certificate installed.
Wireshark configured to use sslkeylogfile.txt also as per above docs.
And then go.
mitmproxy sees traffic:
SSL key log file adds keys:
And Wireshark captures traffic, but nothing is decrypted:
As would be expected with successful SSL key usage https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/
What am I doing wrong?
Thanks
MitmProxy has at the moment an open issue that prevents writing a correct SSLKEYLOGFILE when TLS 1.3 is used.
Therefore my recommendation would be to disable TLS 1.3 for connections from client to MitmProxy and for connections from MitmProxy to the server. This can be done using the following command-line options:
--set ssl_version_server=TLSv1, TLSv1_1, TLSv1_2
--set ssl_version_client=TLSv1, TLSv1_1, TLSv1_2
See also MitmProxy documentation: https://docs.mitmproxy.org/stable/concepts-options/
Edit: According to the comments in the issue the problem with TLS1.3 should be solved since Mitmproxy version v6.0.0 (released Dec 13, 2020).
- "aborting due to insecure configuration" while configuring TLS on Rust rocket server
- How to wrap net.Conn.Read() in Golang
- " An operation was attempted on something that is not a socket" when I try to add SSL authentication
- Error Importing SSL certificate : Not an X.509 Certificate
- SSL verification error at depth 0: unable to get local issuer certificate (20)
- Keycloak SSL setup using docker image
- Make OpenSSL accept expired certificates
- .NET Framework equivalent of IApplicationBuilder.UseForwardedHeaders()
- Setting up SSL on a local xampp/apache server
- Problem when installing Python from source, SSL package missing even though openssl installed
- NGINX to reverse proxy websockets AND enable SSL (wss://)?
- Is it safe sharing Self-signed certificate to other persons?
- curl - Is data encrypted when using the --insecure option?
- SSL certificate installation on Wildfly server
- Enable SSL for my WCF service
- Gracefully Shutdown TLS connection in C OpenSSL
- Google Chrome localhost | NET::ERR_CERT_AUTHORITY_INVALID
- IntelliJ changes cipher spec after I set it in the properties
- How to change/tweak Python 3.10 default SSL settings for requests - sslv3 alert handshake failure
- SSL peer shut down incorrectly in Java
- TLS/SSL Connection for MQTT in java
- Nginx does redirect, not proxy
- kubectl unable to connect to server: x509: certificate signed by unknown authority
- Android System.err: javax.net.ssl.SSLHandshakeException: Handshake failed
- Error when importing ssl in Python 3.7.4 on macOS 10.14.6
- Can send an SSL message via mosquitto but getting CERTIFICATE_VERIFY_FAILED from python paho script
- How to make Python use CA certificates from Mac OS TrustStore?
- How to set Telegram bot webhook?
- Is there a way to make Firefox ignore invalid ssl-certificates?
- How to establish TLS session in python using PKCS11