Decoding TLS 1.3 handshake with Wireshark

Follow these steps to decode encrypted handshake messages using Wireshark. I used a Chrome browser on my Mac for this.

1. Open Terminal on your Mac and set the environment variable SSLKEYLOGFILE

export SSLKEYLOGFILE="/Users/<account_name>/keyfile"

2. Open Wireshark on your Mac and start a capture (use the latest version of Wireshark; I used Version 3.4.6 here)

3. Open Chrome from the same terminal you used to set the environment variable

open -a "Google Chrome"

4. Use Chrome to open www.youtube.com and start streaming

5. Once Wireshark has captured enough packets, you can stop the capture

6. In the Wireshark application, navigate to Preferences

Wireshark → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename

Click Browse... and point it to the key file from step 1

/Users/<account_name>/keyfile

Wireshark can now decode the TLS/QUIC handshake.
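
An added example, not part of the original post: a Python check to run on the key file before pointing Wireshark at it. It parses the NSS key log format that SSLKEYLOGFILE produces, reports which sessions carry the TLS 1.3 handshake secrets needed to decode the handshake, and flags a key file that other accounts can read. The function names and the sample data are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# NSS key log labels; each line is "<label> <32-byte client random hex> <secret hex>".
HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
APPDATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: set of labels}, [line numbers that failed to parse])."""
    sessions, bad = defaultdict(set), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and comments are legal
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append(n)
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    return dict(sessions), bad

def classify(labels):
    """Say what Wireshark can decrypt for one session, given the labels logged."""
    if HANDSHAKE <= labels:
        return "tls13-full" if APPDATA <= labels else "tls13-handshake-only"
    if "CLIENT_RANDOM" in labels:               # TLS 1.2 master secret entry
        return "tls12"
    return "incomplete"

def summarize(text):
    sessions, bad = parse_keylog(text)
    counts = defaultdict(int)
    for labels in sessions.values():
        counts[classify(labels)] += 1
    return dict(counts), bad

def readable_by_others(path):
    """True if group or other permission bits are set on the key log file."""
    return bool(os.stat(path).st_mode & 0o077)

# Constructed sample: repeated bytes, not real secrets.
CR1, CR2, CR3 = "a1" * 32, "b2" * 32, "c3" * 32
SAMPLE = "\n".join(
    [f"{label} {CR1} {'11' * 32}" for label in sorted(HANDSHAKE | APPDATA)]
    + [f"CLIENT_RANDOM {CR2} {'22' * 48}",
       f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR3} {'33' * 32}",
       "SERVER_HANDSHAKE_TRAFFIC_SECRET truncated"])
```

Run `summarize()` on the contents of /Users/<account_name>/keyfile after step 5. If no session comes back as tls13-full or tls13-handshake-only, Wireshark has no handshake secrets to work with, which usually means Chrome was not started from the terminal where SSLKEYLOGFILE was set.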
