Decoding the TLS 1.3 handshake with Wireshark
Follow these steps to decode encrypted handshake messages using Wireshark. I used a Chrome browser on my Mac for this.
1. Open 'Terminal' on your Mac and set the environment variable SSLKEYLOGFILE
export SSLKEYLOGFILE="/Users/<account_name>/keyfile"
2. Open Wireshark on your Mac and start a capture (use the latest version of Wireshark; I used version 3.4.6 here)
3. Open Chrome from the same terminal you used to set the environment variable, so that it inherits SSLKEYLOGFILE
open -a "Google Chrome"
4. Use Chrome to open www.youtube.com and start streaming
5. Once Wireshark has captured enough packets, you can stop the capture
6. In Wireshark, navigate to the preferences
Wireshark → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename
Click Browse... and point it to the file you set in step 1
/Users/<account_name>/keyfile
Wireshark can now decode the TLS/QUIC handshake.
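A check worth running on the key file before step 6, added here as an example and not part of the original post: it counts, per client random, how many TLS 1.3 sessions logged both handshake traffic secrets, which is what Wireshark needs to decrypt the handshake messages rather than only the application data. It assumes the NSS key log format that Chrome writes; the function names and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# NSS key log line format: <LABEL> <client_random: 64 hex> <secret: hex>

# keylog_summary FILE -> one line of counters, keyed per client_random
keylog_summary() {
    awk '
    /^#/ || NF == 0 { next }                       # comments, blank lines
    NF != 3 || length($2) != 64 || $2 !~ /^[0-9A-Fa-f]+$/ || $3 !~ /^[0-9A-Fa-f]+$/ {
        malformed++; next                          # truncated or corrupt line
    }
    $1 == "CLIENT_RANDOM" { tls12[$2] = 1; next }  # TLS 1.2 master secret
    $1 == "CLIENT_HANDSHAKE_TRAFFIC_SECRET" { seen[$2] = 1; chs[$2] = 1; next }
    $1 == "SERVER_HANDSHAKE_TRAFFIC_SECRET" { seen[$2] = 1; shs[$2] = 1; next }
    $1 ~ /^(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET)$/ {
        seen[$2] = 1; next                         # other TLS 1.3 secrets
    }
    { other++ }                                    # label not tracked here
    END {
        # full = both handshake secrets present, so the handshake is decodable
        for (r in seen) { if ((r in chs) && (r in shs)) full++; else partial++ }
        for (r in tls12) n12++
        printf "tls13_full=%d tls13_partial=%d tls12=%d malformed=%d other=%d\n",
               full, partial, n12, malformed, other
    }' "$1"
}

# write_sample_keylog FILE -> constructed sample (made-up values, not real secrets)
write_sample_keylog() {
    r1=$(printf '%064d' 1); r2=$(printf '%064d' 2); r3=$(printf '%064d' 3)
    s=$(printf '%064d' 7)
    {
        echo "# constructed sample"
        echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $r1 $s"
        echo "SERVER_HANDSHAKE_TRAFFIC_SECRET $r1 $s"
        echo "CLIENT_TRAFFIC_SECRET_0 $r1 $s"
        echo "SERVER_TRAFFIC_SECRET_0 $r1 $s"
        echo "CLIENT_TRAFFIC_SECRET_0 $r2 $s"
        echo "CLIENT_RANDOM $r3 $(printf '%096d' 9)"
        echo "SERVER_HANDSHAKE_TRAFFIC_SECRET abcd"
    } > "$1"
}
```

Run `keylog_summary "$SSLKEYLOGFILE"` after step 5; if `tls13_full` is 0, the capture most likely started after the handshakes completed or Chrome was not launched from the terminal that exported the variable.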