OpenPrinting / libcups

OpenPrinting CUPS Library Sources
https://openprinting.github.io/cups/cups3.html
Apache License 2.0

libcups: Add interface for logging IPP/HTTP traffic over a http_t connection #8

Open michaelrsweet opened 2 years ago

michaelrsweet commented 2 years ago

Since Wireshark can't decrypt modern TLS traffic (forward secrecy), it would be nice for ipptool to provide a way to log all traffic going over a connection to a file so that the decrypted data is available for analysis.

zdohnal commented 1 year ago

Hi Mike,

I was able to decrypt a TLS connection with Wireshark (3.6.10) + tcpdump with the following steps:

Prereq:

Steps:

$ export SSLKEYLOGFILE=$HOME/Desktop/keylogfile.txt
$ env | grep "SSLKEYLOGFILE"  # has to be defined where you start the command which starts the communication you want to investigate - I made a mistake to run the tcpdump in a different terminal, where the variable wasn't defined
$ sudo tcpdump -s0 -w file.pcap -i any host <printer_ip> &
(reproduce the issue - from the same terminal tab - and end the tcpdump process)
$ ipptool -tv https://192.168.1.1/ipp/print get-printer-attributes.test 

Then go to Wireshark -> Edit -> Preferences -> Protocols -> TLS and put the path from the env variable into the (Pre)-Master-Secret log filename box.

In the end open the captured file in Wireshark and you should see the decrypted packets.

However, this is useless if we want to debug real driverless temporary/permanent queue communication, which always uses ipp or ipps - I've asked Wireshark upstream whether there is a way to tackle it: https://gitlab.com/wireshark/wireshark/-/issues/18825
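
A check for the key log file that the SSLKEYLOGFILE steps in the comment above depend on, added here as an example (not code from the issue or from libcups): it parses the NSS key log format, flags malformed lines, warns when the file of session secrets is accessible to other users, and reports whether any session has enough secrets to decrypt. The function names, the rule that a TLS 1.3 session counts as usable only with all four handshake/traffic secrets, and the sample data are assumptions of this example.

```python
import os
import re
import stat

# Labels from the NSS key log format, which is what SSLKEYLOGFILE contains.
TLS13 = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
         "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN = TLS13 | {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
                 "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

# Constructed sample, not real secrets: TLS 1.2 "aa.." is complete, TLS 1.3 "bb.." is not.
SAMPLE = "\n".join([
    f"CLIENT_RANDOM {'aa' * 32} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'bb' * 32} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'bb' * 32} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'bb' * 32} {'44' * 32}",
    "CLIENT_RANDOM truncated-line",
])

def parse_keylog(text):
    """Return ({client_random: set of labels}, [malformed line numbers])."""
    sessions, bad = {}, []
    for num, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line.strip())
        if m and m.group(1) in KNOWN:
            sessions.setdefault(m.group(2).lower(), set()).add(m.group(1))
        elif line.strip() and not line.lstrip().startswith("#"):
            bad.append(num)
    return sessions, bad

def usable_sessions(sessions):
    """Client randoms with a TLS 1.2 master secret or all four TLS 1.3 secrets."""
    return sorted(cr for cr, lb in sessions.items() if "CLIENT_RANDOM" in lb or TLS13 <= lb)

def check_keylog_file(path):
    """Return a list of problems; an empty list means the file looks usable."""
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return ["missing or empty: was SSLKEYLOGFILE set where the client ran?"]
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("group/other permissions set on a file of session secrets")
    with open(path, encoding="ascii", errors="replace") as fh:
        sessions, bad = parse_keylog(fh.read())
    if bad:
        problems.append(f"malformed lines: {bad}")
    if not usable_sessions(sessions):
        problems.append("no session has a complete set of secrets")
    return problems
```

Call `check_keylog_file(os.environ["SSLKEYLOGFILE"])` after reproducing the issue and before loading the capture into Wireshark.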