[GH-ISSUE #552] Is SSLKEYLOGFILE functionality possible for TLS decoding in wireshark? #402

Closed
opened 2026-02-25 21:34:56 +03:00 by kerem · 2 comments

Originally created by @smitgd on GitHub (Feb 11, 2022).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/552

💬 Question

I was wanting to look at the TLS encoded IMAP (and in the future JMAP) transactions sent in wireshark like you can do with thunderbird with env var SSLKEYLOGFILE. I haven't found a way to have a keylog file be written by cypht or its components (apache, php etc). I'm currently using apache as webserver.

I did find this method but nothing gets saved to the keylog file except the comment line `# Automatically generated by sslkeylog.py`: https://stackoverflow.com/questions/66995564/php-fpm-and-sslkeylogfile-issue

Or maybe there is an internal cypht generated log that shows the cleartext packets sent and received from the server?
kerem closed this issue 2026-02-25 21:34:56 +03:00

@smitgd commented on GitHub (Feb 14, 2022):

I did get the method above to sort-of work but it only seemed to work for TLSv1.2 and not 1.3. I don't know if I'm missing something but it appeared that the required package php-fpm was actually not being used by default. To get it to be used I did as described here: [video link](https://www.youtube.com/watch?v=Z1nFb4kvuJk). Then on restart of apache2 the keys were written to the file after I run this:

```
sudo SSLKEYLOGFILE=<path-to>/premaster.txt gdb -batch -ex skl-batch -p `pidof php-fpm7.4`
```

Since this uses breakpoints on the source code and was determined before TLSv1.3 was in use, it doesn't output the correct stuff unless TLSv1.2 or earlier is in use. I tried to force the usage of no higher than 1.2 by several methods but it never worked and 1.3 was still used. And, even on imap servers supporting only TLSv1.2, the decryption was sometimes not done.

Looking again I found this: https://github.com/scrapy/scrapy/issues/4368 which references a git repo https://git.lekensteyn.nl/peter/wireshark-notes and describes building a libsslkeylog.so. It mostly talks about running programs like curl or "scrapy" from a script which isn't really what I need. But it references this which gives a lot more details: [Extracting openssl pre-master secret from apache2](https://security.stackexchange.com/questions/215358/extracting-openssl-pre-master-secret-from-apache2/215397#215397). Of course, instead of apache, the target is php-fpm. Using this method the correct keys are written to the premaster.txt file (pointed to by env var SSLKEYLOGFILE) and, when set in wireshark, enables complete decoding of the TLS versions including 1.3.
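The comment above found that the gdb breakpoint method leaves a key log Wireshark can only use for TLS 1.2, while the keylog-callback approach (libsslkeylog.so) writes the per-secret lines TLS 1.3 needs. The following checker is added here and is not part of the issue, of Cypht, of Wireshark or of the wireshark-notes repository: it reads a key log in the NSS Key Log Format that Wireshark expects and reports, per session, whether the file holds a TLS 1.2 master secret, a complete set of TLS 1.3 traffic secrets, or only some of them, plus any lines Wireshark would skip. The label set and field lengths are those documented for the format; the sample key log in the block is constructed.

```python
"""Sanity-check an SSLKEYLOGFILE before handing it to Wireshark.

Added example for this thread, not code from Cypht, Wireshark or
wireshark-notes. Assumes the NSS Key Log Format labels Wireshark reads;
the sample key log below is constructed.
"""
from collections import defaultdict

# TLS 1.2 and earlier: one line per session carries the master secret.
TLS12_LABELS = {"RSA", "CLIENT_RANDOM"}
# TLS 1.3: one line per derived secret, all keyed by the client random.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Without all four of these a TLS 1.3 session cannot be fully decrypted.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_hex(value, *byte_lengths):
    """True if value is hex and decodes to one of the given byte lengths."""
    return set(value) <= HEX_DIGITS and len(value) in {2 * n for n in byte_lengths}


def parse_keylog(text):
    """Return (sessions, problems).

    sessions maps a session id (the client random, or the encrypted
    pre-master prefix for RSA lines) to the set of labels seen for it;
    problems lists (line_number, reason) for lines Wireshark would ignore.
    """
    sessions = defaultdict(set)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 'LABEL <hex> <hex>'"))
            continue
        label, session_id, secret = parts
        if label == "RSA":
            ok = is_hex(session_id, 8) and is_hex(secret, 48)
        elif label == "CLIENT_RANDOM":
            ok = is_hex(session_id, 32) and is_hex(secret, 48)
        elif label in TLS13_LABELS:
            # secret length follows the suite's hash: SHA-256 or SHA-384
            ok = is_hex(session_id, 32) and is_hex(secret, 32, 48)
        else:
            problems.append((lineno, f"unknown label {label!r}"))
            continue
        if not ok:
            problems.append((lineno, f"malformed {label} entry"))
            continue
        sessions[session_id.lower()].add(label)
    return dict(sessions), problems


def classify(sessions):
    """Map each session id to 'tls12', 'tls13' or 'tls13-incomplete'."""
    result = {}
    for session_id, labels in sessions.items():
        if labels & TLS12_LABELS:
            result[session_id] = "tls12"
        elif TLS13_REQUIRED <= labels:
            result[session_id] = "tls13"
        else:
            result[session_id] = "tls13-incomplete"
    return result


# Constructed sample: a TLS 1.2 line of the kind the gdb method writes,
# a complete TLS 1.3 session, a partial one, and three lines Wireshark skips.
CR12, CR13_FULL, CR13_PART = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# Automatically generated by sslkeylog.py",
    f"CLIENT_RANDOM {CR12} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13_FULL} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13_FULL} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR13_FULL} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR13_FULL} {'ee' * 32}",
    f"EXPORTER_SECRET {CR13_FULL} {'ff' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13_PART} {'12' * 48}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13_PART} {'34' * 48}",
    "CLIENT_RANDOM deadbeef",                      # too few fields
    f"CLIENT_RANDOM {'44' * 32} {'55' * 10}",      # secret has the wrong length
    f"SOME_OTHER_LABEL {'66' * 32} {'77' * 32}",  # label Wireshark does not know
])


def check_sample():
    """Run the checker over the constructed sample."""
    sessions, problems = parse_keylog(SAMPLE_KEYLOG)
    return classify(sessions), problems


if __name__ == "__main__":
    summary, issues = check_sample()
    for sid, kind in summary.items():
        print(f"{sid[:16]}...  {kind}")
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
```

Point it at premaster.txt before loading the file into Wireshark: a log that contains only CLIENT_RANDOM lines is exactly why TLS 1.3 sessions stay encrypted, and a session tagged tls13-incomplete means the process exited or the callback was hooked after part of the handshake had already run. The file holds live session secrets, so keep it on the capturing host with restrictive permissions and remove it once the debugging is finished.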

@smitgd commented on GitHub (Feb 23, 2022):

Cypht/Cyrus works OK with unencrypted http with JMAP so actually I didn't need to decode the TLS. (The JMAP RFC says it MUST be sent with TLS/https.)
