Solution
- Go to This PC, 'right click' on an empty space then select Properties.
- Select 'Advanced system settings'.
- Select 'Environment Variables'.
- Select 'New', then type 'SSLKEYLOGFILE' in the 'Variable Name' field. For the 'Variable Value', first create a file in any location and give it any preferred name, for example 'sslkeysENV.pms'. In this example, the location selected is 'C:\Users\Administrator\Desktop\'. If the file does not already exist, it will be created automatically when it is first needed. Next, in the 'Edit User Variable' dialog box, select 'Browse File' and select the file 'sslkeysENV.pms' as shown in the screenshot below.
- Select 'OK' until all recent window prompts have been closed.
- Start the capture. Do this directly with Wireshark on the client, or start it from the FortiGate and set filters under GUI -> Network -> Packet Capture.
Note: Always perform captures on the interface closest to the client. When proxy features are used on the FortiGate, the keys used between the client and the FortiGate and between the FortiGate and the server are different, so the keys logged by the browser only decrypt the client-side session.
Note 2: Make sure to restart the browser before any captures are started. The file should now contain lines of hexadecimal secret strings, one set per TLS session.
- Generate TLS/SSL traffic by visiting any website, then download the capture and open it in Wireshark. Google Chrome is recommended for this, but any browser or application that supports the SSLKEYLOGFILE variable can be used. This includes current versions of Chrome, Firefox, and Edge, as well as many third-party applications.
- Download the capture from the FortiGate if needed. After opening the capture in Wireshark, go to Edit -> Preferences.
- Under 'Protocols', locate and select 'TLS' (Transport Layer Security).
- Under '(Pre)-Master-Secret log filename', select 'Browse' and choose the TLS key file, then select 'OK'.
At this stage, Wireshark should display the decrypted TLS/SSL traffic.
If issues occur, open a case with the TAC team for further assistance.
When providing files to Fortinet TAC, provide both the key file and the requested capture. Keep in mind that all of the captured traffic in the pcap may be decrypted with that key file.
- Remember to remove the environment variable after troubleshooting for security reasons: while it is set, every supporting application keeps writing its session secrets to that file.
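Before attaching the key file to a capture or a TAC case, it helps to confirm that the browser actually wrote usable entries (Note 2 above). The following added example, which is not Fortinet's or Wireshark's code, parses the key log format that SSLKEYLOGFILE produces, flags malformed lines, and counts the TLS 1.2 and TLS 1.3 sessions the file can decrypt; the sample contents and hex values are constructed placeholders.

```python
import re
from collections import defaultdict

# Labels browsers write: TLS 1.2 uses CLIENT_RANDOM, TLS 1.3 uses per-phase secrets.
TLS12 = {"CLIENT_RANDOM"}
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# Each entry: <label> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return (sessions, errors): sessions maps client random -> set of labels seen."""
    sessions, errors = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are permitted in the format
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed entry")
            continue
        label, client_random, secret = m.groups()
        if label not in TLS12 | TLS13:
            errors.append(f"line {lineno}: unknown label {label}")
        elif label in TLS12 and len(secret) != 96:
            errors.append(f"line {lineno}: master secret must be 48 bytes")
        elif len(secret) % 2:
            errors.append(f"line {lineno}: odd-length hex secret")
        else:
            sessions[client_random.lower()].add(label)
    return dict(sessions), errors

def summarize(text):
    """Count decryptable sessions: TLS 1.2 needs CLIENT_RANDOM, TLS 1.3 both traffic secrets."""
    sessions, errors = parse_keylog(text)
    tls12 = sum("CLIENT_RANDOM" in s for s in sessions.values())
    tls13 = sum({"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= s
                for s in sessions.values())
    return {"tls12": tls12, "tls13": tls13, "errors": errors}

# Constructed sample file contents; the hex values are placeholders, not real secrets.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by a browser",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "01" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "02" * 32,
    "CLIENT_RANDOM " + "ff" * 32 + " " + "ff" * 10,  # truncated: flagged, not counted
])
```

Run `summarize(open(path).read())` against the real key file; a result with zero sessions means the browser was not restarted after the variable was set, or the variable was set for a different user.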