| Description | This article describes how to decrypt SSL/TLS traffic using a Windows machine. |
| Scope |
All FortiGate models and FortiOS firmware versions. Tested on Windows Server 2016 and Windows 11 Pro. |
| Solution |
1) Go to This PC, 'right click' on an empty space then select Properties.
2) Select 'Advanced system settings'.
3) Select 'Environment Variables'.
4) Select New, then type 'SSLKEYLOGFILE' for the Variable Name field. Next, in the ‘Edit User Variable’ dialog box, select 'Browse File' and select the file ‘sslkeysENV.pms’ as shown in the screenshot below:
5) Select 'OK' until all recent window prompts have been closed.
6) Start capture and enable filters under GUI -> Network -> Packet Capture.
 7) Generate TLS/SSL traffic by visiting any website, then download the capture and open it in Wireshark. It is recommended to use the Google Chrome browser for this.
8) After opening the capture on Wireshark, go to Edit -> Preferences.
 9) Under 'Protocols', check and then select 'TLS' (Transport Layer Security).
 10) Under '(Pre)-Master-Secret log filename', select 'Browse' then choose the TLS key file. After, select 'OK'.
At this stage, the decryption of TLS/SSL will have completed successfully.
If issues occur, open a case with the TAC team for further assistance. |
