FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dhruvin_patel
Article Id 283963
Description This article describes how to decrypt HTTPS traffic on the client using Wireshark. When virtual servers are used on FortiGate, it is sometimes necessary to decrypt the traffic on the client side to isolate an issue further.
Scope Windows Client, FortiGate.
Solution
  1. Ensure that the user on the Windows client has the permissions needed to capture traffic (Npcap, offered by the Wireshark installer, must be installed) and that Wireshark is installed on the client.

  2. Record the TLS session keys on the client. Chrome writes the keys of every TLS session it opens to the file named by the SSLKEYLOGFILE environment variable, and Wireshark uses that file to decrypt the captured traffic.

  3. Close Chrome completely and make sure that all instances are closed. Verify in Task Manager that no chrome.exe process is still running: a process reads its environment variables only when it starts, so a Chrome instance that stays running in the background will never pick up the variable.

  4. Go to Control Panel -> System and Security -> System, select Advanced system settings, select Environment Variables, and create a new variable by selecting 'New' (a user variable is sufficient, since Chrome runs as the logged-in user). Give the variable name and variable value:

Variable name: SSLKEYLOGFILE
Variable value: %USERPROFILE%\Desktop\sslkey.log


  5. Start Wireshark and start a capture on the interface that carries the client's Internet traffic. Start the capture before opening the website: Wireshark can only decrypt a session whose TLS handshake (the ClientHello) is in the capture.
  6. Open Chrome and verify that sslkey.log has been created on the Desktop. If the file does not appear, Chrome was not fully closed before the variable was created; close it again and restart it.


  7. Open the website whose traffic is to be decrypted. In this example, the website '123.net' is used.
  8. Verify that the packets are being captured in Wireshark.


  9. In Wireshark, go to Edit -> Preferences -> Protocols and select TLS (listed as SSL in Wireshark versions before 3.0). Under (Pre)-Master-Secret log filename, browse to the sslkey.log file where it was stored on the PC, then select 'OK'. The same setting can be passed on the command line when starting Wireshark with -o tls.keylog_file:<path to sslkey.log> (ssl.keylog_file on versions before 3.0).


  10. The decrypted traffic is now shown in Wireshark: the TLS records are dissected and the HTTP requests and responses carried inside them appear in the packet list. A session that still shows only 'Application Data' either started before the capture began or has no matching line in sslkey.log.
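Wireshark joins each captured session to the key log by the 32-byte client random in the ClientHello, which is why the capture must include the handshake and why a line for that random must exist in sslkey.log. The following Python script is added here as an example and is not part of the original article or of Wireshark: it parses a key log in the NSS key log format that Chrome writes, reports malformed lines, extracts the client random from a raw ClientHello record, and checks whether the key log covers that session. The ClientHello bytes and the key log lines are constructed samples with placeholder secrets; to use it on a real case, feed it the bytes of a captured ClientHello record and the contents of sslkey.log.

```python
"""Check an SSLKEYLOGFILE (NSS key log format) against a captured ClientHello.

Added example, not part of the original article. Wireshark matches key log
lines to TLS sessions by the client random from the ClientHello; this script
performs the same join on constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Labels Chrome writes to SSLKEYLOGFILE. CLIENT_RANDOM carries the 48-byte
# TLS 1.2 master secret; the TLS 1.3 labels carry hash-length secrets
# (32 bytes for SHA-256 suites, 48 bytes for SHA-384 suites).
SECRET_LENGTHS = {
    "CLIENT_RANDOM": {48},
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX32 = re.compile(r"^[0-9a-fA-F]{64}$")   # 32 bytes as hex


def parse_keylog(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]], List[str]]:
    """Return ({client_random_hex: [(label, secret_hex), ...]}, [error messages])."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and blank lines are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, client_random, secret = parts
        allowed = SECRET_LENGTHS.get(label)
        if allowed is None:
            errors.append(f"line {lineno}: unknown label {label}")
            continue
        if not HEX32.match(client_random):
            errors.append(f"line {lineno}: client random is not 32 bytes of hex")
            continue
        if (not re.fullmatch(r"[0-9a-fA-F]+", secret) or len(secret) % 2
                or len(secret) // 2 not in allowed):
            errors.append(f"line {lineno}: bad secret length for {label}")
            continue
        entries.setdefault(client_random.lower(), []).append((label, secret.lower()))
    return entries, errors


def client_random_from_record(record: bytes) -> str:
    """Extract the client random (hex) from a raw TLS record holding a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte handshake
    header (type 0x01, 3-byte length), 2-byte legacy_version, 32-byte random.
    """
    if len(record) < 43:
        raise ValueError("record too short to hold a ClientHello")
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43].hex()


def can_decrypt(entries: Dict[str, List[Tuple[str, str]]], client_random_hex: str) -> bool:
    """True if the key log holds at least one secret for this session's client random."""
    return client_random_hex.lower() in entries


# Constructed sample ClientHello record (not from a real capture): random bytes
# 0x10..0x2f, one cipher suite, null compression, no extensions.
SAMPLE_CLIENT_RANDOM = bytes(range(0x10, 0x30))
SAMPLE_CLIENT_HELLO = (
    bytes.fromhex("16 03 01 00 2f")      # record header: handshake, length 47
    + bytes.fromhex("01 00 00 2b")       # handshake header: ClientHello, length 43
    + bytes.fromhex("03 03")             # legacy_version TLS 1.2
    + SAMPLE_CLIENT_RANDOM
    + bytes.fromhex("00")                # session_id length 0
    + bytes.fromhex("00 02 13 01")       # one cipher suite: TLS_AES_128_GCM_SHA256
    + bytes.fromhex("01 00")             # one compression method: null
    + bytes.fromhex("00 00")             # no extensions
)

# Constructed sample key log; the secrets are placeholders, not real keys.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real SSLKEYLOGFILE",
    "CLIENT_RANDOM " + SAMPLE_CLIENT_RANDOM.hex() + " " + "ab" * 48,
    "CLIENT_RANDOM " + "00" * 32 + " " + "cd" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "ff" * 32 + " " + "ef" * 32,
    "CLIENT_RANDOM deadbeef " + "ab" * 48,         # truncated client random
    "NOT_A_LABEL " + "11" * 32 + " " + "22" * 32,  # label Wireshark does not know
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(sessions)} session(s) in key log, {len(bad)} malformed line(s)")
    for msg in bad:
        print("  ", msg)
    rand = client_random_from_record(SAMPLE_CLIENT_HELLO)
    print("captured ClientHello random:", rand)
    print("decryptable with this key log:", can_decrypt(sessions, rand))
```

A session whose client random is not in the file is the one that stays as 'Application Data' in Wireshark; the usual causes are a Chrome instance started before the variable existed, or a capture that began after the handshake.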


The steps may change when Windows or Chrome is updated. Note that sslkey.log holds the secrets of every TLS session Chrome opened while the variable was set, so anyone with that file and the capture can read all of that traffic: once troubleshooting is complete, remove the SSLKEYLOGFILE variable, restart Chrome, and delete the log file.