Join MDN and developers like you at Mozilla's View Source conference, 12-14 September in Berlin, Germany. Learn more at https://viewsourceconf.org

Starting with NSS 3.24 (around Firefox 48), the SSLKEYLOGFILE approach is disabled by default. Distributors can re-enable it at compile time though which is done for the official Firefox binaries. (See bug 1188657.)

Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find the key file via Edit→Preferences→Protocols→SSL→(Pre)-Master-Secret log filename.

Key logging is enabled by setting the environment variable SSLKEYLOGFILE <FILE> to point to a file. This file is a series of lines. Comment lines begin with a sharp character ('#'). Otherwise the line takes one of these formats.

RSA <space> <16 bytes of hex encoded encrypted pre master secret> <space> <96 bytes of hex encoded pre master secret>

CLIENT_RANDOM <space> <64 bytes of hex encoded client_random> <space> <96 bytes of hex encoded master secret>

The RSA form allows ciphersuites using RSA key-agreement to be logged and is supported in shipping versions of Wireshark. The CLIENT_RANDOM format allows other key-agreement algorithms to be logged but is only supported starting with Wireshark 1.8.0. For Wireshark usage, see SSL - Wireshark Wiki.

Document Tags and Contributors

 Last updated by: Lekensteyn,