FreeBSD, Firefox, NSS, SSLKEYLOGFILE

tldr: If you got here because you have trouble finding out how the heck to tell firefox on FreeBSD to honor SSLKEYLOGFILE, you might be glad you found this. If you don't have this problem, or do not know what I am talking about, you might as well save yourself the time.

Tracing TLS encrypted traffic from the browser

When putting computers on the net they need to be secured.

When securing computers you need to know what they are doing on the network.

When you want to know what computers do on the network you look at the traffic, the packets coming and going.

When you look at the traffic you come to a point where you can't read it, because it is encrypted.

The traffic being encrypted is a good thing, except when you are the one who should know what is going on on the network.

If you google wireshark TLS, you will soon find out that you 'just' have to set the environment variable SSLKEYLOGFILE, and chrome and firefox will write the session keys they negotiate to that file; point Wireshark at it (the tls.keylog_file preference) and it can decrypt the traffic they take part in.

If you do this on FreeBSD it works for chrome but not for firefox.

All the info is on the web, but hard to put together

If you search for the solution you will find this NSS link, which tells us that NSS has to be built with the make variable NSS_ALLOW_SSLKEYLOGFILE=1 set; without it, the SSLKEYLOGFILE code is simply not compiled in.

Now here are the things that might be clear to you, but I wasted a few hours on:

  • This needs to be set when building NSS, not firefox.
  • On FreeBSD NSS is a separate port from firefox (firefox links against the system NSS).
  • So cd /usr/ports/security/nss.
  • The Makefile here contains a variable MAKE_ENV.
  • Add NSS_ALLOW_SSLKEYLOGFILE=1 to that MAKE_ENV assignment.
  • Now sudo make reinstall (NSS is already installed as a dependency of firefox, so a plain make install stops with "already installed"), which takes less than a minute.
  • Keep in mind that a ports tree update overwrites the Makefile and a pkg upgrade of nss replaces the binary, so the change has to be redone after either.
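
The procedure above as a small shell script, added here as an example and not taken from the original post: one function for the port rebuild, one to start a single firefox with the variable set only for that process and the key log kept private, one that checks the key log is really being filled (an empty file after browsing means the rebuild did not take), and one that hands it to tshark. The paths, the sed pattern for the port Makefile and the sample key log are assumptions; the sample is constructed and contains no real secrets.

```sh
#!/bin/sh
# Added example, not code from the original post or from NSS/FreeBSD.
# Assumptions: ports tree under /usr/ports, the port Makefile carries a
# "MAKE_ENV+=" line, tshark 3.x (tls.keylog_file; older releases: ssl.keylog_file).

# Step 1 (as root): rebuild security/nss with NSS_ALLOW_SSLKEYLOGFILE=1 in
# MAKE_ENV. NSS is already installed as a firefox dependency, so "make install"
# stops with "already installed"; "make reinstall" replaces it. A ports tree
# update overwrites this edit, so run it again after updating.
rebuild_nss_with_keylog() {
    cd /usr/ports/security/nss || return 1
    grep -q 'NSS_ALLOW_SSLKEYLOGFILE=1' Makefile ||
        sed -i '' -e '/^MAKE_ENV[+?:]*=/s/$/ NSS_ALLOW_SSLKEYLOGFILE=1/' Makefile
    make reinstall
}

# Step 2: start firefox with the variable set for this process only, never
# exported globally: every TLS secret it negotiates lands in this file, so the
# file is created mode 600 and should be deleted when the capture is done.
# An already running firefox will not pick the variable up; start a fresh one.
launch_firefox_with_keylog() {
    keylog=$1
    : > "$keylog" && chmod 600 "$keylog" || return 1
    env SSLKEYLOGFILE="$keylog" firefox &
}

# Step 3: validate the key log and print how many TLS sessions it covers.
# Each non-comment line is "<LABEL> <client_random, 64 hex> <secret, hex>".
# CLIENT_RANDOM is what TLS 1.2 and earlier write; the *_TRAFFIC_SECRET and
# EXPORTER_SECRET labels are TLS 1.3 (the obsolete RSA line format is rejected).
# Exit 1 on a malformed line, 2 if there are no entries at all, i.e. firefox
# is not honoring SSLKEYLOGFILE.
keylog_sessions() {
    awk '
    BEGIN {
        known["CLIENT_RANDOM"] = 1
        known["CLIENT_EARLY_TRAFFIC_SECRET"] = 1
        known["EARLY_EXPORTER_SECRET"] = 1
        known["CLIENT_HANDSHAKE_TRAFFIC_SECRET"] = 1
        known["SERVER_HANDSHAKE_TRAFFIC_SECRET"] = 1
        known["CLIENT_TRAFFIC_SECRET_0"] = 1
        known["SERVER_TRAFFIC_SECRET_0"] = 1
        known["EXPORTER_SECRET"] = 1
    }
    /^#/ || /^[[:space:]]*$/ { next }
    NF != 3 || !($1 in known) || length($2) != 64 ||
        $2 !~ /^[0-9a-fA-F]+$/ || $3 !~ /^[0-9a-fA-F]+$/ {
        printf "malformed line %d: %s\n", NR, $0 > "/dev/stderr"
        bad = 1
        exit
    }
    { sessions[$2] = 1; n++ }
    END {
        if (bad) exit 1
        if (n == 0) exit 2
        c = 0
        for (s in sessions) c++
        print c
    }
    ' "$1"
}

# Step 4: decrypt a capture with the recorded secrets and show the HTTP inside.
decrypt_with_tshark() {
    pcap=$1; keylog=$2
    tshark -r "$pcap" -o "tls.keylog_file:$keylog" -Y http
}

# Constructed sample in the NSS key-log format (no real secrets): two TLS 1.3
# sessions with five labels each and one TLS 1.2 session, all with dummy hex.
make_sample_keylog() {
    cr1=$(printf '%064d' 1); cr2=$(printf '%064d' 2); cr3=$(printf '%064d' 3)
    s=$(printf '%064d' 9); ms=$(printf '%096d' 9)
    {
        echo "# SSL/TLS secrets log file, generated by NSS"
        for lbl in CLIENT_HANDSHAKE_TRAFFIC_SECRET SERVER_HANDSHAKE_TRAFFIC_SECRET \
                   CLIENT_TRAFFIC_SECRET_0 SERVER_TRAFFIC_SECRET_0 EXPORTER_SECRET; do
            echo "$lbl $cr1 $s"
            echo "$lbl $cr2 $s"
        done
        echo "CLIENT_RANDOM $cr3 $ms"
    } > "$1"
}

# Stand-alone demo of the check on the constructed file (no firefox needed).
sample=$(mktemp) || exit 1
make_sample_keylog "$sample"
echo "TLS sessions in sample key log: $(keylog_sessions "$sample")"
rm -f "$sample"
```

In real use you would run rebuild_nss_with_keylog once, then launch_firefox_with_keylog /tmp/firefox.keys while tcpdump captures, browse, and run keylog_sessions /tmp/firefox.keys before bothering with tshark: exit status 2 is the symptom this post is about, the variable is set but NSS was built without the feature.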

At least on my machine SSLKEYLOGFILE is now honored by firefox.

Conclusion

The discussion about whether this should be enabled or disabled by default comes down to two arguments, one contra and one pro:

  • It should be disabled by default for security reasons: only a few people use it, and anything that can set an environment variable for your browser (malware running as your user, for instance) could use it to harvest the keys of every TLS session.
  • The people who want this feature cannot be expected to build firefox from source.

So the FreeBSD solution is actually very elegant: it is disabled by default, and firefox does not need to be built from source to enable it either. All you need to build from source is NSS, which builds in a minute as opposed to firefox, which needs a few hours, and the ports system makes this easy because everything is already prepared for you.

You just have to know about it ;-)