FreeBSD, Firefox, NSS, SSLKEYLOGFILE
tldr: If you got here because you have trouble finding out how the heck to tell firefox on FreeBSD to honor SSLKEYLOGFILE, you might be glad you found this. If you don't have this problem or do not know what I am talking about, you might save yourself the time.
Tracing TLS encrypted traffic from the browser
When putting computers on the net they need to be secured.
When securing computers you need to know what they are doing on the network.
When you want to know what computers do on the network you look at the traffic, the packets coming and going.
When you look at the traffic you come to a point where you can't read it, because it is encrypted.
The traffic being encrypted is a good thing, except when you are the one who should know what is going on on the network.
If you google "wireshark TLS", you will soon find out that you 'just' have to set an environment variable SSLKEYLOGFILE and chrome and firefox will save a copy of the keys they use, so you can decrypt the traffic they take part in.
If you do this on FreeBSD it works for chrome but not for firefox.
All the info is on the web, but hard to put together
If you search for the solution you will find this NSS link, which tells us
that you need to set the make variable
Now here are the things that might be clear to you, but I wasted a few hours on:
- This needs to be set on NSS, not on firefox.
- On FreeBSD NSS is a separate port from firefox. The Makefile there contains that variable.
- Add the line, then run sudo make install, which takes less than a minute.
At least on my machine SSLKEYLOGFILE is now honored by firefox.
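Once firefox writes the file, it is worth checking that it is actually well-formed before handing it to wireshark. The following Python parser is an added example, not code from this post or from NSS: it reads the NSS key log format (label, 32-byte client random, secret, all hex) and counts TLS 1.2 and TLS 1.3 sessions while flagging lines wireshark could not use; the sample lines are constructed.

```python
import re

# Labels NSS writes to SSLKEYLOGFILE. CLIENT_RANDOM carries a TLS 1.2 master
# secret (48 bytes); the rest are TLS 1.3 secrets (32 or 48 bytes by hash).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
# <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-f]{64}) ([0-9a-f]+)$")

def parse_keylog(text):
    """Return ({'TLS1.2': n, 'TLS1.3': m}, bad_lines); sessions are counted
    by distinct client random, bad_lines holds (line_no, line) tuples."""
    seen = {"TLS1.2": set(), "TLS1.3": set()}
    bad = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # NSS writes a "# ..." comment header line; skip it
        m = LINE_RE.match(line)
        if m is None:
            bad.append((no, line))
            continue
        label, client_random, secret = m.groups()
        if label in TLS12_LABELS and len(secret) == 96:
            seen["TLS1.2"].add(client_random)
        elif label in TLS13_LABELS and len(secret) in (64, 96):
            seen["TLS1.3"].add(client_random)
        else:
            bad.append((no, line))  # unknown label or wrong secret length
    return {k: len(v) for k, v in seen.items()}, bad

# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one broken line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ff" * 10,  # truncated secret
])

if __name__ == "__main__":
    counts, bad = parse_keylog(SAMPLE_KEYLOG)
    print(counts, "malformed lines:", [no for no, _ in bad])
```

Run it against the real file firefox wrote; if both counts stay at zero while you browse, the build did not pick up the make variable.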
The discussions whether this should be enabled or disabled by default have two main arguments pro and contra:
- This should be disabled by default for security reasons, only a few people use it and attackers could use it as well.
- The people who want this feature cannot be expected to build firefox from source.
So the FreeBSD solution is actually very elegant: It is disabled by default and firefox does not need to be built from source to enable it. All you need to build from source is NSS, which builds in a minute as opposed to firefox which needs a few hours, and the port system makes this easy as everything is already prepared for you.
You just have to know about it ;-)