Good day,
I'm trying to use the SSLKEYLOGFILE mechanism of Chrome/Chromium in order to inspect some WebRTC DTLS packets with Wireshark. In theory these are SCTP messages, but that's exactly what I want to check and verify by decrypting and inspecting them.
I followed "Using the (Pre)-Master-Secret". However, it doesn't work for WebRTC DTLS, and I'm having a very hard time finding online discussion specifically about this use case.
To my untrained eye, the problem seems to be that Chromium is not printing the appropriate identifiers in its own TLS keylog, so Wireshark obviously cannot find them to decrypt the packets. Is that the case, or am I missing some configuration, maybe?
I made a capture with Wireshark, containing 2 Client Hellos, and none of the random values can be found among all the CLIENT_HANDSHAKE_TRAFFIC_SECRET and CLIENT_TRAFFIC_SECRET_0 entries of the keylog file.
This is what I'm running:
- Ubuntu 22.04
- Chromium 125.0.6422.112 (Official Build) snap (64-bit)
- Wireshark 4.2.5
And the order of execution is as follows:
1. Open Chromium. I use this command for development:
    export SSLKEYLOGFILE="/path/to/keylog.txt"
    /usr/bin/chromium-browser \
      --user-data-dir='/tmp/chromium-profile' \
      --guest \
      --no-default-browser-check \
      --auto-accept-camera-and-microphone-capture \
      --use-fake-device-for-media-stream \
      --enable-logging=stderr \
      --log-level=0 \
      --v=0 \
      --vmodule='*/webrtc/*=2,*/media/*=2,tls*=1' \
      http://localhost:4200/
2. Start Wireshark capture on device lo (this all runs on a local dev machine).
3. Start a send-only publication from my page (it's just a WebRTC app with a "Start" button) to a local WebRTC server.
4. Stop the publication, and stop the Wireshark capture.
5. Close Chromium.
The result of these actions is that a DTLSv1.2 connection is established between the client (Chromium) and the server (mediasoup), immediately followed by multiple encrypted "Application Data" packets.
The Wireshark "DTLS debug" file was configured but it is empty. The "TLS Debug" file was also configured and it contains all the relevant info from Wireshark, including things like "ssl_restore_master_key can't find master secret by Client Random" and "Cannot find master secret". I can provide it if it is of any help.
Would this use case be expected to work? Is anyone able to help?
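
An added example, not part of the original post: a small Python checker for the comparison described above. It parses an NSS-format key log (`LABEL client_random secret` per line) and reports which labels, if any, were logged for a given ClientHello Random. The function names are hypothetical, and the sample log and random values are constructed.

```python
import re
from collections import Counter, defaultdict

# NSS key log line: <LABEL> <client_random: 32 bytes as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}} for well-formed lines."""
    entries = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # e.g. legacy "RSA ..." lines or a partially written line
        label, rnd, secret = m.groups()
        entries[rnd.lower()][label] = secret.lower()
    return dict(entries)

def normalize_random(value):
    """Turn a copied Random ("aa:bb:..." or "aa bb ...") into plain lowercase hex."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(hexstr) != 64:
        # The key log indexes on all 32 bytes, including the leading 4 time bytes.
        raise ValueError("expected the full 32-byte ClientHello Random")
    return hexstr

def labels_for(entries, client_random):
    """Labels logged for one ClientHello Random; [] means no key material for it."""
    return sorted(entries.get(normalize_random(client_random), {}))

def label_histogram(entries):
    """Count entries per label, to see which protocol versions were logged at all."""
    return dict(Counter(l for labels in entries.values() for l in labels))

# Constructed sample data (not taken from the post).
RANDOM_A, RANDOM_B, RANDOM_C = "a1" * 32, "b2" * 32, "c3" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_A} {'11' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_A} {'22' * 32}",
    f"CLIENT_RANDOM {RANDOM_B} {'33' * 48}",  # label used for TLS 1.2 and earlier
])

if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    print("labels in log:", label_histogram(log))
    for name, rnd in [("A", RANDOM_A), ("B", RANDOM_B), ("C", RANDOM_C)]:
        print(name, labels_for(log, rnd) or "no entry for this Client Random")
```

To use it on a real capture, pass the contents of the key log file to `parse_keylog` and the Random field copied from each Client Hello to `labels_for`.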