On 30/06/2024 03:45, Jeffrey Walton wrote:
> On Sat, Jun 29, 2024 at 4:13 PM Lee wrote:
>> [...] Debian firefox does NOT allow one to do
>> TLS intercept - i.e. this does not work:
>> C:\UTIL>cat firefox-tlsdecode.bat
>> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
>> start C:\"Program Files\Firefox\Firefox.exe"
>> [...]
> I'm not sure who your complaint is against -- Debian, Firefox or
> Linux. I'm also not sure that it is a valid complaint.
I would not mind seeing a link stating that the appropriate logger is
really disabled. Certainly dumping of TLS session keys may be disabled
through a compile-time flag, similar to enforcing signatures for add-ons.
It may be the default Firefox configuration for release builds or some
line in the Debian build rules. It still might be some mistake during
attempts to enable the logger. I have read about this approach but I
have never tried it in action.
Firefox uses its own certificate store.
That is relevant to the active traffic interception you described (a
proxy). Lee prefers passive traffic sniffing, and that requires
cooperation from a peer to get the session keys. Each case has its own
advantages.
P.S.
At first it was not clear to me that having the TLS private key (copied
from the server) is not enough for passive traffic decryption. The
Diffie-Hellman key exchange scheme allows secret keys to be generated
even over a public channel. The main purpose of TLS certificates (public
keys in the browser or system store) is to confirm that there is no
attacker in between that blocks packets from the client and establishes
its own connection to the server. Encryption of email messages using a
public key is a different case. Session keys are required to debug TLS
applications.
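An added example, not code from the thread or from Firefox/NSS: a small Python checker for the SSLKEYLOGFILE key log. The argument about Diffie-Hellman above is exactly why the passive sniffer needs this file rather than the server's private key, and the easiest way to tell whether a given Firefox build actually honours SSLKEYLOGFILE is to launch it with the variable set, load an HTTPS page, and run the checker on the file: an empty or malformed file means the keys never reached the sniffer. The label names and hex lengths below are the ones documented for the NSS key log format (the format Wireshark reads); the sample log embedded in the script is constructed for illustration and contains no real secrets.

```python
"""Sanity-check an NSS/SSLKEYLOGFILE key log before pointing Wireshark at it.

Usage:  python keylog_check.py /tmp/FF-SSLkeys.txt
Without an argument it runs on the constructed sample log below.
"""
import re
import sys
from collections import Counter, defaultdict

# Each line of the NSS key log format is: <label> <client random, hex> <secret, hex>
# The client random is always 32 bytes (64 hex characters) and ties the line to
# the ClientHello seen on the wire.
LABELS_TLS12 = {"CLIENT_RANDOM"}          # secret is the 48-byte master secret
LABELS_TLS13 = {                           # secret is 32 or 48 bytes (the suite's hash length)
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def _is_hex(s, *lengths):
    return bool(HEX.match(s)) and len(s) in lengths


def parse_keylog(text):
    """Return (sessions, errors).

    sessions maps client_random -> {label: secret} for every usable line;
    errors lists (line_number, reason) for lines a decryptor would ignore.
    """
    sessions = defaultdict(dict)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # NSS writes a comment header
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label in LABELS_TLS12:
            ok = _is_hex(client_random, 64) and _is_hex(secret, 96)
        elif label in LABELS_TLS13:
            ok = _is_hex(client_random, 64) and _is_hex(secret, 64, 96)
        else:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if not ok:
            errors.append((lineno, f"bad hex length for {label}"))
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), errors


def summarize(text):
    """Count sessions whose application data could actually be decrypted:
    TLS 1.2 needs CLIENT_RANDOM; TLS 1.3 needs both *_TRAFFIC_SECRET_0 lines."""
    sessions, errors = parse_keylog(text)
    labels = Counter(lbl for s in sessions.values() for lbl in s)
    tls12 = sum(1 for s in sessions.values() if "CLIENT_RANDOM" in s)
    tls13 = sum(1 for s in sessions.values()
                if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= s.keys())
    return {"sessions": len(sessions), "tls12_decryptable": tls12,
            "tls13_decryptable": tls13, "labels": dict(labels), "errors": errors}


# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session, one
# TLS 1.3 session missing its server secret, one truncated line, one bogus label.
SAMPLE_KEYLOG = f"""\
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM {'11' * 32} {'22' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'b1' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'b2' * 32}
CLIENT_TRAFFIC_SECRET_0 {'aa' * 32} {'b3' * 32}
SERVER_TRAFFIC_SECRET_0 {'aa' * 32} {'b4' * 32}
EXPORTER_SECRET {'aa' * 32} {'b5' * 32}
CLIENT_TRAFFIC_SECRET_0 {'cc' * 32} {'d1' * 32}
CLIENT_RANDOM {'ee' * 32} {'ff' * 20}
PREMASTER_SECRET {'ee' * 32} {'ff' * 48}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = summarize(fh.read())
    else:
        report = summarize(SAMPLE_KEYLOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the report shows zero sessions after browsing, the browser never wrote the file (the variable did not reach the process, or the build has the logger compiled out), which is the first thing to establish before blaming the capture side. Sessions that show handshake secrets but no *_TRAFFIC_SECRET_0 lines usually mean the handshake did not complete.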