Wireshark-users: [Wireshark-users] HTTP/2 decryption with sslkeylog
From: Muhui Jiang <jiangmuhui@xxxxxxxxx>
Date: Sat, 14 Jan 2017 00:20:04 +0800
Hi

I hope this is the right way to ask this question.

These days, I have been trying to use Wireshark to decrypt SSL data and analyze HTTP/2 traffic. I tried win64-1.99.2, win64-1.12.6 and win64-2.2.3. I also tried the same versions on Ubuntu 14.04 and MacOS. I followed the steps below to try to decrypt the traffic:

1. I added SSLKEYLOGFILE and the corresponding path to the environment variables.
2. In the SSL preferences in Wireshark, I set the corresponding path in the (Pre)-Master-Secret log filename.
3. Then I restarted the browser (Firefox and Chrome) and Wireshark to capture the corresponding packets.

The results I observe:
Sometimes the ssllogkey file is empty. I think this might be caused by Chrome or Firefox; after waiting for some time, the session key appears inside the ssllogkey file.
Sometimes, when there is content inside the ssllogkey file, I still cannot decrypt the frames completely. I can only see the content of some js or css files. But I cannot see the specific HTTP/2 frame types like push promise, settings, data etc.

I tried to solve this problem for three whole days but failed. My target websites include Google, Twitter, some public sites and some sites I set up in the testbed. But I cannot get a satisfactory result. I searched and visited many sites describing how to decrypt SSL traffic, but I failed in the end. I also tried setting the private key in Wireshark and running the test on my testbed, still with no results.

I really need your help. If any of you have ever used Wireshark to decrypt HTTP/2 traffic completely, could you please tell me your platform, your Wireshark version, your browser version, your test site or your testbed server version (better with configuration if available) and the cipher suite? I want to repeat your test. I am completely confused and don't trust myself; I don't know which step is wrong or whether I just missed something important.

If you need more information about my test, please let me know and I can provide more information and the pcap files. Many thanks; I really need your help.

Regards
Muhui
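
A check for the two symptoms described in the message (a key log that is empty or only partly written, and sessions that stay encrypted), added here as an example and not part of the original post. It parses the NSS key log format written via SSLKEYLOGFILE and reports which ClientHello randoms from a capture have a matching secret; it handles only the CLIENT_RANDOM and RSA line types, and the function names and sample values are constructed for illustration.

```python
import re

# Line types of the NSS key log file written when SSLKEYLOGFILE is set:
# label, lookup key, secret. Values are hex lengths (key, secret).
FORMATS = {
    "CLIENT_RANDOM": (64, 96),  # 32-byte client random, 48-byte master secret
    "RSA": (16, 96),            # 8 bytes of encrypted pre-master, 48-byte pre-master
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return ({client_random: master_secret}, [(line_no, problem)])."""
    secrets, problems = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split()
        if len(parts) != 3 or parts[0] not in FORMATS:
            problems.append((no, "unrecognized line"))
            continue
        label, key, secret = parts
        klen, slen = FORMATS[label]
        if len(key) != klen or len(secret) != slen or not HEX.match(key + secret):
            problems.append((no, f"malformed {label} entry (truncated write?)"))
            continue
        if label == "CLIENT_RANDOM":
            secrets[key.lower()] = secret.lower()
    return secrets, problems

def coverage(secrets, capture_randoms):
    """Split ClientHello randoms seen in a capture into (have, missing).

    A session is looked up by the client random from its ClientHello, so a
    random with no CLIENT_RANDOM line (for example a connection opened before
    the browser started logging) cannot be decrypted from this file.
    """
    have = [r for r in capture_randoms if r.lower() in secrets]
    missing = [r for r in capture_randoms if r.lower() not in secrets]
    return have, missing

# Constructed sample data (not from the post): one complete entry, one cut short.
RANDOM_A, RANDOM_B = "aa" * 32, "bb" * 32
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file\n"
    f"CLIENT_RANDOM {RANDOM_A} {'11' * 48}\n"
    f"CLIENT_RANDOM {RANDOM_B} {'22' * 20}\n"
)
```

The `capture_randoms` argument is assumed to be the hex client randoms copied from the ClientHello messages of the capture being analyzed.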