SSLKEYLOGFILE environment variable doesn't populate any text file

Verified in both Chrome and Firefox
Windows 10 64bit [Version 10.0.17763.379]

I would not use the --ssl-key-log-file flag with Chrome. In my testing, it does not have an effect.

Steps to get SSL keylog file

1. Change your directory to one that you or your programs have access to. I am using the Desktop folder.

   C:\> cd $HOME\Desktop

2. Set the SSLKEYLOGFILE variable. This sets it for the user (HKCU). To set it for the machine (HKLM), add the /m flag to the end of the command.

   PS C:\Users\rj\Desktop> SetX SSLKEYLOGFILE "$(get-location)\ssl.log"

3. Verify that the variable has been set in a separate powershell window (SetX does not apply to the current window).

   PS C:\Users\rj\Desktop> Get-ChildItem ENV: | findstr SSLKEYLOGFILESSLKEYLOGFILE                  C:\Users\rj\Desktop\ssl.log

   You can also verify that SSLKEYLOGFILE is a user variable by going to the Control Panel > System and Security > System > Advanced System Settings > Advanced tab > Environment Variables > User Variables. You should see a listing like the powershell example where the value is a directory.

4. Open Chrome/Firefox and go to an https website like https://stackoverflow.com.

5. You should see an ssl.log show up on your desktop.

Image of end result

Further Reading

• 2018-12-07, F5, Decrypting SSL traffic: Great article on doing the above, but cross-platform
• 2019-03-18, Mozilla, NSS Key Log Format: The SSLKEYLOGFILE format
• 2018-08-17, Wireshark Bugzilla, Add TLS 1.3 support: Has good test pcap/SSLKEYLOGFILE contents for TLS1.3 (See Comment 83)

You mentioned that you are using Wireshark. If you using it to export a file from a TLS-encrypted stream in a capture, this article may help you.

One thing I ran into is: Chrome doesn't always fully close when you close the window. Sometimes it stays open in the background. Use the Windows Process Explorer to list all the processes and make cure Chrome is closed. Also, after restarting Chrome, you can double click on it in Process Explorer and select the Environment tab to list all the variables set in it's environment. Make sure SSLKEYLOGFILE is shown in that list. Then Chrome will be sending keys to the specified file.

First off all the problem is that the browsers are protected better and that flaw is patched, thats why you cant capture no ssl. I dont know the details. But chrome with --no-sandbox(linux) option on ,when running will enable you to capture ssl/tls key without any issues from the first try, so you can play with decription of packets. Never tried on windows btw..