How to decrypt SSL traffic of Qt programs in Wireshark

If you are debugging an application that uses the network, you have probably already used the very helpful Wireshark tool to inspect network traffic to and from the servers you make requests to. However, more and more servers are switching to SSL for their entire APIs (e.g. Facebook and Twitter) for security reasons, e.g. to prevent sniffing of login cookies or OAuth access tokens. This is of course good for security, but it has the nasty side effect of making it hard to analyze HTTP requests and replies when debugging. Luckily, when you feed the SSL connection parameters to Wireshark, it will conveniently display the decrypted HTTP (and other) network packets.

If you are using Qt to make your network requests, you can now decrypt SSL traffic; the patch was merged to the Qt5 (Gerrit commit) and Qt4 (Gerrit commit) code lines and will be available in the upcoming 5.1.0 and 4.8.5 releases. You will also need a recent version of Wireshark for decrypting packets; this has been tested with the current stable (1.8.6) and development (1.9.2) versions of Wireshark.

Note: In particular, the Wireshark version of your favorite Linux distribution might not be recent enough as of this writing.

Here is what you need to do to enable decryption of network packets coming from Qt:


  • uncomment the line in src/network/ssl/qsslsocket_openssl.cpp which says "//#define QT_DECRYPT_SSL_TRAFFIC"; i.e. apply the following patch:


diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp

index 2b9c4b5..03c2f3b 100644

--- a/src/network/ssl/qsslsocket_openssl.cpp

+++ b/src/network/ssl/qsslsocket_openssl.cpp

@@ -55,7 +55,7 @@ ****************************************************************************/

//#define QSSLSOCKET_DEBUG

-//#define QT_DECRYPT_SSL_TRAFFIC

+#define QT_DECRYPT_SSL_TRAFFIC

#include "qsslsocket_openssl_p.h"

#include "qsslsocket_openssl_symbols_p.h"
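
Review bot: the "+#define QT_DECRYPT_SSL_TRAFFIC" line switches the option on for every build of this tree, with no guard around it and no comment saying what it enables, so the only thing keeping it out of a release is remembering to revert the edit. Consider leaving the line commented in the source and passing the define on the compiler command line for the debugging build only, and add a short comment above it stating that it must stay disabled in release builds.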

  • recompile QtNetwork:

cd src/network && make

This will store SSL connection parameters in a file /tmp/qt-ssl-keys (on most Unix systems; on Windows this will be different) when an SSL handshake is made.

  • let Wireshark know the location of that file by selecting "Edit -> Preferences... -> Protocols -> SSL -> (Pre-)Master-Secret log filename:" and entering "/tmp/qt-ssl-keys".

  • make and sniff your requests as usual via Wireshark and/or tcpdump. Now Wireshark will display the packets in clear text.


  • When using Qt in a production environment, be sure to comment out the above line in qsslsocket_openssl.cpp again and recompile QtNetwork.
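
A pre-release check for the last step, as an added example (not part of the original post or of Qt): it fails when the define is still active in the source file named above or when a key log file is still present. The function names and the script's arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: release gate for the QT_DECRYPT_SSL_TRAFFIC debugging switch.
# Usage (hypothetical script name): sh check_qt_keylog.sh <qt-source-root> [key-log-file]

# Return 0 if the file contains an active (uncommented) define, 1 otherwise.
define_is_active() {
    # The line must begin with '#', so "//#define ..." does not match.
    # The name must end at whitespace or end of line, so a longer macro
    # name that merely starts with QT_DECRYPT_SSL_TRAFFIC does not match.
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+QT_DECRYPT_SSL_TRAFFIC([[:space:]]|$)' "$1"
}

# Return 0 when the define is disabled and no key log file exists,
# 1 when either problem is found, 2 when the source file is missing.
check_release_ready() {
    src="$1/src/network/ssl/qsslsocket_openssl.cpp"
    keylog="$2"
    rc=0
    if [ ! -f "$src" ]; then
        echo "ERROR: $src not found" >&2
        return 2
    fi
    if define_is_active "$src"; then
        echo "FAIL: QT_DECRYPT_SSL_TRAFFIC is enabled in $src"
        rc=1
    fi
    if [ -e "$keylog" ]; then
        echo "FAIL: key log file $keylog exists; delete it after debugging"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: define is disabled and no key log file found"
    fi
    return "$rc"
}

# Run the check only when the script is given a source root.
if [ "$#" -gt 0 ]; then
    check_release_ready "$1" "${2:-/tmp/qt-ssl-keys}"
fi
```

The check only inspects the source tree and the key log path; an already compiled QtNetwork still has to be rebuilt after the define is commented out.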

Side note: If you are developing a BlackBerry 10 app and have a developer device (i.e. if you have SSH access and can run tcpdump), then you should also be able to make this work by sniffing traffic via tcpdump and then copying over the tcpdump file and the SSL keys file to your desktop machine. Just note that the "qt-ssl-keys" file will end up inside your app directory rather than in a global temporary directory.



© 2015 by Peter Hartmann  -  Legal notice
