@felixhammerl
Last active March 20, 2024 02:58
MitM TLS encrypted traffic in macOS using SSLKEYLOGFILE

Option 1: Via macOS environment variable:

  1. mkdir -p ~/Library/LaunchAgents
  2. Put tlskeylogger.plist at ~/Library/LaunchAgents/tlskeylogger.plist
  3. launchctl load ~/Library/LaunchAgents/tlskeylogger.plist, so it will load on the next restart
  4. launchctl start sslkeylogger (the Label set in the plist), so it will load the environment variable immediately
  5. Restart your browser(s)
  6. See how TLS keys are being written to ~/.tlskeyfile via tail -f ~/.tlskeyfile

NB: This may be hit or miss and many apps do not respect the env var.
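
To confirm that what lands in ~/.tlskeyfile is usable, this added example (not part of the original gist) counts valid NSS key log entries per TLS version and checks that the file is not readable by group or other, since anyone who can read it can decrypt the captured sessions. The function names and the sample values are constructed for illustration.

```sh
# Added example: sanity-check a key log file such as ~/.tlskeyfile.
# Assumes NSS key log lines: "<LABEL> <client_random_hex> <secret_hex>".

# Print "tls12=<n> tls13=<n> malformed=<n>"; n counts distinct client randoms.
keylog_summary() {
  awk '
    BEGIN {
      traffic = "^(CLIENT|SERVER)_(HANDSHAKE_TRAFFIC_SECRET|TRAFFIC_SECRET_0)$"
      other   = "^(EXPORTER_SECRET|CLIENT_EARLY_TRAFFIC_SECRET|EARLY_EXPORTER_SECRET)$"
    }
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    NF == 3 && length($2) == 64 && ($2 $3) ~ /^[0-9a-fA-F]+$/ {
      n = length($3)
      # TLS 1.2: 48-byte master secret
      if ($1 == "CLIENT_RANDOM" && n == 96) { t12[$2] = 1; next }
      # TLS 1.3: each secret is one hash output long (32 or 48 bytes)
      if (($1 ~ traffic || $1 ~ other) && (n == 64 || n == 96)) { t13[$2] = 1; next }
    }
    { bad++ }                                # anything that fell through
    END {
      for (k in t12) a++
      for (k in t13) b++
      printf "tls12=%d tls13=%d malformed=%d\n", a, b, bad
    }
  ' "$1"
}

# Succeed only if group and other have no access. The file is created with
# the umask of whichever process writes it first, so check it explicitly.
keylog_is_private() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample (not real key material): one TLS 1.2 session, one
# TLS 1.3 session with two secrets, and one truncated line.
write_sample_keylog() {
  r1=$(printf '%064d' 1); r2=$(printf '%064d' 2)
  {
    echo "# constructed sample"
    echo "CLIENT_RANDOM $r1 $(printf '%096d' 3)"
    echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $r2 $(printf '%064d' 4)"
    echo "SERVER_TRAFFIC_SECRET_0 $r2 $(printf '%064d' 5)"
    echo "CLIENT_RANDOM $r1 abcd"
  } > "$1"
}

f=$(mktemp) && write_sample_keylog "$f"
keylog_summary "$f"
keylog_is_private "$f" || echo "warning: $f is readable by group/other"
rm -f "$f"
```

Point `keylog_summary` and `keylog_is_private` at ~/.tlskeyfile after restarting the browser; if the permission check fails, `chmod 600 ~/.tlskeyfile`.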

Option 2 (recommended): Via mitmproxy:

Install xbar (the BitBar successor) and use this plugin to toggle the macOS proxy settings for port 8080, which is used by Burp and mitmproxy.

SSLKEYLOGFILE=~/.tlskeyfile mitmproxy

The certificate for mitmproxy will be generated on install and can be retrieved from http://mitm.it when everything is up and running.

If you are trying to intercept a process running as root, you MUST trust the cert as root:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "path/to/mitmproxy-ca-cert.pem"

tlskeylogger.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- LaunchAgent that sets SSLKEYLOGFILE for the user's launchd session when the agent loads -->
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>sslkeylogger</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>launchctl setenv SSLKEYLOGFILE ~/.tlskeyfile</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>