As you may know, HTTP/2.0, as implemented by most browsers, only runs over TLS (which is a good thing). Unfortunately, it makes debugging the protocol a bit harder, since protocol analyzers can’t look inside the TLS layer anymore. And while the in-browser debugging tools have become very good, I find myself in need of a Wireshark session to figure things out: In particular: which resources were pushed by the server?

So I found myself Men-In-The-Middle-ing myself with ZAP regularly. Today I learned that I can simply ask my browser to tell me the missing pieces: the master secret and the client random value (used to look up the correct master secret from the raw packet), or, if you are still not using PFS, part of the encrypted pre-master secret (for look-up), and the full (plaintext) pre-master secret.

Just set the SSLKEYLOGFILE environment-variable to the path of a writable text file (appended to). Works in both Chrome and Firefox! And make sure you unset the environment for safe surfing afterwards!

Wireshark can be configured to read in this file in the Preferences → Protocols → SSL → (Pre)-Master-Secret log filename.