On Sat, Jun 29, 2024 at 4:13 PM Lee <ler...@gmail.com> wrote:
>
> [...] Debian firefox does NOT allow one to do
> TLS intercept - ie. this does not work:
> C:\UTIL>cat firefox-tlsdecode.bat
> set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
> start C:\"Program Files\Firefox\Firefox.exe"
>
> @rem wireshark:
> @rem edit / preferences
> @rem protocols / tls (v2.6: protocols / ssl)
> @rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log
> filename (was SSL debug file entry)

I'm not sure who your complaint is against -- Debian, Firefox or Linux. I'm also not sure that it is a valid complaint.

Firefox uses its own certificate store. If you want to proxy your traffic, then the proxy's root cert needs to be in Mozilla's certificate store. See <https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox>.

Chrome is different. Chrome uses the Windows store by default, but also has its own certificate store. For Chrome, your Windows admin can make a change with a Group Policy, and Chrome will pick it up through the Windows certificate store. Or you can manually install the proxy's root cert. See <https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md>.

Debian is not concerned about TLS interception in this case. But for completeness, Debian has its own store at /etc/ssl/certs. You get the certificates by installing the ca-certificates package. You can install certificates into the store by dropping the root cert on the filesystem at /usr/local/share/ca-certificates, and then running update-ca-certificates. See <https://wiki.debian.org/Firefox/PrivateCertificateAuthority> and <https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>.

When you are intercepting/inspecting traffic, you typically set up your proxy, and then proxy Firefox and Chrome traffic through your proxy. The proxy can run on your local machine, like 127.0.0.1. Your proxy's root certificate should be in the browser's store (as described above).

Jeff
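
A check related to the SSLKEYLOGFILE setup quoted at the top of this message, added here as an example and not part of the original thread: before adjusting Wireshark preferences, confirm that the file the browser wrote contains well-formed NSS key log lines. The function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# TLS 1.3 labels in the NSS key log format; TLS 1.2 and earlier use CLIENT_RANDOM.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+")

def expected_lengths(label):
    """Hex lengths (second field, allowed secret lengths) for a label, or None."""
    if label == "CLIENT_RANDOM":
        return 64, (96,)      # 32-byte client random, 48-byte master secret
    if label == "RSA":
        return 16, (96,)      # legacy form: 8 bytes of encrypted pre-master
    if label in TLS13_LABELS:
        return 64, (64, 96)   # secret is 32 (SHA-256) or 48 (SHA-384) bytes
    return None

def check_keylog(text):
    """Return (Counter of well-formed labels, [(line_no, problem), ...])."""
    labels, problems = Counter(), []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        parts = line.split()
        lengths = expected_lengths(parts[0])
        if lengths is None:
            problems.append((no, "unknown label"))
        elif len(parts) != 3:
            problems.append((no, "expected 3 fields"))
        elif not all(HEX.fullmatch(p) for p in parts[1:]):
            problems.append((no, "non-hex field"))
        elif len(parts[1]) != lengths[0] or len(parts[2]) not in lengths[1]:
            problems.append((no, "wrong field length"))
        else:
            labels[parts[0]] += 1
    return labels, problems

# Constructed sample (repeated-byte values, not real secrets); line 5 is truncated.
SAMPLE = "\n".join([
    "# constructed key log sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "01" * 32 + " " + "ef" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "01" * 32 + " " + "ef" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,
])

if __name__ == "__main__":
    print(check_keylog(SAMPLE))
```

An empty result with no problems means the browser wrote nothing to the file; only TLS 1.3 labels or only CLIENT_RANDOM lines indicate which protocol versions the captured sessions negotiated.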