Cant Export TLS keys using SSLKEYLOGFILE with Total Security Installed

[PCrossley]

For network analysts it is common practice to export TLS keys from applications.

This is in accordance with RFCs and is achieved by setting an environment variable SSLKEYLOGFILE.

 

I have recently discovered that with Kaspersky Total Security installed my keys are no longer properly exported..

Pausing protection doesn’t solve the issue, I had to exit the product.

Does anyone know of a setting that can be changed that will allow me to keep my Total Internet Security package running but still export TLS keys.

 

Thanks for your help

[PCrossley]

The problem is cured by using  Settings→ Network Settings→ Do not scan encrypted connections.

However this obviously decreases security.

[Flood and Flood's wife]

Hello @PCrossley, 

Welcome!

Thank you for the extra information! 

We were just discussing this, log a case with Kaspersky support, either via Chat or Email, select Application malfunction, Other template. Support may request logs, traces & other data, they will guide you. . 

• If selecting Chat option, we recommend you request a copy of the chat transcript, make sure you fill in your email address AFTER the chat is activated by the Chat agent & complete the Verify your email address email AFTER the chat completes.
• When it’s available, please share the outcome with the Community? 

Thank you🙏

Flood🐳+🐋

[PCrossley]

Thanks Flood

I have already reported it.

I suspect that the use of the TLS key export feature is so rare that it is unlikely to get much priority.

However I’ve suggested they provide a command line function that will pass the value of SSLKEYLOGFILE to the proxy they use to scan encrypted connections so that it can populate the file itself.

I only need the function occasionally so for now  I can live with turning encrypted session scanning off and on when I need to, but I suspect others might look for a different product.

 

Paul

[Flood and Flood's wife]

1. I have already reported it.
2. I suspect that the use of the TLS key export feature is so rare that it is unlikely to get much priority.

 Hello @PCrossley, Paul,

You’re most welcome!

1. Bravo👍  It sounds like a good solution👏
2. You may be right, however, occasionally, the developers have surprised even those of us who’ve grown mouldy & jaded waiting for changes; not wishing to give false hope, but, let’s wait & see; sometimes, such a change may have benefits for other “problems”. 

• Not sure how they’ve managed the INC# you’ve submitted, if it’s classified as a Suggestion, they’ll eventually (soon) close the INC, telling you to “keep a eye out”, i.e., no-one tells you if the change has been processed; that’s unfortunate for users, should you need or wish to make a query about the issue in the future, you’ll be required to raise a new INC# → IF the proposed change takes 2 or more years & you make an enquiry per year…. you get the drift😥

Obviously, if you get a result, please share it with the Community please? 

Thank you🙏

Flood🐳+🐋