0

OpenSSL s_client (CLI) prints the Master-Key during the initial handshake. This can be clubbed with the client random to decrypt a packet capture in Wireshark. However, the random and master key change after renegotiation, and packet decryption stops working after this.

Is there a way to print the Master-Key after secure renegotiation as well (from the command-line client)?

vpillai
  • 15
  • 5

1 Answer

0

Looks like this is not supported in s_client. However, the renegotiated keys can be printed by hijacking the SSL_read function in the ssl/ssl_lib.c file of the OpenSSL library.

I added the following code to SSL_read().

    /* Debug only: dump the session's current 48-byte master key as hex on every read. */
    int i;
    printf("key is: ");
    for (i = 0; i < 48; i++) {
        printf("%.2X", s->session->master_key[i]);
    }
    printf("\n");

Then I ran apps/openssl s_client with LD_LIBRARY_PATH=. to print the keys used for each read operation.

Note: re-negotiated key based decryption is not supported in older versions of Wireshark. I used Wireshark-win64-2.3.0-3548-gc30bb2c

vpillai
  • 15
  • 5
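
An added example, not part of the answer above and not OpenSSL code: the hook in the answer prints the master key on every read, whereas Wireshark's "(Pre)-Master-Secret log" file expects one `CLIENT_RANDOM <client random hex> <master key hex>` line per handshake. The sketch below formats that line and emits it only when the pair changes, which is what a renegotiation causes. The names `keylog_state` and `keylog_update` are hypothetical, and it assumes the hook can also read the 32-byte client random (OpenSSL 1.1.0 and later expose `SSL_get_client_random()` and `SSL_SESSION_get_master_key()` for this).

```c
#include <string.h>

#define RANDOM_LEN 32 /* ClientHello.random */
#define MASTER_LEN 48 /* TLS <= 1.2 master secret, the 48 in the loop above */
/* "CLIENT_RANDOM " + 64 hex + ' ' + 96 hex + '\n' + NUL */
#define KEYLOG_LINE_MAX (14 + 2 * RANDOM_LEN + 1 + 2 * MASTER_LEN + 2)

/* Hypothetical per-connection state: the last pair already logged. */
struct keylog_state {
    unsigned char random[RANDOM_LEN], master[MASTER_LEN];
    int seen;
};

/* Append n bytes of b as lowercase hex at p; return the new write position. */
static char *put_hex(char *p, const unsigned char *b, size_t n)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        *p++ = digits[b[i] >> 4];
        *p++ = digits[b[i] & 0x0f];
    }
    return p;
}

/* Call from the read hook with the connection's current values.
 * Returns 1 and fills `line` when the pair is new (first handshake or a
 * renegotiation), 0 when unchanged, -1 when `line` is too small. */
int keylog_update(struct keylog_state *st, const unsigned char *random,
                  const unsigned char *master, char *line, size_t line_sz)
{
    if (line_sz < KEYLOG_LINE_MAX)
        return -1;
    if (st->seen && !memcmp(st->random, random, RANDOM_LEN) &&
        !memcmp(st->master, master, MASTER_LEN))
        return 0; /* same keys as last read: nothing new to log */
    memcpy(st->random, random, RANDOM_LEN);
    memcpy(st->master, master, MASTER_LEN);
    st->seen = 1;
    memcpy(line, "CLIENT_RANDOM ", 14);
    char *p = put_hex(line + 14, random, RANDOM_LEN);
    *p++ = ' ';
    p = put_hex(p, master, MASTER_LEN);
    *p++ = '\n';
    *p = '\0';
    return 1;
}
```

Appending each returned line to one file and pointing Wireshark's TLS key log preference at it lets the capture decrypt across renegotiations; treat that file as secret key material.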