This repository is a fork of quic-go/masque-go with modifications to support full traffic decryption and analysis, specifically for the initial CONNECT packets on the loopback interface.
Previously, the TLS key export mechanism only allowed decryption of the flow between the Proxy (127.0.0.1:4443) and the Destination Server. However, to decrypt and analyze the initial CONNECT packet, we need to decrypt the traffic on the loopback interface (Client 127.0.0.1 to 127.0.0.1), which was missing.
- Dual Key Logging: Modified `client/main.go` to log TLS keys for both flows (Client $\leftrightarrow$ Proxy and Proxy $\leftrightarrow$ Target) into a single `SSLKEYLOGFILE`. This enables full decryption of the handshake and the CONNECT packet in Wireshark.
- Insecure Mode: Added an `-insecure` flag to bypass certificate verification. This resolves issues where self-signed certificates fail to validate in my computer environment.

The implementation steps remain the same as in the previous version:

```bash
git clone https://github.com/tungns1207/masque-go.git
```

Note: If you encounter a "certificate not valid" error, you can regenerate the certificates using the following command:

```bash
openssl req -x509 -nodes -days 10950 -newkey rsa:2048 \
  -keyout certs/server.key \
  -out certs/server.crt \
  -config certs/san.cnf \
  -extensions v3_req
```

```bash
sudo -E go build -o /usr/local/bin/masque-client ./cmd/client && sudo -E go build -o /usr/local/bin/masque-proxy ./cmd/proxy
```

Set the certificate file and the key log location. This is required for Wireshark to decrypt the traffic.

```bash
export SSL_CERT_FILE=certs/server.crt
export SSLKEYLOGFILE=certs/keys.log
```

Run the proxy on port 4443:

```bash
masque-proxy -b :4443 -c certs/server.crt -k certs/server.key -t "https://127.0.0.1:4443/masque?h={target_host}&p={target_port}"
```

Run the client. Use the -insecure flag to skip certificate verification if using self-signed certs:

```bash
masque-client -insecure -t "https://127.0.0.1:4443/masque?h={target_host}&p={target_port}" https://cloudflare-quic.com:443
```
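To confirm that the key log really holds secrets for both flows before opening the capture in Wireshark, the following added example (not code from this repository) parses NSS key log text and counts the sessions that carry every secret needed for decryption. It assumes both flows negotiate TLS 1.3 (QUIC always does); `CompleteSessions` and `sample` are hypothetical names, and the sample key log is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// TLS 1.3 labels needed to decrypt handshake and application data, one bit each.
var required = map[string]uint8{"CLIENT_HANDSHAKE_TRAFFIC_SECRET": 1, "SERVER_HANDSHAKE_TRAFFIC_SECRET": 2,
	"CLIENT_TRAFFIC_SECRET_0": 4, "SERVER_TRAFFIC_SECRET_0": 8}

// CompleteSessions counts client randoms in "LABEL CLIENT_RANDOM SECRET" lines that carry all four labels.
func CompleteSessions(keylog string) (int, error) {
	seen := map[string]uint8{} // client random -> bitmask of labels logged so far
	sc := bufio.NewScanner(strings.NewReader(keylog))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or comment
		}
		if len(f) != 3 || len(f[1]) != 64 { // client random is 32 bytes, hex-encoded
			return 0, fmt.Errorf("line %d: malformed key log entry", n)
		}
		seen[strings.ToLower(f[1])] |= required[f[0]] // other labels add no bits
	}
	complete := 0
	for _, mask := range seen {
		if mask == 15 {
			complete++
		}
	}
	return complete, sc.Err()
}

// sample builds a constructed key log for one session, leaving out the label named by skip.
func sample(random, skip string) string {
	var b strings.Builder
	for l := range required {
		if l != skip {
			fmt.Fprintf(&b, "%s %s %s\n", l, strings.Repeat(random, 32), strings.Repeat("00", 32))
		}
	}
	return b.String()
}

func main() {
	fmt.Println(CompleteSessions(sample("a1", "") + sample("b2", ""))) // constructed: two flows
}
```

A count below 2 on `certs/keys.log` after a single client run means one of the two flows was not logged in full and will stay encrypted in Wireshark.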