by josephcsible 1403 days ago
But don't the keys to decrypt the stream have to remain in memory for at least as long as the stream itself is active? Or is the issue that the connection completes too quickly, so that that doesn't give you enough time?

The application keys definitely do. The handshake keys are modified and at some point become useless to tshark. Not sure if it is a defensive coding thing, or what, but yeah, if we don't catch it at the exact right moment, they don't work.
Okay, that makes sense. What do you need the handshake keys for, though? Aren't the application keys enough to decrypt all of the data that you need to?
I think it's related to perfect forward secrecy. We used curl's SSLKEYLOGFILE environment variable to find out what tshark needed and then worked to reproduce what curl was producing.
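Added example, not part of the thread or of the commenters' tooling: a small parser for the NSS key log format that `SSLKEYLOGFILE` produces, reporting per session whether both the TLS 1.3 handshake traffic secrets and the application traffic secrets were captured. In TLS 1.3 the encrypted handshake records are protected by keys derived from the handshake secrets and application data by keys derived from the application secrets; the sample input and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# TLS 1.3 labels defined by the NSS key log format (what SSLKEYLOGFILE writes).
HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
APPLICATION = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; skip comments and malformed lines."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m or len(m.group(3)) % 2:  # secret must be whole bytes
            continue
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def coverage(sessions):
    """Per session, report which record types have both directions' secrets present."""
    report = {}
    for client_random, secrets in sessions.items():
        labels = set(secrets)
        report[client_random] = {
            "handshake_records": HANDSHAKE <= labels,
            "application_records": APPLICATION <= labels,
            "missing": sorted((HANDSHAKE | APPLICATION) - labels),
        }
    return report

# Constructed sample: session A has all four secrets, session B was captured
# after the handshake secrets were no longer available.
CR_A, CR_B = "aa" * 32, "bb" * 32
SAMPLE = "\n".join([
    "# constructed key log for illustration",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + CR_A + " " + "11" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + CR_A + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + CR_A + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + CR_A + " " + "44" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + CR_B + " " + "55" * 48,
    "SERVER_TRAFFIC_SECRET_0 " + CR_B + " " + "66" * 48,
    "not a key log line",
])
```
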