Login/Register
how to debug an ssl connection?
Asked Answered
Solved web-servicesdebuggingsslhttpssniffing
D

4

14

I have a client application that connects to a web service over https. I need to "sniff" all the network traffic between web service and my client to check if everything is okay, i.e, i have to debug the connection.

I have tried Wireshark but since I do not have server private key, data shown on wireshark screen is, of course, encrypted.

Is there a way to observe ssl network traffic between my client and web service when I do not have access to server itself and therefore private keys and other related stuff?

Thanks in advance.

Damiendamietta answered 14/6, 2011 at 13:29 Comment(0)
P
5

See this: Debugging SSL communications.

I know theoretically it can be done - you can setup a proxy that communicates with the target web-service, point your application to connect via this proxy. Its a known limitation - Https assumes you trust all proxy and certificates installed on your machine. Its a form of Man-in-the-middle attack.

See if Fiddler would be of some use.

Man-in-the-middle attacks

In a man-in-the-middle attack, the attacker intercepts user traffic to capture credentials and other relevant information. The attacker then uses this information to access the actual destination network. During the process, the attacker typically serves as a proxy/gateway that presents a false SSL VPN site to the user; this proxy/gateway passes whatever authentication the user enters on to the real destination site.

Pointillism answered 14/6, 2011 at 13:37 Comment(6)
An HTTP proxy will not be able to let you see the HTTPS traffic it's used for: it relays everything to the target server directly. (You can see the address and port of the server, though.)Osteoclast
@Bruno, a regular HTTP proxy won't but you can have a proxy that does that. There are corporate monitoring tools that just do that. It relies on adding a reliable certificate on your machine and proxy cloaking all communication with HTTPS server.Pointillism
no, you don't have to trust the HTTP proxy for the HTTPS connection to be secure, only the CA certificates on your machine. An HTTP proxy does not intercept or alter an HTTPS connection, it barely forwards it, entire SSL/TLS exchange included (see HTTP CONNECT method).Osteoclast
Sorry, I hadn't seen your response in my previous comment. Yes, there are specific types of proxy servers that will do that, provided the client machines have their CA certificate stores configured to accept the official MITM indeed.Osteoclast
This is exactly what Fiddler does.Richelle
I used to use Web Scarab for this..it's part of the OWASP project. owasp.org/index.php/Category:OWASP_WebScarab_ProjectBeem
C
4

do you have python installed?

pip install mitmproxy

mitmproxy -p 1234

even a video for you

(by the way, i had to apt-get install python-lxml on debian squeeze after an apt-get update)

Cargo answered 19/5, 2012 at 7:40 Comment(0)
D
3

Burp Suite (even Free Edition) allows you to set a SSL "proxy", it will present a different certificate to your application and it will decrypt (and display) the traffic for you. And if you want to test with the server in localhost too it allow you to set the proxy too (something I have been unable to do with Wireshark in Windows, and Fiddler).

Deprecate answered 5/12, 2013 at 20:35 Comment(0)
O
0

If you don't have access to the server's private key, there isn't much you can do to see what's being protected by SSL/TLS. (You'll get to see the initial handshake at least.)

If you have entire control on the client, you could write a fake server that would have a private key and certificate that you control, and that would relay everything sent by the client to the actual server. For this, you'd need to make the client trust your own certificate, hence you need control of the client. It might be easier to tweak the corresponding hosts file on the client to perform the DNS spoofing too, to make connections to the right host name go to your fake server instead.

Osteoclast answered 14/6, 2011 at 14:1 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.