how to debug an ssl connection?
Solution 1
See this: Debugging SSL communications.
I know theoretically it can be done - you can setup a proxy that communicates with the target web-service, point your application to connect via this proxy. Its a known limitation - Https assumes you trust all proxy and certificates installed on your machine. Its a form of Man-in-the-middle attack.
See if Fiddler would be of some use.
In a man-in-the-middle attack, the attacker intercepts user traffic to capture credentials and other relevant information. The attacker then uses this information to access the actual destination network. During the process, the attacker typically serves as a proxy/gateway that presents a false SSL VPN site to the user; this proxy/gateway passes whatever authentication the user enters on to the real destination site.
Solution 2
do you have python installed?
pip install mitmproxy
mitmproxy -p 1234
even a video for you
(by the way, i had to apt-get install python-lxml on debian squeeze after an apt-get update)
Solution 3
Burp Suite (even Free Edition) allows you to set a SSL "proxy", it will present a different certificate to your application and it will decrypt (and display) the traffic for you. And if you want to test with the server in localhost too it allow you to set the proxy too (something I have been unable to do with Wireshark in Windows, and Fiddler).
Comments
-
Hayri Uğur Koltuk almost 2 years
I have a client application that connects to a web service over https. I need to "sniff" all the network traffic between web service and my client to check if everything is okay, i.e, i have to debug the connection.
I have tried Wireshark but since I do not have server private key, data shown on wireshark screen is, of course, encrypted.
Is there a way to observe ssl network traffic between my client and web service when I do not have access to server itself and therefore private keys and other related stuff?
Thanks in advance.
-
Bruno almost 13 yearsAn HTTP proxy will not be able to let you see the HTTPS traffic it's used for: it relays everything to the target server directly. (You can see the address and port of the server, though.)
-
YetAnotherUser almost 13 years@Bruno, a regular HTTP proxy won't but you can have a proxy that does that. There are corporate monitoring tools that just do that. It relies on adding a reliable certificate on your machine and proxy cloaking all communication with HTTPS server.
-
Bruno almost 13 yearsno, you don't have to trust the HTTP proxy for the HTTPS connection to be secure, only the CA certificates on your machine. An HTTP proxy does not intercept or alter an HTTPS connection, it barely forwards it, entire SSL/TLS exchange included (see HTTP
CONNECT
method). -
Bruno almost 13 yearsSorry, I hadn't seen your response in my previous comment. Yes, there are specific types of proxy servers that will do that, provided the client machines have their CA certificate stores configured to accept the official MITM indeed.
-
EricLaw almost 13 yearsThis is exactly what Fiddler does.
-
Stan Quinn over 7 yearsI used to use Web Scarab for this..it's part of the OWASP project. owasp.org/index.php/Category:OWASP_WebScarab_Project