how to debug an ssl connection?

web-services debugging ssl https sniffing
22,375

Solution 1

See this: Debugging SSL communications.

I know theoretically it can be done - you can setup a proxy that communicates with the target web-service, point your application to connect via this proxy. Its a known limitation - Https assumes you trust all proxy and certificates installed on your machine. Its a form of Man-in-the-middle attack.

See if Fiddler would be of some use.

Man-in-the-middle attacks

In a man-in-the-middle attack, the attacker intercepts user traffic to capture credentials and other relevant information. The attacker then uses this information to access the actual destination network. During the process, the attacker typically serves as a proxy/gateway that presents a false SSL VPN site to the user; this proxy/gateway passes whatever authentication the user enters on to the real destination site.

Solution 2

do you have python installed?

pip install mitmproxy

mitmproxy -p 1234

even a video for you

(by the way, i had to apt-get install python-lxml on debian squeeze after an apt-get update)

Solution 3

Burp Suite (even Free Edition) allows you to set a SSL "proxy", it will present a different certificate to your application and it will decrypt (and display) the traffic for you. And if you want to test with the server in localhost too it allow you to set the proxy too (something I have been unable to do with Wireshark in Windows, and Fiddler).

Share:
22,375
Hayri Uğur Koltuk
Author by

Hayri Uğur Koltuk

software engineer

Updated on July 21, 2022

Comments

  • Hayri Uğur Koltuk
    Hayri Uğur Koltuk almost 2 years

    I have a client application that connects to a web service over https. I need to "sniff" all the network traffic between web service and my client to check if everything is okay, i.e, i have to debug the connection.

    I have tried Wireshark but since I do not have server private key, data shown on wireshark screen is, of course, encrypted.

    Is there a way to observe ssl network traffic between my client and web service when I do not have access to server itself and therefore private keys and other related stuff?

    Thanks in advance.

  • Bruno
    Bruno almost 13 years
    An HTTP proxy will not be able to let you see the HTTPS traffic it's used for: it relays everything to the target server directly. (You can see the address and port of the server, though.)
  • YetAnotherUser
    YetAnotherUser almost 13 years
    @Bruno, a regular HTTP proxy won't but you can have a proxy that does that. There are corporate monitoring tools that just do that. It relies on adding a reliable certificate on your machine and proxy cloaking all communication with HTTPS server.
  • Bruno
    Bruno almost 13 years
    no, you don't have to trust the HTTP proxy for the HTTPS connection to be secure, only the CA certificates on your machine. An HTTP proxy does not intercept or alter an HTTPS connection, it barely forwards it, entire SSL/TLS exchange included (see HTTP CONNECT method).
  • Bruno
    Bruno almost 13 years
    Sorry, I hadn't seen your response in my previous comment. Yes, there are specific types of proxy servers that will do that, provided the client machines have their CA certificate stores configured to accept the official MITM indeed.
  • EricLaw
    EricLaw almost 13 years
    This is exactly what Fiddler does.
  • Stan Quinn
    Stan Quinn over 7 years
    I used to use Web Scarab for this..it's part of the OWASP project. owasp.org/index.php/Category:OWASP_WebScarab_Project

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to test https rest webservice in postman
Tibco SOAP request over https - SSL certificate verification problem
JAVA - SSL - Client Certifcates
https URL hostname not matching Common Name (CN) despite setting 'disableCNCheck' to true
javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
Are there any HTTP/HTTPS interception tools like Fiddler for mac OS X?
Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)
IIS HTTP to HTTPS relative redirect
iOS HTTPS requests 101
Get rid of SSL verification in Cordova in app browser