FAQ

How can I use Wireshark to decrypt SSL traffic terminated on the ProxySG?

FAQ ID:    FAQ936
Version:    3.0
Status:    Published
Published date:    08/02/2010
Updated:    11/24/2010
 

Answer

Decrypting SSL Traffic for Easy Viewing Using Wireshark

You would like to troubleshoot SSL issues (HTTPS traffic).

Support requests a packet capture of SSL traffic that terminates on the ProxySG (reverse proxy) / on a controlled SSL server.

Please note that this FAQ applies only to reverse proxy scenarios. In forward proxy, the proxy generates individual client keys which are not extractable.

Common example scenario:

An SSL reverse proxy is deployed, and at some stage in the troubleshooting process, a packet capture of the HTTPS traffic is required to view traffic flowing between the client and ProxySG or between the OCS and ProxySG.

In a reverse proxy scenario, the appropriate certificate and keys must be imported into the ProxySG in order to allow it to properly terminate SSL connections. Since the key is known to the ProxySG, it is possible to extract this key and use it in Wireshark to decrypt the SSL traffic for easier troubleshooting.

Note: You will be dealing with plaintext private keys. Please be very careful and delete these after use. If these plaintext keys get lost, change the certificates and keys on the ProxySG to avoid a security/integrity compromise. Sometimes handing these keys to Support may be required; in this case, place the keys in a password-protected ZIP file which you disclose only to Blue Coat Support personnel. Alternatively, please refer to FAQ944 for a method whereby disclosure of private keys is not necessary.

Extracting the Private Key from the ProxySG

In this example, we will extract the self-signed key from the ProxySG. If another certificate is used, substitute the appropriate entries.

1. Enter the ProxySG management console via CLI (ssh / console cable).

2. Enter enable mode (en).

3. (optional) Enter show ssl keyring to view a list of configured keyrings. Make a note of the keyring ID being used in the reverse proxy. (This can also be checked from the GUI under Proxy Services.)

4.       Enter the command show ssl keypair unencrypted selfsigned. Substitute the “selfsigned” keyword for your own keyring ID. The ProxySG will output the key in the form:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

5.       5. Copy and paste the key (including the BEGIN RSA and END RSA lines) in notepad and store in a safe place as a .pem file.

Capturing and Viewing the Traffic in Wireshark

1.     Capture the traffic of interest. In this example, the capture was done from the client accessing the site through the reverse proxy. In the screenshot below, note how all the traffic is encrypted, and Wireshark displays this as plain “TCP.”

2.       Select Edit > Preferences. Expand the Protocols option and find the SSL entry. Under RSA keys list type the following string: 10.91.25.10,443,http,C:\bc_self_private_key.pem where 10.91.25.10 is the IP address of the ProxySG as seen from the client, 443 is the port the client is using on the proxy, HTTP is the protocol you would like Wireshark to decrypt to, and the C:\bc_self_private_key.pem is the extracted proxy private key.

3.       Apply the above and you will note the traffic is now decrypted, as shown in the following screenshot (green packets):

The above can be applied to any encrypted stream as long as you have access to the private keys the server is using. Several guides exist on the Internet, for example the following link shows how to do the above for an IIS server. (Note: This is a third party link with no affiliation to Blue Coat. This is just an example of what can be found.)

http://htluo.blogspot.com/2009/01/decrypt-https-traffic-with-wireshark.html


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question