LinuxQuestions.org
Old 01-13-2012, 07:17 AM   #1
doron
LQ Newbie
 
Registered: Jan 2012
Posts: 5

Trying to decipher HTTPS traffic using Squid's SSL-BUMP


Hello all!

There is a web app I'm trying to sniff the connection to programmatically.
While searching for how I can decrypt the traffic, I came across squid's ssl-bump feature.
What I'm trying to do eventually is something very similar to Fiddler, but using squid.

After generating the CERT and KEY using the guide here:

web address:
wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it

Everything worked superbly and I even managed to see the POST & GET requests in squid's log entries.

Example:
Code:
1326447584.967      5 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image? - DIRECT/209.67.132.46 -
1326447589.037     28 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image?- DIRECT/209.67.132.46 -
1326447599.816      5 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image? - DIRECT/209.67.132.46 -
1326447605.479     15 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image? - DIRECT/209.67.132.46 -
Yet, I haven't managed to decipher the same rows through Wireshark.

This is the line I used in: edit->preferences->protocols->ssl->rsa_key_list:
<some WAN IP>,8080,http,/home/doron/Desktop/cert3/testkey.pem

My key starts with:
"-----BEGIN RSA PRIVATE KEY-----"

So from my knowledge, it should be in the correct format wireshark can decipher.

I hope some of you could please shed some light on this matter.
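To make the native-format squid log quoted above easier to work with, here is an added example (my own code, not from the thread or from Squid) that parses those lines and summarizes bumped HTTPS requests per host; the sample input is the four lines from the post, the second of which is malformed exactly as quoted.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Squid native access.log layout, one request per line:
#   time.ms elapsed_ms client RESULT/status bytes METHOD url ident HIER/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: the four lines quoted in the post above. The second one lost the
# space before "DIRECT" and so has only nine fields; the parser rejects it.
SAMPLE_LOG = """\
1326447584.967      5 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image? - DIRECT/209.67.132.46 -
1326447589.037     28 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image?- DIRECT/209.67.132.46 -
1326447599.816      5 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image? - DIRECT/209.67.132.46 -
1326447605.479     15 84.94.181.22 TCP_MISS/000 0 GET https://re.clintonfoundation.org/view.image? - DIRECT/209.67.132.46 -
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    for key in ("ms", "status", "bytes"):
        rec[key] = int(rec[key])
    rec["host"] = urlsplit(rec["url"]).hostname
    # Bumped requests are logged with their full https:// URL; an unbumped tunnel shows only "CONNECT host:443".
    rec["bumped"] = rec["method"] != "CONNECT" and rec["url"].startswith("https://")
    return rec

def summarize(text):
    """Count bumped HTTPS requests per host and flag replies with no HTTP status."""
    hosts, incomplete, malformed = Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["bumped"]:
            hosts[rec["host"]] += 1
        if rec["status"] == 0 and rec["bytes"] == 0:  # "/000": squid logged no reply status
            incomplete.append(rec["when"].isoformat())
    return {"per_host": dict(hosts), "incomplete": incomplete, "malformed": malformed}
```

Separately from the log, note that Wireshark's RSA key list can only decrypt sessions whose cipher suite uses static RSA key exchange; if the browser and the proxy negotiate a DHE or ECDHE suite, the proxy's private key does not recover the session keys no matter how the key-list entry is written.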
 
Old 01-15-2012, 03:41 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

After reading the guide, I'm guessing that the certificate you created is not the same certificate used on the web app. I believe this will only work if you have the private key of the server.
 
Old 01-16-2012, 10:11 AM   #3
doron
LQ Newbie
 
Registered: Jan 2012
Posts: 5

Original Poster
Quote:
Originally Posted by kbp View Post
After reading the guide, I'm guessing that the certificate you created is not the same certificate used on the web app. I believe this will only work if you have the private key of the server.
From what I understand, the traffic between the client (which is me) and the proxy server uses the CERT I created.
Even the browser warns me for that reason.
The other session, between the proxy and the WEBAPP, is another whole session that I don't have the key for and therefore shouldn't be able to use.

Why then can't I decipher the traffic between me and the PROXY?
 
Old 01-16-2012, 03:16 PM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

So you have squid configured to perform man-in-the-middle for SSL connections?
 
Old 01-16-2012, 03:21 PM   #5
doron
LQ Newbie
 
Registered: Jan 2012
Posts: 5

Original Poster
Quote:
Originally Posted by kbp View Post
So you have squid configured to perform man-in-the-middle for SSL connections?
Yap, and I've done this using this guide:
wiki.squid-cache.org/Features/SslBump
 
Old 01-16-2012, 03:26 PM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

So is the key /home/doron/Desktop/cert3/testkey.pem the one used on the squid box?
 
Old 01-16-2012, 03:28 PM   #7
doron
LQ Newbie
 
Registered: Jan 2012
Posts: 5

Original Poster
Yap, exactly.
 
Old 01-16-2012, 03:48 PM   #8
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

maybe you need to change <wan ip> to <squid ip> .. ?
 
Old 01-16-2012, 04:12 PM   #9
doron
LQ Newbie
 
Registered: Jan 2012
Posts: 5

Original Poster
Quote:
Originally Posted by kbp View Post
maybe you need to change <wan ip> to <squid ip> .. ?
This is the squid's IP.
All times are GMT -5.