I sent an HTTPS request over another HTTPS connection, which goes from the client to the web proxy, to the original web server. Here, the inner HTTPS is the payload of the outer HTTPS. I have decoded the outer HTTPS, and the CONNECT request is decoded as plain text, but the inner HTTPS application data is encrypted by the web server. I tried "export PDU to files ...", then reopened the file, but no luck.

So, is it possible to decrypt the inner HTTPS in the outer HTTPS with Wireshark? I used Wireshark 1.12. I have the private keys of the web proxy and the web server, so I can decrypt the HTTPS from client to proxy, and the HTTPS from client to web server. Or is there any other suggestion to decrypt the inner HTTPS?

Thanks

asked 09 Jan '16, 04:55 helloworld2012 (edited 09 Jan '16, 04:59)

One Answer:
Traffic from client to web proxy is not encrypted; it's plain HTTP using the CONNECT method, so I wonder how you have HTTPS over HTTPS. Can you please post a sample capture file?

Your web proxy might 'intercept' SSL/TLS, meaning it terminates the TLS session of the client and it opens a second TLS session to the server to be able to scan the content. Is that the case?

Regards

answered 09 Jan '16, 05:11 Kurt Knochner ♦

Actually, the client connects to the proxy with SSL, so the CONNECT request is also encrypted by the outer SSL. You may check my attachments: one is for SSL over HTTP, then over SSL; the other is for the CONNECT request and inner HTTPS nested in outer HTTPS, since this content is in one decoded SSL stream window. The proxy only terminates the outer SSL; the inner HTTPS is encrypted by the web server, so the proxy cannot intercept. Actually, I want to decode the inner HTTPS, just to double confirm the inner HTTPS nested in outer HTTPS, and so on :-) but from all kinds of clues, it seems to be true so far. I want to decode the application data in the second snapshot.
Thanks (09 Jan '16, 05:49) helloworld2012

O.K. that looks strange. May I have the pcap file for further analysis? (09 Jan '16, 11:44) Kurt Knochner ♦

Sorry for the late reply. Sure. Any email address or something else to upload to you? (22 Jan '16, 02:19) helloworld2012

Can you try Wireshark 2.0? Perhaps the issue of SSL proxied over HTTPS is already fixed in there (never tried it though).

Tried with 2.0.1. No luck. :-(
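
Added example, not part of the thread and not Wireshark code: one way to confirm the nesting described in the question without decrypting the inner session is to take the decrypted outer stream (client-to-proxy direction, saved as raw bytes from the decoded SSL stream window), split off the CONNECT request, and walk the TLS record headers that follow it. The function names, the sample host `www.example.com` and the sample bytes are assumptions constructed for illustration.

```python
import struct

# TLS record content types (the first byte of every TLS record header).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS ciphertext record

def parse_tls_records(data):
    """Walk 5-byte TLS record headers; return (records, unparsed_tail)."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            break  # not a plausible TLS record header
        if pos + 5 + length > len(data):
            break  # record is truncated in this capture
        records.append((CONTENT_TYPES[ctype], f"{major}.{minor}", length))
        pos += 5 + length
    return records, data[pos:]

def split_connect_tunnel(client_stream):
    """Split decrypted client-to-proxy bytes into CONNECT target + inner records."""
    head, sep, rest = client_stream.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if not sep or len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("stream does not start with a complete CONNECT request")
    records, tail = parse_tls_records(rest)
    return parts[1], records, tail

def _record(ctype, body):
    """Build one TLS 1.2-style record (constructed sample data only)."""
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body

# Constructed sample: a CONNECT request followed by three inner TLS records.
SAMPLE = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
          b"Host: www.example.com:443\r\n\r\n"
          + _record(22, b"\x01\x00\x00\x04" + b"\x00" * 4)  # handshake
          + _record(20, b"\x01")                             # change_cipher_spec
          + _record(23, bytes(range(32))))                   # opaque ciphertext

if __name__ == "__main__":
    target, records, tail = split_connect_tunnel(SAMPLE)
    print("CONNECT target:", target)
    for name, version, length in records:
        print(f"  inner record: {name:<18} version {version} length {length}")
    print("unparsed bytes:", len(tail))
```

A run of well-formed handshake, change_cipher_spec and application_data headers after the CONNECT request shows that a second TLS session is carried inside the outer one; the application_data bodies remain ciphertext of the inner session.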