We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating

From: "DePriest, Jason R." <[email protected]>
Date: Fri, 8 Feb 2008 20:52:02 +0000
On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> On Thu, Feb 07, 2008 at 11:40:12PM -0600, DePriest, Jason R. wrote:
> >
> > Has anyone had experience with Blue Coat's in general for this sort of
> > thing?  I can see the keyring that Blue Coat is configured to use and
> > the encrypted form of *a* key.  Even after putting it in a file and
> > converting it using openssl command-line tools into a form that
> > Wireshark should read, I get errors.
> Is this proxy a transparent proxy (client opens connection to
> the ip address of the website, but is redirected somehow to the
> proxy) or a full proxy (client opens connection to the proxy
> ip address).
> In case it is a full proxy, have you tried using the following
> in the ssl protocol settings?
> <ip-of-proxy>,<proxy-port>,http,<keyfile>
> Cheers,
>     Sake

For the SSL traffic, it gets a little weird.

1) Client initiates connection to remote server which passes through the proxy.
2) Proxy intercepts connection.
3) Proxy requests SSL cert from server and validates it.
4) Proxy creates a new cert using itself as CA and the company
information and such from the server SSL cert it inspected.
5) Proxy presents created cert to client as if it were from the original server.
6) Client accepts the cert because the proxy was previously configured
as a trusted CA.
7) Client uses cert to encrypt traffic and sends it off to the remote
server via the proxy.
8) Proxy intercepts connection.
9) Proxy decrypts traffic and analyzes it.
10) Proxy re-encrypts traffic using original server SSL cert.
11) Proxy sends connection to remote server as if it were the client.

It's the pseudo-cert from step 4 that I'm mystified over.

The documentation from Blue Coat isn't that great, nor is their knowledge base.