Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating
From: Sake Blok <[email protected]>
Date: Sat, 9 Feb 2008 00:20:44 +0100
On Fri, Feb 08, 2008 at 08:52:02PM +0000, DePriest, Jason R. wrote:
> On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> 
> For the SSL traffic, it gets a little weird.

Yep, ssl-terminating-proxies are a funny breed :-)

I always wondered if there aren't any legal issues involved with
deploying one. I guess there must be a good privacy policy within a
company before using one since basically it is a man-in-the-middlei-attack
in a box :-)

Also, it breaks sites using client-certificates...


> It's the pseudo-cert from step 4 that I'm mystified over.

Well, it all depends on how the Bluecoat builds the pseudo-cert. If
it generates a new key for every new pseudo-cert, you're basically 
lost as they probably won't be kept on the box after the session is
terminated.

If the Bluecoat uses the same key for all pseudo certificates you 
still might be lost as the key might have a passphrase that is
unknown to you. If you are able to get a cleartext key, then
you should be able to decrypt some traffic with Wireshark.


Just out of curiosity, doesn't the Bluecoat provide some way of
creating capture files of the un-encrypted traffic before it's
re-encrypted?

Cheers,
    Sake