Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating
From: "DePriest, Jason R." <[email protected]>
Date: Fri, 8 Feb 2008 22:39:22 -0600
On Feb 8, 2008 5:20 PM, Sake Blok <> wrote:
> On Fri, Feb 08, 2008 at 08:52:02PM +0000, DePriest, Jason R. wrote:
> > On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> >
> > For the SSL traffic, it gets a little weird.
> Yep, ssl-terminating-proxies are a funny breed :-)
> I always wondered if there aren't any legal issues involved with
> deploying one. I guess there must be a good privacy policy within a
> company before using one since basically it is a man-in-the-middle-attack
> in a box :-)

The legal issues vary depending on what state you live in.  The Blue
Coat can be configured to display an "accept" message to the client
before intercepting traffic.

The company I work for is a stock broker so they are legally
*required* to keep a record of all data that goes out and comes in (to
detect / investigate insider trading and such).

> Also, it breaks sites using client-certificates...

Yeah, they get to visit their sites without content inspection, but it
still goes through the proxy.

> > It's the pseudo-cert from step 4 that I'm mystified over.
> Well, it all depends on how the Bluecoat builds the pseudo-cert. If
> it generates a new key for every new pseudo-cert, you're basically
> lost as they probably won't be kept on the box after the session is
> terminated.
> If the Bluecoat uses the same key for all pseudo certificates you
> still might be lost as the key might have a passphrase that is
> unknown to you. If you are able to get a cleartext key, then
> you should be able to decrypt some traffic with Wireshark.
> Just out of curiosity, doesn't the Bluecoat provide some way of
> creating capture files of the un-encrypted traffic before it's
> re-encrypted?

Yes, it does.  I have packet captures from the proxy server and from a
client system.  I need to see what the client is actually sending and
compare it with the proxy.  There is a site that doesn't resolve to an
IP and uses a weird port (7006) in the middle of the transaction and
I'd really like a better idea of what the client is sending.

I need to compare what the client sends to what the Blue Coat receives
and sends.

It may be moot now.  Since the target site that is giving us fits is
run by the federal government, we might be able to avoid the need for
content inspection.  But that's a manager call, not a tech call.

> Cheers,
>     Sake
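
Added example (not part of the original thread): a check of whether an exported PEM private key is cleartext or passphrase-protected, the distinction Sake draws above before a key can be used for decryption in Wireshark. The function name and the sample key file are constructed for illustration; the key bodies are placeholder base64, not real keys.

```python
import re

# Matches any PEM private-key block; group 1 is the label, group 2 the body.
_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\n(.*?)-----END \1-----",
    re.DOTALL,
)

def classify_private_keys(pem_text):
    """Return one (label, state, detail) tuple per private-key block."""
    results = []
    for label, body in _BLOCK.findall(pem_text.replace("\r\n", "\n")):
        # Traditional OpenSSL keys carry "Name: value" headers before the
        # base64 body; base64 itself never contains a colon.
        headers = {}
        for line in body.splitlines():
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: encryption is inside the DER.
            results.append((label, "passphrase-protected", "PKCS#8"))
        elif "ENCRYPTED" in headers.get("Proc-Type", ""):
            cipher = headers.get("DEK-Info", "unknown").split(",")[0]
            results.append((label, "passphrase-protected", cipher))
        else:
            results.append((label, "cleartext", ""))
    return results

# Constructed sample input: three key blocks with placeholder bodies.
SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, state, detail in classify_private_keys(SAMPLE):
        print(f"{label}: {state} {detail}".rstrip())
```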