While integrating or troubleshooting Web applications using HTTPS, it is sometimes necessary to have a view of the decrypted HTTP traffic. On the browser side, using a browser extension like Tamper Data in Firefox or ieHTTPheaders in Internet Explorer is the easiest and most efficient way to see cookies, HTTP headers, user agents, location redirects etc. But if the application uses a rich client, or to analyse the back-end communication between Airlock and the back-end server, the way to go is using Wireshark to decrypt the HTTPS data stream.
Wireshark is able to decrypt SSL traffic, if the private key of an endpoint is given.
To analyze HTTPS traffic, you simply need to record a network connection established with the full SSL handshake. A full handshake is detectable by the certificate exchange. On such a trace file, the private key can be added even later on, to decrypt the traffic. The private key file has to be available in PEM format. This is the same format which is used in the Airlock Configuration Center.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
If the key is not in RSA pem format, e.g:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Use the following command to convert it:
# openssl rsa -in airlockpk_notRSA.pem -out airlockpk.pem
In Edit - Preferences -Protocols - SSL - RSA Key list: Edit
Add a new profile to decrypt the traffic. IP and port matches the endpoint of the TCP connection (server ip, server port). In case of HTTPS the protocol would be http (not https!). Configure the path to the private key and if protected with an password, that one too (see screenshot). e.g.:
IP address: 172.18.1.221
Key File: c:\cert\airlockpk.pem
In Edit - Preferences - Protocols - SSL the following fields must be configured (see screenshot):
RSA keys list: 172.18.1.221,443,http,c:\cert\airlockpk.pem
The IP/port association has to match the TCP connection which fullfills the SSL full handshake.
Subsequent connections using SSL session resumes for the recorded initial handshake will be decrypted as well.
Ciphers that provide Perfect Forward Secrecy (PFS) cannot be decrypted because the key exchange cannot be traced and reconstructed for an external communication partner. These are all ciphers using Diffie Hellmann.
If Wireshark was able to decrypt content, you will find the following message in the SSL log file:
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17
If Wireshark was NOT able to decrypt content, you will find following message in the SSL log file:
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x39
If you turn off Diffie-Hellman cipher suites in the server's configuration file, you can force the communication partners to negotiate another protocol, excluding Diffie-Hellman, so that Wireshark will be able to decrypt the data stream. In Apache you have to add !DH at the end of the SSLCipherSuite, for instance:
For more details on the default cipher suites used in Airlock, please refer to this article.
Use "Apache Expert Settings" to adjust the cipher suites. To do that, open the corresponding virtual host in the Configuration Center and go to the "Expert Settings" tab. Then, add the new SSLCipherSuite string to the "httpd.conf" field and activate the new configuration.
Follow the steps in this article.
To disable Diffie Hellmann in Microsoft IIS to the following:
Alternatively to step 2 and 3, just download this registry file from Techzone and double click it on the designated Windows system.
Further information about Microsoft's Schannel are available under the following website: