Decrypt TLS traffic captured using QuickTrace Local interfaces

  • Question

  • Hi All,

    My first shot at this (decryption). I wasn't able to use the 'Unencrypted HTTPS' option as I couldn't get traffic to flow through the proxy, but believe I got what I need in my capture using 'Local network interfaces' (?). I can see that the trace includes the handshake as mentioned here (http://blogs.technet.com/b/messageanalyzer/archive/2014/10/21/post-decryption-of-tls-ssl-traffic.aspx). I have a *.pfx added to the certificates option -> decryption. I chose to reopen my trace in order for the decryption to kick in, but it ... doesn't! 

    This can probably be due to a million reasons, but perhaps someone could give a few hints as to what to investigate? I opened the decryption window but it is all empty. The certificate is an obvious culprit, what can be said about this? The one I have is exported from the target server.

    Any ideas?

    F

    Monday, December 1, 2014 7:41 PM

Answers

  • Obvious answer to my question being - no (current) support. 

    Will re-think my approach and attack it some other way.

    Cheers,

    Fredrik

    • Marked as answer by fkenmo Tuesday, December 2, 2014 1:55 PM
    Tuesday, December 2, 2014 1:55 PM

All replies

  • Hi,

    Just a quick update. I have verified the certificate to ensure that the private key is included. All seems to be in order. Re-read the above article on the supported protocol/encryption combinations and got the details below from the Server Hello message:

    Name            Value                                       Type                 Bit Offset  Bit Length
    server_version  TLS 1.0                                     TLS.ProtocolVersion  72          16
    cipher_suite    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(49172)   IANA.CipherSuite     608         16

    The traffic I'm hoping to decrypt is http(s). So, I'm not doing something that isn't supposed to work, right?!

    Fredrik

    Tuesday, December 2, 2014 6:58 AM
  • Hi again, 

    I keep adding to the post in case someone feels the urge to jump in :) It seems I might have been onto something with the previous update regarding cipher-suites.

    I tried something different. I opened the trace from the New Session dialog after I had added the certificate to the Options -> Decryption dialog. 

    This produced an entry in the Decryption Window saying that the cipher-suite was not supported (below):

    Type                       Info
    TimeStamp                  2014-12-01 12:54:43
    ProtocolVersion            N/A
    SourcePort                 63498
    DestinationPort            443
    SourceAddress              UAG-server
    DestinationAddress         Webserver
    Decrypted Message Count    0
    Undecrypted Message Count  1
    Message                    The cipher suite is unsupported

    Did I misinterpret the table saying that TLS1.0 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(49172) is supported for http(s)?

    Cheers,

    Fredrik

    Tuesday, December 2, 2014 10:36 AM
  • One option is to control the Cipher Suites that the server presents, assuming this is a test environment.

    Did the failure to work with the HTTP proxy driver cause an issue with your application?  Do you think that configuring the proxy provider to add a cert might help?  Does it work at all with fiddler (which is the API we use)?

    Thanks,

    Paul

    Tuesday, December 2, 2014 3:21 PM
  • Hi Paul,

    I made a quick test with IISCrypto to try and control the ciphers used. I'm a little reluctant as it is more production than test :) but definitely worth considering. I used the tool on the client side hoping that it would force the server to downgrade to the common denominator if you will.

    Regarding the proxy provider. The client in this scenario is an old UAG Server (2010 SP3) and I'm capturing traffic to a back end server published through UAG. I wasn't able to force the traffic originating from the UAG to use the proxy using IE setting or the netsh equivalent. Perhaps I didn't get it right?

    The cipher suite (0xC014): is it more difficult to decrypt as it is using Diffie-Hellman, or is it only because there is currently no decoder?

    Cheers,

    Fredrik

    Tuesday, December 2, 2014 8:08 PM
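The ServerHello fields quoted earlier in the thread (server_version, cipher_suite) and the closing question about Diffie-Hellman come down to one check: whether the negotiated cipher suite lets a passive capture be decrypted with the server's private key at all. The script below is an added example, not code from the thread or from Message Analyzer. It constructs a minimal TLS 1.0 ServerHello record (zeroed server random, empty session ID, no extensions; layout per RFC 5246 section 7.4.1.3), parses the version and cipher suite back out, and classifies the suite by its key exchange. The cipher-suite table is a small hand-picked subset of the IANA registry, chosen so that 0xC014 from the page and a plain RSA suite are both covered; the helper and function names are this example's own. It also generalises beyond the single suite on the page by handling RSA, DHE and ECDHE suites.

```python
import struct

# Small hand-picked subset of the IANA TLS cipher-suite registry (constructed for
# this example); 0xC014 (49172) is the suite quoted in the thread.
CIPHER_SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_server_hello(cipher_suite, version=(3, 1)):
    """Construct a minimal ServerHello (record layer + handshake header + body).

    Sample data for the demonstration only: the 32-byte server random is zeroed,
    the session ID is empty and no extensions are present.
    """
    body = (bytes(version)                      # server_version
            + bytes(32)                         # random
            + b"\x00"                           # session_id length 0
            + struct.pack(">H", cipher_suite)   # cipher_suite
            + b"\x00")                          # compression_method: null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record):
    """Pull server_version and cipher_suite out of a ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x02:
        raise ValueError("not a ServerHello message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    version = (body[0], body[1])
    session_id_len = body[34]           # after 2 bytes version + 32 bytes random
    offset = 35 + session_id_len
    cipher_suite = struct.unpack(">H", body[offset:offset + 2])[0]
    return version, cipher_suite


def key_exchange_of(cipher_suite):
    """Return 'RSA', 'DHE', 'ECDHE' or None (suite not in the table above)."""
    name = CIPHER_SUITE_NAMES.get(cipher_suite)
    if name is None:
        return None
    if "ECDHE" in name:          # checked first: "ECDHE" also contains "DHE"
        return "ECDHE"
    if "DHE" in name:
        return "DHE"
    if name.startswith("TLS_RSA_"):
        return "RSA"
    return None


def assess(record):
    """Report whether a passive capture of this session could be decrypted with
    the server's private key alone.

    Only RSA key transport sends the premaster secret encrypted to the server's
    certificate key; (EC)DHE suites derive it from ephemeral values, so the static
    key signs the handshake but never reveals the session key (forward secrecy).
    """
    version, suite = parse_server_hello(record)
    kx = key_exchange_of(suite)
    return {
        "version": VERSION_NAMES.get(version, "unknown %r" % (version,)),
        "cipher_suite": suite,
        "name": CIPHER_SUITE_NAMES.get(suite, "unknown"),
        "key_exchange": kx,
        "static_key_decryptable": None if kx is None else kx == "RSA",
    }


if __name__ == "__main__":
    for suite in (0xC014, 0x002F, 0x1234):
        print(assess(build_server_hello(suite)))
```

Run as-is it prints one assessment per constructed ServerHello: the page's 0xC014 comes back as ECDHE and not decryptable with the server key, 0x002F (plain RSA key transport) as decryptable, and an unknown suite as undetermined. To apply the same check to a real capture, feed `assess()` the raw bytes of the ServerHello record taken from the trace instead of the constructed one.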