You are correct in your understanding that the private key will not help you decrypt the traffic when an EC certificate is used. This is because there will be a Diffie-Hellman key negotiation instead of an RSA key exchange.
The way to decrypt the traffic is to use the logging of session keys. This is generally done by setting the SSLKEYLOGFILE variable on the client side, if the client software does support this. Chrome, Firefox, Edge, curl, etc. all support this, but if your customer is using some library that does not support the logging of session keys, then the next thing would be to see if the server side supports it (and since you have control over the server side, this might be your first option instead of second). But IIS does not support the logging of keys yet AFAIK.
Another option would be to use a proxy that does the logging of the keys. One option for that would be mitmproxy, but then the client would need to add the root CA of mitmproxy to its keystore and enable the proxying of the request.
Yet another option is to add a reverse proxy on the server (your) side. You could even do the TLS termination there and forward traffic as HTTP to your IIS. Or have the proxy log the session keys.
So, there are options, but they all depend on the configuration options on the client and server side.
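Whichever side ends up writing the key log, the file it produces is in the NSS key log format that Wireshark/tshark read via the `tls.keylog_file` preference. The following is an added example, not code from the answer above: it parses such a file, validates the entries, and reports which of the client randoms seen in a capture (taken from the ClientHello messages) can actually be decrypted. The sample key log and the client randoms are constructed for the example; the helper names are my own.

```python
"""Check an SSLKEYLOGFILE (NSS key log format) against the sessions in a capture.

Typical use on the client side, then decrypt with tshark:
    SSLKEYLOGFILE=/tmp/keys.log curl https://example.test/
    tshark -r capture.pcap -o tls.keylog_file:/tmp/keys.log -Y http
This module only handles the key log file; the capture itself is not parsed here.
"""
import re
from collections import defaultdict

# TLS 1.3 sessions are logged as several per-session secrets (RFC 8446 key
# schedule); a TLS 1.2 session is a single CLIENT_RANDOM line with the master secret.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_HS_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
KNOWN_LABELS = (
    {"CLIENT_RANDOM", "EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
    | TLS13_APP_LABELS
    | TLS13_HS_LABELS
)

# <label> <32-byte client random, hex> <secret, hex>
ENTRY_RE = re.compile(r"^([A-Z0-9_]+)\s+([0-9A-Fa-f]{64})\s+([0-9A-Fa-f]+)$")


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}; raise on malformed lines."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not an NSS key log entry: {raw!r}")
        label, client_random, secret_hex = match.groups()
        if label not in KNOWN_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label}")
        secret = bytes.fromhex(secret_hex)
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            # The TLS 1.2 master secret is always 48 bytes.
            raise ValueError(f"line {lineno}: master secret must be 48 bytes")
        if label != "CLIENT_RANDOM" and len(secret) not in (32, 48):
            # TLS 1.3 secrets are HKDF output: SHA-256 (32) or SHA-384 (48) length.
            raise ValueError(f"line {lineno}: unexpected secret length {len(secret)}")
        sessions[client_random.lower()][label] = secret
    return dict(sessions)


def decryptable_version(sessions, client_random):
    """Which version's application data can be decrypted for this session, or None.

    A TLS 1.3 session whose log stopped after the handshake secrets (e.g. the
    client died mid-handshake) cannot have its application data decrypted.
    """
    labels = set(sessions.get(client_random.lower(), {}))
    if "CLIENT_RANDOM" in labels:
        return "TLS 1.2"
    if TLS13_APP_LABELS <= labels:
        return "TLS 1.3"
    return None


def coverage_report(keylog_text, client_randoms):
    """Map each client random seen in a capture to the version it can be decrypted as."""
    sessions = parse_keylog(keylog_text)
    return {cr.lower(): decryptable_version(sessions, cr) for cr in client_randoms}


# Constructed sample data (hex patterns, not real secrets or a real capture).
CR_TLS12 = "11" * 32   # logged as a TLS 1.2 master secret
CR_TLS13 = "22" * 32   # logged with the full TLS 1.3 secret set
CR_PARTIAL = "33" * 32  # only a handshake secret was logged
CR_UNSEEN = "44" * 32   # appears in the capture but not in the key log
SAMPLE_KEYLOG = f"""# constructed sample key log
CLIENT_RANDOM {CR_TLS12} {"aa" * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {"bb" * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {"cc" * 32}
CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {"dd" * 32}
SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {"ee" * 32}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_PARTIAL} {"ff" * 32}
"""

if __name__ == "__main__":
    for cr, version in coverage_report(
        SAMPLE_KEYLOG, [CR_TLS12, CR_TLS13, CR_PARTIAL, CR_UNSEEN]
    ).items():
        print(cr[:8], version or "NOT decryptable")
```

Running the report against the client randoms extracted from a capture is a quick way to tell whether a failed decryption is a key log problem (session missing or incomplete) rather than a Wireshark configuration problem.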