
Is it possible to inspect incoming traffic to a web server with an EC certificate?

asked 2023-09-24 21:30:56 +0000

wireremora

I want to inspect incoming API calls to an IIS web server hosting a REST API.

I am trying to troubleshoot a problem with incoming API calls which may be malformed, and there is no logging available from either side. I want to view incoming API calls from a specific remote client to see what is being sent.

My understanding is that there's no way to decrypt the traffic with just the private key.

Is there any way for me to accomplish this? I have full control of the server, and I can ask for information from the client, but I'm not sure what to ask for or how this would work.


1 Answer


answered 2023-09-25 08:18:36 +0000

SYN-bit

You are correct in your understanding that the private key will not help you decrypt the traffic when an EC certificate is used. This is because there will be a Diffie-Hellman key negotiation instead of an RSA key exchange.

The way to decrypt the traffic is to use the logging of session keys. This is generally done by setting the SSLKEYLOGFILE variable on the client side, if the client software supports this. Chrome, Firefox, Edge, curl, etc. all support this, but if your customer is using some library that does not support the logging of session keys, then the next thing would be to see if the server side supports it (and since you have control over the server side, this might be your first option instead of second). But IIS does not support the logging of keys yet AFAIK.

Another option would be to use a proxy that does the logging of the keys. One option for that would be mitmproxy, but then the client would need to add the RootCA of mitmproxy in its keystore and enable the proxying of the request.

Yet another option is to add a reverse proxy on the server (your) side. You could even do the TLS termination there and forward traffic as HTTP to your IIS. Or have the proxy log the session keys.

So, there are options, but they all depend on the configuration options on the client and server side.


Comments

Thanks for your help. The reverse proxy option sounds like the most reasonable option at this point; I'm going to give that a try.

wireremora ( 2023-09-25 16:57:05 +0000 )

Perfect, if you have a load balancer in front of the IIS server (as a reverse proxy) they often can log TLS session keys too (if they terminate the incoming TLS session).

SYN-bit ( 2023-09-25 19:04:01 +0000 )


Last updated: Sep 25 '23