This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decode the inner https nested in the outer https?

I sent an https request over another https, which is from the client to the web proxy, to the original web server. Here, the inner https is the payload of the outer https.

I have decoded the outer https, and the CONNECT request is decoded as plain text. But the inner https application data is encrypted by the web server.

I tried "export PDU to files ...", then reopened the file, but no luck.

So, is it possible to decrypt the inner https in the outer https with Wireshark? I used Wireshark 1.12. I have the private keys of the web proxy and the web server, so I can decrypt the https from client to proxy, and https from client to web server.

Or any other suggestion to decrypt the inner https?

Thanks

asked 09 Jan '16, 04:55

helloworld2012

edited 09 Jan '16, 04:59

Can you try Wireshark 2.0? Perhaps the issue of SSL proxied over HTTPS is already fixed in there (never tried it though).

(09 Jan '16, 12:45) Lekensteyn

Tried with 2.0.1. No luck. :-(

(22 Jan '16, 02:12) helloworld2012

One Answer:

> I sent https request over another https, which is from the client to the web proxy,

Traffic from client to web proxy is not encrypted; it's plain HTTP using the CONNECT method, so I wonder how you have HTTPS over HTTPS. Can you please post a sample capture file?

Your web proxy might 'intercept' SSL/TLS, meaning it terminates the TLS session of the client and it opens a second TLS session to the server to be able to scan the content. Is that the case?

Regards
Kurt

answered 09 Jan '16, 05:11

Kurt Knochner ♦

Actually, the client connects to the proxy with SSL, so the CONNECT request is also encrypted by the outer SSL. You may check my attachments: one is for SSL over http, then over SSL; the other is for the CONNECT request and inner https nested in outer https, since these contents are in one decoded SSL stream window.

The proxy only terminates the outer SSL; the inner https is encrypted by the web server, so the proxy cannot intercept.

Actually, I want to decode the inner https, just to double confirm the inner https nested in outer https, and so on :-) But from all kinds of clues, it seems to be true so far.

I want to decode the application data in the second snapshot.

[image] [image]

Thanks

(09 Jan '16, 05:49) helloworld2012

O.K. that looks strange. May I have the pcap file for further analysis?

(09 Jan '16, 11:44) Kurt Knochner ♦

Sorry for the late reply. Sure. Any email address or something else to upload to you?

(22 Jan '16, 02:19) helloworld2012
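
Added example (not part of the original thread, and not Wireshark code): one way to confirm the nesting described above without decrypting the inner session is to check that the bytes following the CONNECT headers in the decrypted outer stream frame as TLS records. It assumes the client-to-proxy direction of the decrypted outer stream has been saved as raw bytes; the function names and the sample stream are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_LEN = 2**14 + 2048  # largest TLS 1.2 ciphertext record body

def split_http_head(stream):
    """Split one direction of the decrypted outer stream into the HTTP
    header block and the tunnelled bytes that follow it."""
    head, sep, tunnel = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    return head.decode("latin-1"), tunnel

def walk_tls_records(data):
    """Return (type, version, length) per record; raise ValueError if the
    bytes do not frame cleanly as TLS records."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_LEN:
            raise ValueError(f"not a TLS record at offset {off}")
        if off + 5 + length > len(data):
            raise ValueError(f"truncated record body at offset {off}")
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        off += 5 + length
    return records

def check_nested_tls(stream):
    """Require a CONNECT request, then list the inner TLS records."""
    head, tunnel = split_http_head(stream)
    request_line = head.split("\r\n", 1)[0]
    if not request_line.startswith("CONNECT "):
        raise ValueError("first request is not CONNECT")
    return request_line, walk_tls_records(tunnel)

# Constructed sample: record bodies are zero-filled placeholders, only the
# 5-byte record headers are meaningful.
def _rec(ctype, body):
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body

SAMPLE = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
          b"Host: www.example.com:443\r\n\r\n"
          + _rec(22, bytes(41)) + _rec(20, b"\x01")
          + _rec(22, bytes(40)) + _rec(23, bytes(64)))

if __name__ == "__main__":
    print(check_nested_tls(SAMPLE))
```

A first record of type handshake followed later by application_data records indicates an inner TLS session; a ValueError means the tunnelled bytes are something else, such as plain HTTP.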