WireShark and HTTPS

So you’ve locked down your BizTalk web services with SSL and would like to do some tracing.  You’ll need two tools: WireShark and OpenSSL.  OpenSSL will convert your binary PKCS12 private key into a text PEM key file, which is the form WireShark requires.

Assuming your web site is already locked down with a certificate and the bindings are set up, first export your certificate in PKCS12 form.

Export the certificates by running mmc.exe and adding the certificates snap-in.

Export the certificate.  It’s the certificate that your web site is bound to.

Be sure to export the private key.  This is what WireShark needs to decrypt the SSL packets.

Enter a password.

Now that we’ve exported the PKCS12 certificate, we need to extract the private key from it and convert it to PEM.  This is easy with OpenSSL; run the following from the command line.  The first command will prompt you for the password you set on the exported PKCS12 pfx file.

c:\OpenSSL-Win32\bin> openssl pkcs12 -in Cert.pfx -out PrivateKey.pem -nocerts -nodes

c:\OpenSSL-Win32\bin> openssl rsa -in PrivateKey.pem -out out.pem

We can now use out.pem from WireShark to decrypt SSL.
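As an added example (not the original post’s commands), the POSIX shell script below wraps the two OpenSSL conversions and adds the check a practitioner wants before pointing WireShark at the key: that the extracted key really belongs to the certificate the site is bound to.  It assumes the openssl CLI is on PATH and builds its own throwaway PFX as constructed demo input standing in for the mmc.exe export.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the two OpenSSL
# conversions and checks the extracted key belongs to the exported cert.
# Assumes the openssl CLI is on PATH; file names are constructed for the demo.
set -eu

# Step 1 of the post: pull the private key out of the PKCS#12 export,
# unencrypted (-nodes) and without the certificate (-nocerts).
# $2 is the password given when the .pfx was exported.
extract_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out PrivateKey.pem
    # Step 2 of the post: re-encode as a plain key. This also drops the
    # "Bag Attributes" header so out.pem holds only the PEM block.
    openssl rsa -in PrivateKey.pem -out out.pem 2>/dev/null
}

# Also pull the server certificate from the same export (not in the post),
# so the key can be checked against it before pointing WireShark at it.
extract_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out ServerCert.pem
}

# Prints "match" when the key's RSA modulus equals the certificate's, i.e.
# it really is the key the HTTPS binding uses; "mismatch" otherwise.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Constructed demo input: a throwaway self-signed RSA cert packed into a .pfx,
# standing in for the mmc.exe export, so the script runs offline.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout demo.key -out demo.crt \
        -subj "/CN=biztalk.example" -days 1 2>/dev/null
    openssl pkcs12 -export -inkey demo.key -in demo.crt -passout "pass:$1" -out "$2"
}

# Usage: sh convert.sh Cert.pfx <export password>
if [ "$#" -ge 2 ]; then
    extract_key "$1" "$2"
    extract_cert "$1" "$2"
    echo "out.pem vs certificate: $(key_matches_cert out.pem ServerCert.pem)"
fi
```

One caveat the post does not mention: decrypting with the server’s private key only works for sessions negotiated with RSA key exchange; cipher suites using (EC)DHE forward secrecy cannot be decrypted from out.pem alone, so the capture will stay opaque if the server prefers those suites.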

Open WireShark, go to the Edit menu and select the Preferences menu item.

Expand Protocols and select SSL.

Select the Edit button, click the New button and enter your details.  The IP address should be the IP of your web server, the port should be the port your HTTPS site listens on (443 by default), the protocol should be lowercase http, and the Key File is the out.pem created above.

Now you’re ready to start capturing SSL.  Put a filter on your capture for http as below.  You can then right-click the decrypted HTTPS traffic, choose Follow TCP Stream or Follow SSL Stream, and view the HTTP messages in clear text.

This entry was posted in BizTalk Server, Technology, Tools.