
Is it possible to inspect incoming traffic to a web server with an EC certificate?

I want to inspect incoming API calls to an IIS web server hosting a REST API.

I am trying to troubleshoot a problem with incoming API calls which may be malformed, and there is no logging available from either side. I want to view incoming API calls from a specific remote client to see what is being sent.

My understanding is that there's no way to decrypt the traffic with just the private key.

Is there any way for me to accomplish this? I have full control of the server, and I can ask for information from the client, but I'm not sure what to ask for or how this would work.

wireremora
asked 2023-09-24 21:30:56 +0000

1 Answer

You are correct in your understanding that the private key will not help you decrypt the traffic when an EC certificate is used. This is because there will be a Diffie-Hellman key negotiation instead of an RSA key exchange.

The way to decrypt the traffic is to use the logging of session keys. This is generally done by setting the SSLKEYLOGFILE variable on the client side, if the client software supports this. Chrome, Firefox, Edge, curl, etc. all support this, but if your customer is using some library that does not support the logging of session keys, then the next thing would be to see if the server side supports it (and since you have control over the server side, this might be your first option instead of second). But IIS does not support the logging of keys yet AFAIK.

Another option would be to use a proxy that does the logging of the keys. One option for that would be mitmproxy, but then the client would need to add the root CA of mitmproxy to its keystore and enable the proxying of the request.

Yet another option is to add a reverse proxy on the server (your) side. You could even do the TLS termination there and forward traffic as HTTP to your IIS. Or have the proxy log the session keys.

So, there are options, but they all depend on the configuration options on the client and server side.

SYN-bit
answered 2023-09-25 08:18:36 +0000
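
Whichever side ends up writing the key log, it helps to confirm the file actually holds the secrets for the captured session before loading it into Wireshark, which looks secrets up by the client random from the ClientHello. The following is an added example, not part of the answer above; the function names are hypothetical and the sample log is constructed, not real key material.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format that SSLKEYLOGFILE-aware software writes.
TLS12 = {"CLIENT_RANDOM"}
TLS13 = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
         "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: set of labels}, [rejected line numbers])."""
    sessions, rejected = defaultdict(set), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        # A TLS 1.2 master secret is always 48 bytes (96 hex characters).
        if not m or (m.group(1) == "CLIENT_RANDOM" and len(m.group(3)) != 96):
            rejected.append(lineno)
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    return dict(sessions), rejected

def coverage(labels):
    """Say whether the logged labels are enough to decrypt a session."""
    if TLS12 <= labels:
        return "TLS 1.2: complete"
    if TLS13 <= labels:
        return "TLS 1.3: complete"
    if labels & TLS13:
        return "TLS 1.3: missing " + ", ".join(sorted(TLS13 - labels))
    return "no usable secrets"

def report(text):
    sessions, rejected = parse_keylog(text)
    return {cr: coverage(labels) for cr, labels in sessions.items()}, rejected

# Constructed sample: repeated hex bytes, not real key material.
R1, R2, R3 = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join(
    ["# constructed key log", f"CLIENT_RANDOM {R1} {'11' * 48}"]
    + [f"{label} {R2} {'22' * 32}" for label in sorted(TLS13)]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R3} {'33' * 32}", "CLIENT_RANDOM truncated"])

if __name__ == "__main__":
    for client_random, status in report(SAMPLE)[0].items():
        print(client_random[:16], status)
```

A key log file holds the secrets for every session it covers, so it should be stored and shared with the same care as the private key.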

Comments

Thanks for your help. The reverse proxy option sounds like the most reasonable option at this point; I'm going to give that a try.

wireremora (2023-09-25 16:57:05 +0000)

Perfect, if you have a load balancer in front of the IIS server (as a reverse proxy) they often can log TLS session keys too (if they terminate the incoming TLS session).

SYN-bit (2023-09-25 19:04:01 +0000)