When using firefox I know that I can set the SSLKEYLOGFILE envvar,
and then provide the path to wireshark to decrypt the ssl traffic.
(https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format)
Is there a way to decrypt ssl traffic when requests are generated by apache httpclient?
Try running HttpClient with wire logging turned on as described here. This should be enough to see the exact composition of HTTP packets transferred over the wire.
Related
How SSL works is well know as it's quite widely used and described well every where. In short - SSL involves
Verifying server authenticity by client by verifying the servers X.509 certificate.
Then arriving at a symmetric key using diffie-hellman key exchange algorithm.
But I am not sure what happens withsecurity.protocol=SASL_SSL. Clients and Server communication of few technologies like Kafka etc rely on this security protocol as one of the option. Here I am worried about the point 1 above. If i get a wrong broker address (as a trick ) from some one, does SASL_SSL verify the server certificate or not is my question. If it does, then I can be sure that the received broker is not genuine and my application will not publish or subscribe to messages from this server and my data is safe.
Edit 1: Following #steffen-ullrich answer and comments And little more dig, i see below. Looks like the certificate validation is happening when used through chrome and probably its loaded in the cacerts too. So the java code is able to authenticate the server.. so seems ok..
Edit 2: Right the certificates DST and ISRG are preloaded in the JDK 11 cacerts, so the client is able to authenticate the server as commented by Stephen.
SASL is a standard for authentication of the client - see Simple Authentication and Security Layer. SASL_SSL simply means that the client authentication (SASL) is used over a protected connection (SSL) to prevent interception instead of over a plain connection.
What you are asking is related to another configuration please read the following description.
ssl.endpoint.identification.algorithm
The endpoint identification algorithm used by clients to validate server host name. The default value is https. Clients including client connections created by the broker for inter-broker communication verify that the broker host name matches the host name in the broker’s certificate. Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string.
Type: string
Default: https
Importance: medium
Since I am new to this SSL I am asking this question. I googled and got this below mentioned HTTPS server python script. May I please know if its one way SSL or Two way SSL? And also how do I take dump to see the communication between client and server?
My requirement is to have one way SSL.
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='path/to/localhost.pem', server_side=True)
httpd.serve_forever()
May I please know if its one way SSL or Two way SSL
This is one-way, i.e. the server is sending its certificate but not requesting a certificate from the client. The server could request a client certificate by adding cert_reqs=ssl.CERT_REQUIRED to the call of ssl_wrap.
And also how do I take dump to see the communication between client and server?
Use the packet capture tool of your choice and which is supported on your unknown platform. wireshark is a good choice and you will find plenty of documentation about how to use it.
In HTTPS (SSL) browser send the encrypted data which can be Decrypted by server only.
To confirm it, i did set up the burp proxy on my Firefox browser so that it intercepts the request sent to HTTPS server by browser .
When i receive it at burp, i see the data as entered by user though i was expecting browser must have encrypted that but did not.
So at what point of time browser encrypt data over HTTPS ?
Most pieces of software that do this (e.g. Anti-virus scanners) replace the https certificate with their own so the https traffic can be man-in-the-middled by the software.
While I'm not familiar with Burp, it looks like it does the same: https://portswigger.net/burp/help/proxy_using.html
So instead of
browser --(via https)--> server
Which only the server could read as only the server has the private key to decrypt the http so, it becomes:
browser --(via https)--> burp -- (via https)--> server
If you look at the https cert in your browser you'll probably notice it's been issued by Burp rather than being the real cert that the site shows when not using Burp.
This is the only real way of doing this, without majorly changing the browser to intercept it before the encryption happens, but can create its own problems: Should software really intercept traffic between you and your bank? What if that first connection can be compromised (see the Lenovo superfish incident for example). Many people (myself included) dislike MITM https services for this reason.
Sorry in advance for my not-perfect english.
I'm trying to capture the http/https traffic in real-time from a Java program.
Thanks to Jnetpcap library, I managed to do it quite easily but, for the https traffic, I don't manage to get just the headers of the packets, even if I ask to capture all the tcp packets without port filter. I don't understand how sofwares like Fiddler manage to do it, e.g. to have the domain name like facebook.com or google.com.
Is there a way to do it in Java ?
Thanks!
For HTTPS, Fiddler uses its own SSL certificate. So from both the client and server view the connection is secure. Fiddler is a Man-In-the-Middle (Proxy), able to decrypt incoming data from the client and then encrypting it for the server.
I have a requirement to use client/server architecture and with Open SSL authentication.
Here, how server to know the connect client using their OPen SSL certificate?
Anyone knows the link, sample then please reply me.We have to develop it in Java.
OpenSSL is not Java, so your solution cannot be both - but I think I know what is intended.
Normally OpenSSL is used as part of Apache http as part of mod_ssl. This in turn uses a "connector" to send the requests to an application server, e.g. Apache Tomcat. You can configure this connector to also send the SSL certificates to tomcat if that is required, but normally the authentication/verification is handled within the deamon.
All this is pretty easy to Google, although you should factor in some time to fully understand the connectors. You've the keywords, now use them :)