Status Services → Expedited WAF → Expedited SSL → IP Investigator → Real Email Resources → Knowledge Base → AWS In Plain English → Blog → Heroku Security Resources Use Cases → DDoS Protection → Bot & Malicious Traffic Blocking → Fraud Detection & Prevention → Credential Stuffing Protection → Compliance → OWASP Top 10 Compliance → AI Scraping Prevention → Geographic Request Blocking → Virtual Patching About Contact

Wireshark is the simplest way to inspect HTTPS on your Mac

Avoid setting up proxies using only Chrome and Wireshark

January 24, 2020
Wireshark is the simplest way to inspect HTTPS on your Mac

Charles Proxy is one of the most well known SSL debugging tools. Charles has got us out of a bunch of jams before, and we've always kept this around for when we need it:

# For Charles Proxy. ALL_PROXY is Curl specific
#export HTTP_PROXY=http://localhost:2222/; export ALL_PROXY=http://localhost:2222/

However:

  • Charles requires Java to be installed and enabled.
  • It has a clunky UI.

  • Reinstalling Charles' root certificate after OS X updates is boring. You need to run:

     # See if Charles' root certificate is installed
 keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep charles
 # Reinstall Charles' root certificate
 sudo keytool -import -alias charles -file /Applications/Charles.app//Contents/doc/charles-proxy-ssl-proxying-certificate.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass somePasswordButMyNotMyActualPassword

These drawbacks don't stop Charles from being a useful piece of software, and we'll keep Charles around. However if you just want to see the unencrypted contents of your SSL traffic from a web browsing session, and if that browser is Chrome or Firefox, there's a simpler solution.

You can enable one environment variable to capture SSL traffic with Wireshark and Chrome/Firefox

Wireshark was just released. It has an OS X native UI. Best of all you can use it in conjunction with Chrome or Firefox to inspect SSL traffic incredibly easily.

Got a copy? Let's go:

Start capturing packets

sudo tcpdump -i en0 -s 0 tcp port https -w ~/Desktop/capture.pcap

Replace en0 with your network interface as reported by ifconfig (OS X) or ip addr (Linux).

Make your browser save session keys

Stop any existing instances of Chrome or Firefox (whichever you're intending to use).

Then open a Terminal and run the following:

touch ~/Desktop/session-key.log
export SSLKEYLOGFILE="~/Desktop/session-key.log"

Start either Chrome or Firefox:

open /Applications/Google\ Chrome.app

Browse to an https:// URL. It will start creating the session-key.log file.

If you like, you can watch it in a terminal:

tail -f ~/Desktop/session-key.log

The session key format includes:

  • A Client_Random entry for Diffie-Hellman negotiated sessions
  • An RSA entry is for sessions using RSA or DSA key exchange.

View the capture using the session key to show the encrypted contents

Open the .pcap file and visit Wireshark > Preferences. Under Protocols, scroll down to SSL and load the file. You can skip to just the https parts with the following filter:

ssl

And a specific host with:

ip.addr == 10.10.10.1

To look at a particular TCP session, right click on any of the entries and choose to “Follow SSL Stream”.

Conclusion

We hope you'll find the session keys method shown here is as useful as we do. You will probably want to keep Charles around for apps like wget and curl. That said, if the reason you're using wget or curl is to test a REST API, consider Postman: it's a Chrome app, so uses Chrome session keys. It's more REST-focused so you'll spend more time testing and less reading a manual page.

View All Blog Posts