Clear-Text Dump for HTTPs-Inspected Traffic



Dave365
2017-04-10, 02:58
Hello,

I am doing some troubleshooting for some HTTPS connections to a web server I don't control and we perform HTTPs inspection for Application Control/URL filtering on our CheckPoint gateway. I need to see the HTTP requests to investigate the problem.

Is it possible to export the private key of the HTTPs Inspection certificate used on the gateway, in order to use it in Wireshark to decrypt the HTTPS stream?

Alternatively, is it possible to do a packet capture from the gateway, exporting the HTTP data in clear text?

Thanks,
Dave

ShadowPeak.com
2017-04-10, 07:56
I spent a long afternoon trying to figure out how to do this directly on the firewall with fw ctl debug and/or fw monitor, and it does not appear to be possible. However, see this thread for a hotfix that may help, but you'll need to contact your SE, not Check Point TAC:

https://www.cpug.org/forums/showthread.php/21875-forwarding-decrypted-SSL-Traffic-to-Netwitness?p=95350#post95350

Any chance you control the client web browser system and can install a browser extension to show you the headers?

Dave365
2017-04-11, 01:40
Thanks.

This is what I am trying to do now, to record the traffic on the client side. However, the client is an application, not an actual web browser, and it seems the behavior changes when the connection is intercepted using various tools.