Capturing and Debugging SSL Traffic - FortiWeb
Overview
With over 50% of all internet traffic encrypted with SSL, debugging HTTPS traffic is now more common
than ever before. Debugging encrypted communication is challenging for an obvious reason: if the traffic
is encrypted, support and engineering can't identify what the issue is.
Starting with v5.7, FortiWeb provides an easy solution to this problem. Administrators can export the
SSL session key of the connection and load it into Wireshark together with the pcap file. Wireshark will
then present the raw HTTP data.
A lot of debugging information, including the SSL session keys, is going to be sent to the console.
Copy and paste that into a file; you will need it later.
2. Start capturing the relevant HTTPS traffic. This can be achieved in two ways:
a) GUI
- Log into FortiWeb using the admin user
- Go to Network -> Packet Capture
- Click “Create New” and set the related options. See example below
b) Using shell
- Open a console and log in with the admin account
- Access the shell using the below command
# fn sh
- Use tcpdump to capture the traffic. Add the relevant flags/options that will allow you to narrow and
focus on the relevant connections. Here’s an example:
# /data/bin/tcpdump -i port1 -nne -s0 -w ssl.pcap tcp port 443
3. Reproduce the issue. Once it is reproduced, stop the tcpdump command from steps 1 or 2.
4. Transfer the file with the debugging information from step 1 to any Linux system. Use the following
command to export the SSL keys:
$ awk '{gsub(/,/," ")} /session data: client random/ {print "CLIENT_RANDOM " $15 " " $18}' dumpfile > keys.log
NOTE: after exporting the data the keys.log file should NOT be empty. The content should look like
this
(Encrypted data)
d) Select SSL and set the location of your SSL key file (keys.log)
(Decrypted data)
f) Check if the suspected HTTP transactions (both request & response) relevant to your issue are
now decrypted. If not, you will need to repeat this
6. In some cases it is necessary to capture the traffic between the client & Pserver without going through
FortiWeb, so we can compare the two.
a) On Windows, set the environment variable SSLKEYLOGFILE
c) Use Firefox or Chrome to reproduce the issue (they will export the SSL session keys into
SSLKEYLOGFILE)
d) After your test is complete, import the SSL keys (from SSLKEYLOGFILE) into Wireshark to
check whether the packets are all correct, as in step 5
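
A format check for the key files from step 4 (keys.log) and step 6 (the browser's SSLKEYLOGFILE), useful when Wireshark still shows encrypted data because the awk field numbers picked up the wrong columns. This is an added example, not part of the original FortiWeb document; the function name check_keylog is hypothetical, and it goes beyond the CLIENT_RANDOM lines produced in step 4 by also accepting the TLS 1.3 labels that browsers write.

```shell
#!/bin/sh
# Added example (not from the FortiWeb document); check_keylog is a hypothetical name.
# Usage: check_keylog FILE
# Prints "valid=<n> invalid=<n>"; malformed line numbers go to stderr.
# Returns 0 only if at least one entry is usable and none is malformed.
check_keylog() {
    awk -v tls13='^(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EARLY_EXPORTER_SECRET|EXPORTER_SECRET)$' '
    # True when s is exactly n hexadecimal characters.
    function ishex(s, n) { return length(s) == n && s ~ /^[0-9A-Fa-f]+$/ }

    { sub(/\r$/, "") }                    # tolerate CRLF files written on Windows
    /^[ \t]*(#.*)?$/ { next }             # blank lines and comments are allowed
    {
        ok = 0
        if (NF == 3 && ishex($2, 64)) {   # field 2: 32-byte client random
            if ($1 == "CLIENT_RANDOM")    # TLS 1.2 and earlier: 48-byte master secret
                ok = ishex($3, 96)
            else if ($1 ~ tls13)          # TLS 1.3: secret sized by SHA-256 or SHA-384
                ok = ishex($3, 64) || ishex($3, 96)
        }
        if (ok) {
            valid++
        } else {
            invalid++
            print "line " NR ": not a usable key log entry" > "/dev/stderr"
        }
    }
    END {
        printf "valid=%d invalid=%d\n", valid, invalid
        exit !(valid > 0 && invalid == 0)
    }' "$1"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_keylog "$1"; fi
```

A key log file decrypts every session it covers, so store keys.log with the same access restrictions as the capture itself.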