
Technical Solution Guide

How to capture SSL traffic


FortiWeb Technical Solution Guide

(Updated June 13, 2017)

Overview

With over 50% of all Internet traffic encrypted with SSL, debugging HTTPS traffic is now more common
than ever before. Debugging encrypted communication is challenging for obvious reasons: if the traffic
is encrypted, support and engineering can't see what the issue is.

Starting with v5.7, FortiWeb provides an easy solution to this problem. Administrators can export the
SSL session keys of the connection and load them into Wireshark together with the pcap file. Wireshark
will then present the raw HTTP data.

Follow the instructions below:

1. Open a console connected to FortiWeb and enable debugging mode:


# diagnose debug flow filter flow-detail 4
# diagnose debug flow filter <V-server IP>
# diagnose debug flow trace start
# diagnose debug enable

A lot of debugging information, including the SSL session keys, will be sent to the console.
Copy and paste it into a file; you will need it later.

2. Start capturing the relevant HTTPS traffic. This can be achieved in two ways:
a) GUI
- Log into FortiWeb using the admin user
- Go to Network -> Packet Capture
- Click "Create New" and set the related options (see the example below)

PS: make sure the "Maximum Packet Count" is large enough for the whole test


- Start capturing traffic

CONFIDENTIAL – NOT FOR EXTERNAL DISTRIBUTION; FORTINET INTERNAL USE ONLY


www.fortinet.com
FortiWeb Technical Solution Guide - Capturing SSL Traffic

- Download the pcap file once the test is over

b) Using shell
- Open a console and login with the admin account
- Access the shell using the command below
# fn sh
- Use tcpdump to capture the traffic. Add the relevant flags/options that narrow the capture down to
the relevant connections (BPF filter keywords are lowercase). Here's an example:
# /data/bin/tcpdump -i port1 -nne -s0 tcp port 443 -w ssl.pcap

Use "Ctrl+C" to stop the capture


- Download the pcap file (e.g. ssl.pcap) once the test is complete

3. Reproduce the issue. Once it is reproduced, stop the capture started in step 2 (the GUI capture or the tcpdump command).

4. Transfer the file with the debugging information from step 1 to any Linux system. Use the following
command to export the SSL keys (it replaces commas with spaces, then prints the client random and the
master secret from every "session data: client random" line in the NSS key log format Wireshark reads):
$ awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $15 " " $18}' dumpfile > keys.log

It can also be executed on FortiWeb itself using the following command:


$ busybox awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $15 " " $18}' dumpfile > keys.log

NOTE: after exporting the data, the keys.log file should NOT be empty. Each line should consist of
CLIENT_RANDOM followed by the 32-byte client random and the 48-byte master secret, both in hex, as
shown here
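As an added example that is not part of this guide, the following Python script performs the sanity check described above before the files are sent anywhere: it validates keys.log against the NSS key log format that Wireshark reads (CLIENT_RANDOM, a 32-byte client random, a 48-byte master secret, all hex), then extracts the client random from each captured TLS ClientHello record and reports whether a key exists for that session, which is the same matching Wireshark does and the reason a session stays encrypted in step 5 when its key is missing. The ClientHello bytes and the key log lines are constructed for the demonstration; FortiWeb's own debug output format is not modelled.

```python
import re
import struct

# NSS key log line as Wireshark expects it: label, 32-byte client random, 48-byte master secret (hex)
KEYLOG_LINE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")


def parse_keylog(text):
    """Return ({client_random: master_secret}, [(lineno, bad_line), ...]) from keys.log content.
    Malformed lines are reported so an empty or garbled export is caught early."""
    keys, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = KEYLOG_LINE.match(line)
        if not match:
            bad.append((lineno, line))
            continue
        keys[bytes.fromhex(match.group(1))] = bytes.fromhex(match.group(2))
    return keys, bad


def client_random_from_record(record):
    """Return the 32-byte client random from a TLS record that carries a ClientHello, else None.
    Layout: record header type(1) version(2) length(2); handshake header type(1) length(3);
    then client_version(2) and random(32)."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22 or len(record) < 5 + record_len:  # 22 = handshake
        return None
    if record[5] != 1:  # handshake type 1 = ClientHello
        return None
    return record[11:43]


def check_capture(records, keys):
    """For every ClientHello in the captured records, report (client_random_hex, key_present)."""
    results = []
    for record in records:
        client_random = client_random_from_record(record)
        if client_random is None:
            continue  # not a ClientHello (e.g. application data); nothing to match
        results.append((client_random.hex(), client_random in keys))
    return results


def build_client_hello(client_random):
    """Build a minimal TLS 1.2 ClientHello record around a given random (one cipher suite,
    no extensions). Constructed test input only, not a real handshake."""
    body = b"\x03\x03" + client_random + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample data: one session with a key, one without, and one non-handshake record.
CLIENT_RANDOM_A = bytes(range(32))
CLIENT_RANDOM_B = bytes([0xFF]) * 32
MASTER_SECRET_A = bytes([0xAB]) * 48
SAMPLE_KEYLOG = (
    "CLIENT_RANDOM " + CLIENT_RANDOM_A.hex() + " " + MASTER_SECRET_A.hex() + "\n"
    "garbage line that the awk filter should never have produced\n"
)
SAMPLE_RECORDS = [
    build_client_hello(CLIENT_RANDOM_A),
    build_client_hello(CLIENT_RANDOM_B),
    b"\x17\x03\x03\x00\x01\x00",  # application data record, ignored by the check
]


if __name__ == "__main__":
    keys, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(keys)} usable key(s), {len(bad)} malformed line(s)")
    for cr_hex, found in check_capture(SAMPLE_RECORDS, keys):
        print(cr_hex[:16] + "...", "key present" if found else "NO KEY: session stays encrypted")
```

Run it against the real files by reading keys.log into parse_keylog and feeding the TLS records from the pcap (for example via a pcap parser of your choice) to check_capture; any session reported without a key is one Wireshark will not be able to decrypt in step 5.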

5. Validate the pcap file with the SSL keys:


a) Open the pcap file with Wireshark (v1.6 and above); at this point the packets should still be encrypted

(Encrypted data)

b) Go to Edit -> Preferences


c) Expand the Protocols section

d) Select SSL and set the location of your SSL key file (keys.log) in the "(Pre)-Master-Secret log filename" field

e) Click OK; the packets should now become readable


(Decrypted data)

f) Check whether the suspected HTTP transactions (both request and response) relevant to your issue are
now decrypted. If not, you will need to repeat this.

6. In some cases it is necessary to capture the traffic between the client and the physical server (pserver)
without going through FortiWeb, so that the two captures can be compared:
a) On Windows, set the environment variable SSLKEYLOGFILE to the path of the file the browser should write its session keys to

b) Capture the SSL traffic using Wireshark

c) Use Firefox or Chrome to reproduce the issue (they export the SSL session keys into the file named by
SSLKEYLOGFILE)

d) After your test is complete, load the SSL keys (from SSLKEYLOGFILE) into Wireshark and check that the
packets decrypt correctly, as in step 5

Finally, provide the following files to Fortinet support:


• keys.log and the pcap file generated on FortiWeb

• sslkeylogfile.log and the pcap file generated by the test PC
