When you try to automate recurring or annoying operations on a network client, you are lucky if the vendor provides a dedicated SDK, well-known API documentation and plain-text protocols. Otherwise you often end up capturing tcpdump output to study the application-layer data flows. Things get even worse when you have to look inside an encrypted connection.
Here are some useful hints I collected during a recent session with a Java-based application.
First of all, run the application with network debugging:
# java -Djavax.net.debug=all MySSLJavaApplication
Yes, it lets you see everything you need, both in hex and in plain text.
Sometimes it is useful to disassemble one or more Java classes to see their code:
# javap -c -constants MySSLJavaApplication
See this perfect example with detailed descriptions.
Browsers can log all their TLS session keys, so an encrypted session can be decrypted after the fact. Do you feel more secure now? 😉 Set the SSLKEYLOGFILE environment variable, then run Firefox or Chrome:
# SSLKEYLOGFILE=~/sslkeys.log firefox
Here is the SSLKEYLOGFILE format description, along with instructions on how to make Wireshark use it to decrypt TLS connections.
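As an added example (not code from the original post), here is a small Python checker for the SSLKEYLOGFILE format mentioned above: it validates each line against the labels and field lengths from the NSS key log format description and reports which sessions in the log Wireshark could decrypt. The sample log lines are constructed.

```python
"""Validate an NSS/SSLKEYLOGFILE key log and list decryptable sessions.
Added example, not from the original post. Format: '#' comment lines,
otherwise '<label> <client_random hex> <secret hex>'; the legacy 'RSA'
form uses the first 8 bytes of the encrypted pre-master secret as key."""
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-fA-F]+$")
# label -> secret length in bytes; None = 32 or 48 (TLS 1.3 hash size)
LABELS = {
    "RSA": 48, "CLIENT_RANDOM": 48,
    "CLIENT_EARLY_TRAFFIC_SECRET": None, "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None, "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None, "EARLY_EXPORTER_SECRET": None,
    "EXPORTER_SECRET": None,
}

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [error strings])."""
    sessions, errors = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # header/comment line written by the browser
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABELS:
            errors.append(f"line {lineno}: unrecognised line")
            continue
        label, key, secret = parts
        key_len = 8 if label == "RSA" else 32  # bytes
        if not (HEX.match(key) and len(key) == 2 * key_len):
            errors.append(f"line {lineno}: bad client random/id length")
            continue
        want = LABELS[label]
        ok = HEX.match(secret) and (len(secret) == 2 * want if want else len(secret) in (64, 96))
        if not ok:
            errors.append(f"line {lineno}: bad secret length for {label}")
            continue
        sessions[key.lower()][label] = secret.lower()
    return dict(sessions), errors

def decryptable_sessions(sessions):
    """Client randoms with a TLS 1.2 master secret or both TLS 1.3 app secrets."""
    tls13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return sorted(cr for cr, s in sessions.items()
                  if "CLIENT_RANDOM" in s or tls13 <= s.keys())

SAMPLE_LOG = "\n".join([  # constructed sample, not a real capture
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ff" * 10,  # truncated secret
])
```

Running `parse_keylog(SAMPLE_LOG)` flags the truncated line and `decryptable_sessions` lists the two usable sessions; a line that fails validation is also the kind of entry Wireshark will silently ignore.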
Use ssldump if you are lucky enough to have the server's private key in advance. Note that a static private key only decrypts sessions that used RSA key exchange; with (EC)DHE cipher suites you need the per-session secrets, for example from SSLKEYLOGFILE.
# ssldump -k /path/to/private.key -i 'interface' -dnq 'expression'