Debugging HTTPS via Proxy
There are a few tools available to log HTTP conversations. Usually they act as a proxy that forwards the request and logs what is getting transferred. Nice! But naturally it’s not that easy for HTTPS - of course the conversation is encrypted. But you can still have a peek! I came across a tool called ‘Charles‘. It acts as an intercepting (man-in-the-middle) proxy: it terminates the TLS connection from your client, opens its own connection to the real server, and generates a certificate for each host on the fly, signed by its own Charles CA. All you have to do is to trust that CA certificate. For a Java client that means using the ‘keytool’ to make the certificate available to the JVM.
$ keytool -import -trustcacerts -keystore keystore -file charles.cer
Enter keystore password: password
Owner: C=NZ, ST=Unknown, L=Auckland, O=XK72 Ltd, OU=Charles, CN=Charles CA Certificate
Issuer: C=NZ, ST=Unknown, L=Auckland, O=XK72 Ltd, OU=Charles, CN=Charles CA Certificate
Serial number: 1
Valid from: Sat Aug 23 09:53:59 EST 2003 until: Fri Dec 09 10:54:00 EST 2011
Certificate fingerprints:
MD5: D4:6B:04:E7:F3:14:AF:EB:46:95:47:5E:9A:AE:38:54
SHA1: DB:90:61:F8:E6:CC:13:07:1F:DF:47:6E:DF:D8:B9:6F:CC:73:E1:5C
Trust this certificate? [no]: yes
Certificate was added to keystore
Then you only need to point the JVM at the proxy and at the keystore you’ve just created:
-Dhttps.proxyHost=localhost
-Dhttps.proxyPort=8888
-Djavax.net.ssl.trustStore=/your/path/to/the/keystore
Two caveats. Setting javax.net.ssl.trustStore replaces the JVM’s default truststore (lib/security/cacerts) rather than extending it, so a keystore that holds only the Charles CA makes every HTTPS connection that does not go through Charles fail with a PKIX path-building error; if you need both, import charles.cer into a copy of cacerts and point the property at that copy. And this trust belongs in a debugging keystore only: a JVM (or browser) that trusts the Charles CA will accept any certificate Charles, or anyone holding its private key, chooses to issue, so never add it to a production truststore. Plain-HTTP traffic needs the matching http.proxyHost and http.proxyPort properties.
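The same setup done in code, as an added example that is not part of the original post: instead of the -D flags it builds an SSLContext from the keystore, routes one request through the proxy, and then checks that the server certificate it received was issued by the Charles CA. That last check is the one worth having, because it tells you whether the traffic you are looking at in Charles is really the decrypted stream and not a connection that bypassed the proxy. The proxy address, the keystore path and password, and the target URL are assumptions taken from the post’s own placeholders and keytool session; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Sends one HTTPS request through Charles and reports whether the certificate
 * presented to us was minted by the Charles CA (i.e. the proxy really is in
 * the middle). Added example, not code from the original post.
 */
public class CharlesProxyCheck {

    // Assumptions (placeholders from the post): Charles on localhost:8888 and the
    // keystore created with the keytool command above, password "password".
    static final String PROXY_HOST = "localhost";
    static final int PROXY_PORT = 8888;
    static final String TRUST_STORE = "/your/path/to/the/keystore";
    static final char[] TRUST_STORE_PASSWORD = "password".toCharArray();

    // Subject of the CA that keytool printed when we imported charles.cer.
    static final String CHARLES_CA_CN = "CN=Charles CA Certificate";

    public static void main(String[] args) throws Exception {
        // Target URL is an assumption; pass your own as the first argument.
        String target = args.length > 0 ? args[0] : "https://example.com/";

        SSLContext ctx = trustStoreContext(TRUST_STORE, TRUST_STORE_PASSWORD);
        Proxy proxy = new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress(PROXY_HOST, PROXY_PORT));

        // Equivalent of -Dhttps.proxyHost/-Dhttps.proxyPort, but per connection.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL(target).openConnection(proxy);
        // Equivalent of -Djavax.net.ssl.trustStore, but per connection.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        conn.connect();

        int status = conn.getResponseCode();
        Certificate[] chain = conn.getServerCertificates();
        boolean intercepted = issuedByCharles(chain);

        System.out.println("HTTP status: " + status);
        System.out.println("Leaf certificate subject: "
                + ((X509Certificate) chain[0]).getSubjectX500Principal().getName());
        System.out.println("Leaf certificate issuer:  "
                + ((X509Certificate) chain[0]).getIssuerX500Principal().getName());
        System.out.println(intercepted
                ? "OK: this connection is being decrypted by Charles."
                : "WARNING: certificate not issued by Charles; traffic is NOT going through the proxy.");
        conn.disconnect();
    }

    /**
     * Builds an SSLContext whose trust anchors are exactly the certificates in the
     * given keystore. Note this mirrors the -D property: the JVM default CAs are
     * not included, so only hosts fronted by Charles will validate.
     */
    static SSLContext trustStoreContext(String path, char[] password) throws Exception {
        // KeyStore.getDefaultType() is "jks" on Java 8 and "pkcs12" on 9+; the
        // latter can still read the JKS file keytool produced.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** True if the leaf certificate of the chain names the Charles CA as its issuer. */
    static boolean issuedByCharles(Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        // getName() returns an RFC 2253 string such as
        // "CN=Charles CA Certificate,OU=Charles,O=XK72 Ltd,...".
        return leaf.getIssuerX500Principal().getName().contains(CHARLES_CA_CN);
    }
}
```

Run it with Charles listening and again with Charles stopped: in the second case the connection cannot be established at all (the proxy port is closed), and if you then point it straight at the server without the proxy it fails with a PKIX error, because the keystore holds no public CA. That failure mode is the truststore caveat above made visible.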
Unfortunately ‘Charles’ is quite expensive. If someone knows of a free tool that does the same job …please let me know.
Very interesting! And $50 for a single-user licence is not *that* bad…
The free paros proxy may do what you want, I have only used it for http but for https the guide says:
“Remember that, for all versions of Paros, whenever you try to access SSL website via Paros, a certificate warning would be shown on the browser. This is because Paros acts as a man-in-the-middle and needs to use its own certificate to decrypt the messages. In order to continue, you must accept the certificate (or just import it to suppress this warning).”
http://www.parosproxy.org/index.shtml , It’s more designed for web app security testing than debugging so it allows you to intercept and alter what gets sent, which may be handy for debugging.
I know this post is kind of old, but “Burp” proxy will do what you want. And, it’s FREE! I use it all of the time to see what my bank’s server is sending and asking for so that I can use “libcurl” to automate the download of my transaction data.
Works great!