Torsten Curdt’s weblog

Debugging HTTPS via Proxy

There are a few tools available to log HTTP conversations. Usually they act as a server that forwards the request and logs what is getting transfered. Nice! But naturally it’s not that easy for HTTPS – of course the conversation is encrypted. But you can still have a peek! I came across a tool called ‘Charles‘. It acts as a reverse proxy that sits in the middle and will automatically generate the right certificates. All you have to do is to trust the Charles certificate. You have to use the java ‘keytool’ to make the certificate available to the jvm.

$ keytool -import -trustcacerts -keystore keystore -file charles.cer
Enter keystore password:  password
Owner: C=NZ, ST=Unknown, L=Auckland, O=XK72 Ltd, OU=Charles, CN=Charles CA Certificate
Issuer: C=NZ, ST=Unknown, L=Auckland, O=XK72 Ltd, OU=Charles, CN=Charles CA Certificate
Serial number: 1
Valid from: Sat Aug 23 09:53:59 EST 2003 until: Fri Dec 09 10:54:00 EST 2011
Certificate fingerprints:
         MD5:  D4:6B:04:E7:F3:14:AF:EB:46:95:47:5E:9A:AE:38:54
         SHA1: DB:90:61:F8:E6:CC:13:07:1F:DF:47:6E:DF:D8:B9:6F:CC:73:E1:5C
Trust this certificate? [no]:  yes
Certificate was added to keystore

Then you only point the jvm to the proxy and to the keystore you’ve generated.


Unfortunately ‘Charles’ is quite expensive. If someone knows of a free tools that does the same job …please let me know.

  • There is always Fiddler from Microsoft (Windows only of course) or stunnel (part of OpenSSL) which is complex to use but can fake any SSL connection together with two sided NetCat. I used this to partially reverse engineer the Instapaper protocol, although I never published my findings.
  • https://vafer.org/blog/20080221... usually also does the job. For the simple thing it does I still think the 50 USD for Charles are too much. But well...
  • Charles is absolutely worth the $50 asking price. It's become the *indispensable* tool in my kit for developing Flex/AIR applications talking to a variety of backend services.
  • James Clancy
    I know this post is kind of old, but "Burp" proxy will do what you want. And, it's FREE! I use it all of the time to see what my bank's server is sending and asking for so that I can use "libcurl" to automate the download of my transaction data.

    Works great!
  • cal
    The free paros proxy may do what you want, i have only used it for http but for https the guide says:

    "Remember that, for all verisons of Paros, whenever you try to access SSL website via Paros, a certificate warning would be shown on the browser. This is because Paros acts as a maninthemiddle and need to use its own certificate to decrypt the messages. In order to continue, you must accept the certificate (or just import it to suppress this warning)."

    http://www.parosproxy.org/inde... , It's more designed for web app security testing than debugging so it allows you to intercept and alter what gets sent, which may be handy for debugging.
  • Very interesting! And $50 for a single-user licence is not *that* bad...
blog comments powered by Disqus