header

Torsten Curdt’s weblog

Debugging HTTPS

Whenever you have you debug a http conversation there are a couple of tools available to help you to see the requests and responses that make up the full conversation. While for web development there is an excellent Firefox plugin called “live http headers“, it gets slightly more tricky when you are dealing with webservices from your own application. Either you have to go through a proxy or you try to record the incoming and outgoing tcp packets. To restore the conversation you either had to use a combination of tcpdump and tcptrace or use tcpflow.

sudo tcpflow -i en0 -c

Newer versions of tcpdump even do the job without going through tcptrace (see further below). Of course this only works if the traffic is not encrypted – which it is over https. So in order to read the communication details you need a man-in-the-middle.

man-in-the-middle

If you require both sides to be encrypted then your are pretty much stuck with using a proxy. But if it’s just that the service requires encryption and is not available via plain http, you can use an even simpler setup. Have your local machine act as the man-in-the-middle. You can then use stunnel to accept an unencrypted connection locally and turn it into an encrypted one remotely.

client=yes
foreground=yes
verify=0

[psuedo-https]
accept  = 8888
connect = somesecurewebservice.com:443
TIMEOUTclose = 0

Once you fire up stunnel with the above configuration you just need to replace your original address https://somesecurewebservice.com with http://localhost:8888. Of course that means the traffic will be available unencrypted on the local interface and you can just fire up tcpdump to see what is going on.

sudo tcpdump -s 0 -A -i lo0 port 8888
blog comments powered by Disqus