Debugging HTTPS
Whenever you have you debug a http conversation there are a
couple of tools available to help you to see the requests and
responses that make up the full conversation. While for web
development there is an excellent Firefox plugin called
“live http headers“, it gets slightly more tricky when you are dealing with
webservices from your own application. Either you have to
go through a proxy or you try
to record the incoming and outgoing tcp packets. To restore the
conversation you either had to use a
combination of tcpdump and tcptrace or use tcpflow.
sudo tcpflow -i en0 -c
Newer versions of tcpdump even do the job without going through tcptrace (see further below). Of course this only works if the traffic is not encrypted – which it is over https. So in order to read the communication details you need a man-in-the-middle.
If you require both sides to be encrypted then your are pretty much stuck with using a proxy. But if it’s just that the service requires encryption and is not available via plain http, you can use an even simpler setup. Have your local machine act as the man-in-the-middle. You can then use stunnel to accept an unencrypted connection locally and turn it into an encrypted one remotely.
client=yes foreground=yes verify=0 [psuedo-https] accept = 8888 connect = somesecurewebservice.com:443 TIMEOUTclose = 0
Once you fire up stunnel with the above configuration you just need to replace your original address https://somesecurewebservice.com with http://localhost:8888. Of course that means the traffic will be available unencrypted on the local interface and you can just fire up tcpdump to see what is going on.
sudo tcpdump -s 0 -A -i lo0 port 8888