Hi,
On 04.06.2016 at 02:14, Igor Cicimov wrote:
> you can dump the symmetric keys from the browser and import them
> in wireshark to decrypt PFS protected TLS sessions [1]
Yes, in case you want to troubleshoot something generic this is a good
approach, but if you want to troubleshoot sessions not initiated by
yourself, i.e. a particular client connection, this is practically
impossible.
Temporarily disabling PFS ciphers is the only way then. Extracting the
symmetric key from certain sessions on the haproxy side would be an
interesting feature though.
Another proxy layer means that you decrypt TLS on the front-end
proxy, while you sniff the plaintext traffic between the front-end
and the second tier proxy. You can probably do this with a single
haproxy instance recirculating the traffic through a unix socket
and capture the traffic on it, but it would require some trial and
error and definitely some testing.
This will probably be faster, but you can't use tcpdump in that case.
Using the loopback interface instead of a unix socket will fix this.
Regards,
Lukas
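The two-tier recirculation described above, written out as an added haproxy configuration example (not something from this thread or from the haproxy project): the first frontend terminates TLS and hands the decrypted stream to a second frontend bound on the loopback interface, so tcpdump on lo sees the plaintext. The certificate path and the application server address are placeholders.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Tier 1: public-facing frontend that terminates TLS.
frontend fe_tls
    # placeholder certificate path
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend be_recirculate

# Hand the decrypted stream to tier 2 over loopback rather than a unix
# socket, so that "tcpdump -i lo port 8080" can capture it in plaintext.
# Binding only to 127.0.0.1 keeps the plaintext hop on this host.
backend be_recirculate
    server recirc 127.0.0.1:8080

# Tier 2: plain HTTP listener on loopback; traffic is unencrypted here
# and is then forwarded to the real application server.
frontend fe_plain
    bind 127.0.0.1:8080
    default_backend be_app

backend be_app
    # placeholder application server address
    server app1 192.0.2.10:80 check
```

Capture with `tcpdump -i lo port 8080 -w plain.pcap` while the problem client connects, then open the pcap in Wireshark; no session keys are needed because that hop is already plaintext.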