Decrypt HTTPS traffic in tcpdump

When HTTPS traffic inspection is enabled, is there any way to produce a tcpdump file that includes the decrypted traffic? Or alternatively, is there a way to configure Wireshark to decrypt an encrypted dump file? I know Wireshark has the capability, but it requires the private key from the server. From what I've found, the private key can't be exported from a WatchGuard device. Or can it somehow?

Comments

  • edited November 2020

    deleted my incorrect answer ....

  • james.carson Moderator, WatchGuard Representative

    Hi @cmc

    The firewall won't export a private key. You can, however, import your own proxy server / proxy authority certs, depending on the direction traffic is traveling (External -> Internal is proxy server, Internal -> External is proxy authority). You'll need your own CA to do this for proxy authority, as 3rd-party CAs will not give you the proper re-signing type cert for this.

    Once you have the private key for your traffic, either via the proxy or from the web servers themselves, you can decrypt in Wireshark. Palo Alto made a quick KB showing how to do this:
    https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

    -James Carson
    WatchGuard Customer Support
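
The workflow James describes, as an added example that is not from this thread or from WatchGuard: extract the private key from a PKCS#12 bundle with openssl, then hand either that key or a TLS key log file to tshark for offline decryption. File names and paths are placeholders; a server private key only decrypts sessions negotiated with RSA key exchange, while a key log file (SSLKEYLOGFILE format, as in the linked tutorial) also covers (EC)DHE sessions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes tshark and openssl are on
# PATH; every file name below is a placeholder you replace with your own.
set -eu

# Pull the private key out of a PKCS#12 bundle (for instance the proxy
# authority cert you imported on the firewall) into a PEM file tshark reads.
extract_key() {
  p12="$1"; out="$2"
  openssl pkcs12 -in "$p12" -nocerts -nodes -out "$out"
  chmod 600 "$out"   # the key decrypts everything it signed for; keep it private
}

# Build the tshark invocation for one of two decryption modes:
#   rsa    - server/proxy private key; only works when the session used
#            RSA key exchange (no forward secrecy)
#   keylog - SSLKEYLOGFILE-style secrets file; also covers (EC)DHE sessions
# The command is returned as text so it can be inspected before running.
decrypt_cmd() {
  mode="$1"; pcap="$2"; secret="$3"
  case "$mode" in
    rsa)    echo "tshark -r $pcap -o uat:rsa_keys:\"$secret\",\"\" -Y http" ;;
    keylog) echo "tshark -r $pcap -o tls.keylog_file:$secret -Y http" ;;
    *)      echo "usage: decrypt_cmd rsa|keylog <pcap> <key-or-log>" >&2; return 1 ;;
  esac
}

# Run the decryption and write the decrypted HTTP view to a text file.
decrypt_to_file() {
  mode="$1"; pcap="$2"; secret="$3"; out="$4"
  cmd="$(decrypt_cmd "$mode" "$pcap" "$secret")"
  sh -c "$cmd" > "$out"
}

# Example usage (placeholders):
#   extract_key proxy-authority.p12 proxy-authority.key
#   decrypt_to_file rsa capture.pcap proxy-authority.key decrypted.txt
#   decrypt_to_file keylog capture.pcap sslkeys.log decrypted.txt
```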
