Decrypt HTTPS traffic in tcpdump
When HTTPS traffic inspection is enabled, is there any way to produce a tcpdump file that includes the decrypted traffic? Or alternatively, is there a way to configure Wireshark to decrypt an encrypted dump file? I know Wireshark has the capability, but it requires the private key from the server. From what I've found, the private key can't be exported from a WatchGuard device. Or can it somehow?
Comments
Deleted my incorrect answer.
Hi @cmc
The firewall won't export a private key. You can, however, import your own proxy server/proxy authority certs (depending on the direction traffic is traveling: External -> Internal is proxy server, Internal -> External is proxy authority). You'll need your own CA to do this for proxy authority, as third-party CAs will not give you the proper resigning type cert for this.
Once you have the private key for your traffic, either via the proxy or from the web servers themselves, you can decrypt in Wireshark. Palo Alto made a quick KB showing how to do this:
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/
-James Carson
WatchGuard Customer Support