
SSL Client Side Decryption with MWG Private Key?

Is it possible to decrypt client side SSL traffic if you have SSL scanning turned on in MWG? I know that the MWG creates dynamic certs for each SSL site you visit based on the client context CA, but I don't know if the private key is the same for all of them. What we want to be able to do is take a capture of client side traffic between the client and MWG and use the private key of the MWG's client context CA to decrypt the traffic. I know we can't decrypt the server side since that uses the cert/key from the destination host and not from the MWG. Anyone ever try this?

McAfee Employee

Re: SSL Client Side Decryption with MWG Private Key?

For troubleshooting purposes you can create connection tracing files. When the SSL Scanner is triggered, the traffic is decrypted and re-encrypted by the web gateway. This clear text, for example HTML code, is then written to multiple files. A unique file name identifies the connection, and "C" or "S" identifies whether it is C = Client or S = Server. To enable it, please follow the steps below:

Connection Tracing:

+++++++++++++++++

GUI -> Configuration -> Troubleshooting -> Enable Connection Tracing (Test Client IP)

Results:

GUI -> Troubleshooting -> Connection Tracing

NOTE: Please don't forget to disable it afterwards. Connection tracings can get very big over time and fill up your disk space.

-Sergej


Re: SSL Client Side Decryption with MWG Private Key?

Thanks for the info smasnizk. I've used the connection tracing a couple of times in the past but I'm more interested in being able to decrypt client side traffic that may have been captured a while back. Since we record all network traffic we're able to "go back in time" and pull up old conversations in Wireshark. But I can't figure out how to decrypt the client side traffic for the MWG even though I have the private key for the CA that the MWG uses for the Client Context. I'm afraid I don't know enough about SSL to know if it's even possible to do what we are wanting to do.

McAfee Employee

Re: SSL Client Side Decryption with MWG Private Key?

The issue would be to get the certificate for client traffic. The Web Gateway creates on-the-fly certificates for different destinations. It looks like this Google example:

[Screenshot: cert1.JPG]

-> This Google certificate isn't actually created by Google. This one is from Web Gateway, and you trust it because you have the Root CA in your trusted certificate store.

[Screenshot: cert2.JPG]

When you would like to encrypt some traffic where you don't know the content or destination, the destination will always be the Web Gateway. Even if you could identify your real destination in the tcpdump CONNECT request, you would still have the trouble of not having the temporarily created certificate.

To be honest, your chance of getting this working is very low.

- Sergej
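
Added example, not part of the thread and not McAfee code: a toy model of the point in the last reply, showing that the client context CA key only signs the on-the-fly certificate, while the captured key exchange is encrypted to that certificate's own key pair. It assumes RSA key exchange and uses constructed, insecure textbook-RSA keys; every name in it is hypothetical.

```python
# Added illustration: toy textbook RSA, constructed keys, not MWG code.
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Return (modulus, private exponent) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed, insecure keys built from Mersenne primes (illustration only).
CA_N, CA_D = keypair(2**1279 - 1, 2**2203 - 1)    # stands in for the client context CA
LEAF_N, LEAF_D = keypair(2**521 - 1, 2**607 - 1)  # stands in for one on-the-fly site key

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def issue_cert(hostname):
    """The only use of the CA private key: signing the leaf's public key."""
    tbs = f"CN={hostname};n={LEAF_N:x}".encode()
    return tbs, pow(digest(tbs), CA_D, CA_N)

def cert_is_valid(tbs, sig):
    """What the browser checks, using the CA *public* key."""
    return pow(sig, E, CA_N) == digest(tbs)

def client_key_exchange(premaster):
    """The client encrypts the premaster secret to the leaf public key."""
    return pow(int.from_bytes(premaster, "big"), E, LEAF_N)

def decrypt(ciphertext, n, d):
    """Raw RSA decryption; returns the low 48 bytes (premaster length)."""
    plain = pow(ciphertext, d, n)
    return plain.to_bytes((n.bit_length() + 7) // 8, "big")[-48:]

def demo():
    tbs, sig = issue_cert("www.example.com")  # constructed hostname
    premaster = secrets.token_bytes(48)
    captured = client_key_exchange(premaster)  # what a packet capture would hold
    return {
        "cert_chains_to_ca": cert_is_valid(tbs, sig),
        "ca_key_recovers_secret": decrypt(captured, CA_N, CA_D) == premaster,
        "leaf_key_recovers_secret": decrypt(captured, LEAF_N, LEAF_D) == premaster,
    }

if __name__ == "__main__":
    print(demo())
```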
