Decrypting HTTPS traffic with BlueCoat reverse proxy

Just submitted as KB article to bluecoat🙂

Common example scenario:

An SSL reverse proxy is deployed, and at some stage in the troubleshooting process a packet capture of the HTTPS traffic is required to view the traffic flowing between the client and the proxy, or between the OCS (origin content server) and the proxy.
In a reverse proxy scenario, the appropriate certificate and private key must be imported into the proxy so that it can terminate the SSL connections. Since the key is known to the proxy, it can be extracted and used in Wireshark to decrypt the SSL traffic for easier troubleshooting.
Please note: You will be dealing with plaintext private keys. Please be very careful and delete these after use. If these plaintext keys get lost, please change the certificates and keys on the proxy to avoid a security/integrity compromise.
Extracting the private key from the Proxy:
In this example we will extract the self-signed key from the proxy. If another certificate is used, please substitute the appropriate entries.
1. Enter the proxy management console via CLI (ssh / console cable)
2. Enter enable mode (en)
3. (optional) enter show ssl keyring to view a list of configured keyrings. Make a note of the keyring ID being used in the reverse proxy (this can also be checked from the GUI under proxy services)

4. Enter the command show ssl keypair unencrypted selfsigned. Replace the “selfsigned” keyword with your own keyring ID. The proxy will output the key in the form:
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----
5. Copy and paste the key (including the BEGIN RSA and END RSA lines) into Notepad and store it in a safe place as a .pem file

The rest of the procedure follows the normal Wireshark SSL decryption setup. This link is a very good, short and sweet explanation with screenshots:

http://htluo.blogspot.com/2009/01/decrypt-https-traffic-with-wireshark.html
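Before loading the pasted key into Wireshark it is worth checking that the paste is complete and that the key really belongs to the certificate the reverse proxy serves; a key from the wrong keyring is the usual reason traffic stays encrypted. The script below is an added example, not part of the original post or of any Blue Coat documentation. It assumes OpenSSL is installed, and the file names, the IP address and the keys-list format (older Wireshark uses the ssl.keys_list preference, 3.x and later tls.keys_list) are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post or Blue Coat): sanity-check a
# private key pasted from "show ssl keypair unencrypted <keyring>" before
# handing it to Wireshark. Assumes OpenSSL is available on the PATH.
set -u

# Returns 0 if KEYFILE parses as an RSA private key whose modulus matches
# the certificate in CERTFILE; returns 1 otherwise.
check_proxy_key() {
    keyfile=$1
    certfile=$2
    # A truncated or corrupted paste fails here: OpenSSL verifies the key's
    # internal consistency (n = p*q, d matches e), not just the PEM armour.
    openssl rsa -in "$keyfile" -check -noout >/dev/null 2>&1 || {
        echo "key does not parse or is inconsistent: $keyfile" >&2
        return 1
    }
    # A key from a different keyring has a different modulus than the
    # certificate the proxy actually presents to clients.
    kmod=$(openssl rsa -in "$keyfile" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$certfile" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "key modulus does not match certificate: wrong keyring?" >&2
        return 1
    fi
    # This is a plaintext private key: restrict it to the owner while it exists.
    chmod 600 "$keyfile"
    return 0
}

# Prints the RSA keys-list entry Wireshark expects: ip,port,protocol,keyfile.
# Decryption with the server key only works for RSA key-exchange suites;
# DHE/ECDHE (forward secrecy) sessions cannot be decrypted this way.
keys_list_entry() {
    printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$4"
}

# Example usage after pasting the key into proxy-key.pem (names assumed):
#   check_proxy_key proxy-key.pem proxy-cert.pem && \
#     tshark -r capture.pcap \
#       -o "ssl.keys_list:$(keys_list_entry 192.0.2.10 443 http proxy-key.pem)"
```

The certificate file for the modulus comparison can be exported from the proxy GUI or grabbed from the capture itself; delete the .pem key once the capture has been analysed.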

Update: Here’s the link for the KB article in bluecoat which I wrote. Same as above.

https://kb.bluecoat.com/index?page=content&id=FAQ936