
Decrypt client-side SSL traffic in Wireshark generated by Java HttpsURLConnection

I am trying to use a GUI Java program written by someone else that is not behaving as I would expect. In the course of the program's operations, it contacts a server to pull data down, but it's not displaying the correct data. I am trying to establish whether the problem I am experiencing is network-related --- i.e. the right bits are never making it to the client.

Looking through the source code of the Java program, it appears to be using the HttpsURLConnection class to pull data from the server over SSL. What I would like to be able to do is inspect what is happening on the wire using Wireshark. My understanding is that Wireshark supports decrypting some SSL traffic if you have the relevant key(s). I do not control the server and so cannot access its private key. I do however control the client the program is running on. My question is, how in practice would I configure Wireshark to decrypt the SSL traffic for the scenario I have just described? Is there a specific key HttpsURLConnection uses that I can add to Wireshark? Is there something else?

I should note that I have considered simply adding logging into the Java code base, but would ultimately prefer the ground truth of a packet capture over logging, as I might miss/omit something important in the logging of a code base I don't fully understand.

asked Jul 21 '12 11:07

Bryce Thomas


1 Answer

As you don't have access to the server's private key, Wireshark cannot be used for decrypting directly.

Even with the private key, Wireshark cannot decrypt the traffic if a cipher with perfect forward secrecy (PFS) is used.

What you need is a Man-in-The-Middle proxy that acts like an SSL server from your application's perspective and from the server's perspective it works like the client.

There are a lot of programs that can operate as a proxy, e.g. Fiddler on .NET/Windows, WebScarab or Burp Suite (Java). For all those programs you need to export the server certificate they use and add it as a trusted certificate to your program, e.g. by specifying a suitable trust store on the command line when starting your app (see the Java property javax.net.ssl.trustStore).

answered Oct 13 '22 01:10

Robert
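
The trust-store step described in the answer above, as an added example that is not part of the original post: it imports the proxy's exported CA certificate into a separate, throwaway trust store (so the JRE-wide cacerts file stays untouched) and starts the application with that store and the standard JDK `https.proxyHost`/`https.proxyPort` properties. The file names, the alias `debug-proxy-ca`, the password `changeit` and the proxy address 127.0.0.1:8080 are assumptions.

```shell
#!/bin/sh
# Added example: run a Java client through a local intercepting proxy for
# debugging. All paths, the alias, the password and the proxy address are assumed.

# Create a throwaway trust store that holds only the proxy's CA certificate.
# A dedicated store keeps the proxy CA out of the JRE's global cacerts file.
make_debug_truststore() (
    ca_cert=$1 store=$2 pass=${3:-changeit}
    [ -r "$ca_cert" ] || { echo "CA certificate not readable: $ca_cert" >&2; exit 1; }
    rm -f "$store"
    keytool -importcert -noprompt -trustcacerts \
        -alias debug-proxy-ca -file "$ca_cert" \
        -keystore "$store" -storepass "$pass"
)

# Print the JVM options (one per line) that make HttpsURLConnection trust the
# debug store and send its HTTPS requests through the proxy.
debug_jvm_opts() (
    store=$1 host=$2 port=$3 pass=${4:-changeit}
    case $port in
        ''|*[!0-9]*) echo "invalid proxy port: $port" >&2; exit 1 ;;
    esac
    printf '%s\n' \
        "-Djavax.net.ssl.trustStore=$store" \
        "-Djavax.net.ssl.trustStorePassword=$pass" \
        "-Dhttps.proxyHost=$host" \
        "-Dhttps.proxyPort=$port"
)

# Usage: run_via_proxy proxy-ca.cer app.jar [truststore-path]
run_via_proxy() (
    ca_cert=$1 jar=$2 store=${3:-./debug-truststore}
    make_debug_truststore "$ca_cert" "$store" || exit 1
    opts=$(debug_jvm_opts "$store" 127.0.0.1 8080) || exit 1
    IFS='
'                   # split the option list on newlines only
    set -f          # no filename expansion while splitting
    exec java $opts -jar "$jar"
)
```

Delete the debug trust store once the session is over so the proxy CA is not trusted by later runs.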