IIS 7 and Above
SSL session key logging
Last post Jan 15, 2019 02:18 AM by lextm
Jan 09, 2019 02:42 AM|anoop.ekk.nair
We've a requirement to decrypt and inspect the HTTPS traffic from IIS.
Currently our monitoring solution is capable of doing this for HTTPS sessions which use an RSA cipher for key exchange, provided the server's private key is made available to it. But when the cipher used is a variant of Diffie-Hellman, there is no way to do so, as this offers perfect forward secrecy and with the server's private key alone the traffic cannot be decrypted. My solution can decrypt the traffic if the session key corresponding to the session ID or client random is provided to it. I would like to know if there is a way to extract the session key of the HTTPS transactions from the IIS server (either through logs, through a plugin, or by any other means).
Jan 10, 2019 05:58 AM|Jalpa Panchal
IIS does not provide any feature to decrypt and inspect HTTPS traffic; you may use an external tool like Fiddler or Wireshark.
Jan 10, 2019 06:05 AM|anoop.ekk.nair
Even with Fiddler or Wireshark, to decrypt SSL traffic which involves Diffie-Hellman key exchange we need to provide the session keys. My query is: is there a way to extract the SSL session keys from IIS?
Jan 11, 2019 09:05 AM|Jalpa Panchal
We couldn't extract the SSL session keys from IIS.
Jan 12, 2019 04:17 AM|lextm
Please buy commercial solutions if possible. Ask Google and there are many options.
If you truly need to develop your own solution, please learn about the HTTPS man-in-the-middle attack. You should use that to implement your own HTTPS proxy (Fiddler uses the same trick) where you can easily decrypt the traffic and perform monitoring.
Your current monitoring solution sounds like something on the wrong track.
Jan 14, 2019 04:22 AM|anoop.ekk.nair
I don't intend to introduce a proxy for monitoring purposes.
The solution that we have is a completely non-invasive, sniffer-based one.
I understand it is technically not feasible to decrypt SSL transactions involving DH key exchange using a completely non-invasive solution, but would like to keep it that way as much as possible. Hence I don't want to introduce a proxy, and am instead trying to figure out a way to extract the session keys from web servers. As IIS doesn't provide a way to do this, I am thinking about developing a plugin that would intercept the handshake negotiation of IIS and extract the session keys. Came across Detours, Microsoft's open source framework for intercepting Windows APIs. Any inputs related to this approach would be of much help.
Jan 15, 2019 02:18 AM|lextm
"I am thinking about developing a plugin that would intercept the handshake negotiation of IIS and extract the session keys."
That's impossible at the IIS level, as IIS doesn't handle any SSL part. All encryption-related operations are delegated to the Windows security component, aka SChannel: https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
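The thread turns on handing a passive sniffer the session key that belongs to a given client random. The sketch below is an added example, not code from any poster, IIS or SChannel: it assumes the keys arrive in the NSS key log format that Wireshark reads (a format the thread itself does not name), validates each line, and indexes secrets by client random. Function names are hypothetical and the sample lines are constructed.

```python
import re

# Assumption: input is in the NSS key log format. CLIENT_RANDOM carries the
# TLS 1.2 master secret; the other labels are TLS 1.3 secrets.
LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret}}, [rejected line numbers])."""
    sessions, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m or m.group(1) not in LABELS or len(m.group(3)) % 2:
            rejected.append(lineno)
            continue
        label, rand, secret = m.groups()
        # A TLS 1.2 master secret is always 48 bytes (96 hex characters).
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            rejected.append(lineno)
            continue
        sessions.setdefault(rand.lower(), {})[label] = bytes.fromhex(secret)
    return sessions, rejected


def secrets_for(sessions, client_random):
    """Look up secrets for the client random bytes seen in a captured ClientHello."""
    return sessions.get(client_random.hex())


# Constructed sample input: not real key material.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "11" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "cd" * 32 + " " + "22" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cd" * 32 + " " + "33" * 32,
    "CLIENT_RANDOM " + "ef" * 32 + " " + "44" * 16,  # truncated secret
])
```

A session whose client random has no entry returns `None` from `secrets_for`, which is the case a sniffer must report as undecryptable rather than silently skip.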