Howto decrypt SSL traffic with BorderManager or iChain

(Last modified: 15Apr2005)

This document (10097349) is provided subject to the disclaimer at the end of this document.

fact

iChain 2.3

iChain 2.2

BorderManager 3.8

Decrypting SSL traffic

Troubleshooting iChain or BorderManager SSL issues

Troubleshooting iChain or BorderManager Authentication issues

symptom

Howto decrypt SSL traffic with BorderManager or iChain

fix

Use ssldump. Multiple options exist to decrypt SSL traffic, but most are limited to the client/browser side, i.e. you can decrypt the data to and from the client but not necessarily the data to the back end Web server. ssldump allows you to decrypt SSL traffic on both the client and server side, assuming the correct keys exist.

Existing client options:

1. ieHTTPHeaders - ieHTTPHeaders is an Explorer Bar for Microsoft Internet Explorer that displays the HTTP headers sent and received by Internet Explorer as you surf the web, regardless of whether you are accessing HTTP or HTTPS data. It can be useful in debugging various web-development problems related to cookies, caching, etc. The plug-in and documentation are available from http://www.blunck.info/iehttpheaders.html. This tool is extremely useful for looking at the HTTP headers but cannot be used to view any of the HTTP data (often important for iChain when dealing with rewriter issues).

2. Mozilla LiveHTTPHeaders - does the same as ieHTTPHeaders above but on the Firefox and Mozilla platforms. The plug-in and documentation for this tool are available from http://livehttpheaders.mozdev.org/. This tool is extremely useful for looking at the HTTP headers but cannot be used to view any of the HTTP data (often important for iChain when dealing with rewriter issues).

3. Netscape option to enable NULL encryption. During an SSL handshake between an SSL client and server, the SSL client hello normally identifies the encryption and compression algorithms supported by the client. The server then responds with the SSL server hello and agrees on the encryption and compression algorithms. By editing the encryption ciphers under Edit -> Preferences -> Privacy and Security -> SSL -> Edit Ciphers, one can force the client to offer only no encryption in the SSL client hello part of the SSL handshake (disable all encryption types except the No encryption with RSA authentication and a SHA1 MAC or MD5 MAC). The end result is that the server will come back and offer NULL encryption, and an Ethereal or LAN trace will include legible data. Note that the Ethereal or LAN trace will show the data as SSL data, but looking at the ASCII dump will show valid HTTP GET/POST/CONNECT/HEAD/etc. requests and responses. Unlike the two tools mentioned above, this allows administrators to view HTTP headers as well as HTTP data.

It is possible to enable NULL encryption on the back end servers too, so that they return NULL encryption in the SSL server hello response. When this is enabled, LAN traces capturing traffic to and from the back end Web server will show HTTP data. The advantage of this is that you can now, with the above tools, access the HTTP data when SSL is set up from the browser/client to the back end Web server through our intermediate proxy. To set this up, you will need to do the following for the most common back end Web servers:

a) IIS - edit the SCHANNEL\Ciphers\NULL subkey and change it from the default 0x0 to 0xffffffff. Refer to http://support.microsoft.com/?kbid=245030 for more details on the various SCHANNEL settings that are used by SSL on IIS.

b) Apache - edit the SSLCipherSuite variable in the configuration file to do NULL encryption. Refer to http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite for more details on setting this up with Apache. This Apache directive can be applied at the server level, or per directory.

NOTE: these settings make secure and sensitive data visible when set. It is not recommended to use any of them unless you have full control over who accesses the server and the server data is not considered sensitive. Since these conditions are not appropriate in iChain, or even BorderManager, environments, using these settings is not recommended. A better approach is to use ssldump.

4. SSLDUMP - a utility that exists on both the Windows and Linux platforms to dump SSL data on a network to a file or console. To dump the content of the SSL headers during a handshake, one need only run ssldump with the following parameters:

- ssldump -i <interface_name> -A -N -x expression

where

-A  prints all record fields (by default ssldump chooses the most interesting fields);
-N attempts to parse ASN.1 when it appears, such as in certificates and DNs;
-x prints each record in hex, as well as decoding it; and
expression selects what packets ssldump will examine. Technically speaking, ssldump supports the full expression syntax from PCAP and tcpdump, which is well documented at http://winpcap.cs.pu.edu.tw/docs/docs31beta4/html/group__language.html. Some basic examples of expressions include host <host> and port <port>, which allow you to capture traffic to a defined host or port.

Sample output of this command is shown below. The browser was attempting to reach https://www.verisign.com when the capture was taken (note that the packet data was removed to avoid eating up pages of space!). Note that it is very useful for verifying server certificate decodes when an SSL handshake fails. You can also view the server certificate attributes and whether it was signed by an intermediate or trusted root.

# ssldump -i eth0 -A -N -x host www.verisign.com > sslhand.out

output ...

New TCP connection #1: L14.suse.de(33888) <-> www.verisign.net(443)

1 1 0.2014 (0.2014) C>S SSLv2 compatible client hello
Version 3.1
cipher suites // Cipher suites being sent by the client, i.e. encryption algorithms it can support
SSL2_CK_RC4
SSL2_CK_RC2
SSL2_CK_3DES
SSL2_CK_DES
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
Unknown value 0x33
Unknown value 0x32
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Unknown value 0x2f
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
Unknown value 0xfefe
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
Packet data[105]=
80 67 01 03 01 00 4e 00 00 00 10 01 00 80 03 00
...............................

1 2 0.4087 (0.2072) S>CV3.0(2615) Handshake
ServerHello
Version 3.0
random[32]=
00 00 45 42 ea 2b 5a 67 aa 42 4c 6c d4 0e f1 cb
72 d9 75 63 d7 11 03 79 32 52 84 7f 62 7a 3e 1c
session_id[32]=
47 14 58 1f 65 99 e3 3c 7b f6 af c0 db a0 c3 ff
e8 3d 0b fd 3f 98 1f 6d 23 ae eb b4 b3 3f 6f 8d

cipherSuite SSL_RSA_WITH_RC4_128_MD5 // encryption type that server has agreed to use
compressionMethod NULL // compression algorithm that server has agreed to use

Certificate // Certificate decode
Subject
C=US
ST=California
L=Mountain View
O=VeriSign, Inc.
OU=Production Services
OU=Terms of use at
www.verisign.com
rpa (c)00
CN=www.verisign.com
Issuer
O=VeriSign Trust Network
OU=VeriSign, Inc.
OU=VeriSign International Server CA - Class 3
OU=www.verisign.com
CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Serial 3c 36 1d 05 ed 01 53 77 93 4c 49 e5 ec b0 b5 bf
Extensions
Extension: X509v3 Basic Constraints
Extension: X509v3 Key Usage
Extension: X509v3 CRL Distribution Points
Extension: X509v3 Certificate Policies
Extension: X509v3 Extended Key Usage
Extension: Authority Information Access
Subject
O=VeriSign Trust Network
OU=VeriSign, Inc.
OU=VeriSign International Server CA - Class 3
OU=www.verisign.com
CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issuer
C=US
O=VeriSign, Inc.
OU=Class 3 Public Primary Certification Authority
Serial 25 4b 8a 85 38 42 cc e3 58 f8 c5 dd ae 22 6e a4
Extensions
Extension: X509v3 Basic Constraints
Extension: X509v3 Certificate Policies
Extension: X509v3 Extended Key Usage
Extension: X509v3 Key Usage
Extension: Netscape Cert Type
Extension: X509v3 CRL Distribution Points
Subject
C=US
O=VeriSign, Inc.
OU=Class 3 Public Primary Certification Authority
Issuer
C=US
O=VeriSign, Inc.
OU=Class 3 Public Primary Certification Authority
Serial 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
Certificate[576]=
30 82 02 3c 30 82 01 a5 02 10 70 ba e4 1d 10 d9
........................................

ServerHelloDone
Packet data[2620]=
16 03 00 0a 37 02 00 00 46 03 00 00 00 45 42 ea
.........................................

 1 3 0.4262 (0.0175) C>SV3.0(132) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
4d fd be e6 34 91 05 2a 6d b0 ff ec 73 b7 37 4b
76 e8 b8 32 31 c8 c4 f3 b4 40 51 3e 03 14 91 56
26 bd e6 ae f6 7e a5 fb dc 4f 2a eb fc 48 68 b1
d5 04 09 17 d8 1b c6 5a d1 70 70 7f 42 8e 6a b2
3a 9f 2c 6a 9e 3e ee c0 c3 d2 f8 92 57 19 89 2d
6f de 9f 31 b3 1c 87 04 b5 72 98 e9 c9 b0 49 2c
22 6d ed 35 05 88 50 2f cb fe 09 d1 e8 5a 62 a9
ae 89 19 39 ff 1e f7 c8 48 d2 9a bf a5 7d 16 d3
Packet data[137]=
16 03 00 00 84 10 00 00 80 4d fd be e6 34 91 05
...............................

1 4 0.4262 (0.0000) C>SV3.0(1) ChangeCipherSpec
Packet data[6]=
14 03 00 00 01 01 

1 5 0.4262 (0.0000) C>SV3.0(56) Handshake
Packet data[61]=
16 03 00 00 38 cf d4 65 60 cc 0b 3d c3 9e 92 f2
...................................

1 6 0.6695 (0.2433) S>CV3.0(1) ChangeCipherSpec
Packet data[6]=
14 03 00 00 01 01 

1 7 0.6695 (0.0000) S>CV3.0(56) Handshake
Packet data[61]=
16 03 00 00 38 fe 65 22 a4 22 5f 93 93 a9 bf a1
..............................

1 8 0.6703 (0.0007) C>SV3.0(423) application_data
Packet data[428]=
17 03 00 01 a7 02 91 14 bb 50 d1 4a 64 5e c1 26
..................

1 9 0.8838 (0.2134) S>CV3.0(253) application_data
Packet data[258]=
17 03 00 00 fd 8d 57 b0 b0 23 a8 aa b8 9b cb a2
............................
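
Whether the private-key decryption described in this document can work depends on the cipherSuite line of the ServerHello: the server key only recovers the session keys when an RSA key exchange was negotiated, not an ephemeral Diffie-Hellman (DHE) one, and a NULL suite means the data is already readable on the wire. The following Python script is an added example (not part of the original Novell document or of ssldump) that reads handshake output such as sslhand.out and reports this per connection. The sample text and the function names classify, summarize and findings are constructed for illustration, and matching on cipher-suite name parts is an assumption based on the names shown above.

```python
import re

# Record header as printed on this page: "1 2 0.4087 (0.2072) S>CV3.0(2615) Handshake".
# ssldump normally prints a space after "S>C"; \s* accepts both layouts.
RECORD = re.compile(r"^\s*(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s*\S")
NEW_CONN = re.compile(r"^New TCP connection #(\d+): (\S+)\(\d+\) <-> (\S+)\((\d+)\)")
CIPHER = re.compile(r"^\s*cipherSuite\s+(\S+)")  # the suite chosen in ServerHello


def classify(suite):
    """Classify a suite by name parts (name matching is an assumption)."""
    kx = "other"
    if "_DHE_" in suite or "_ECDHE_" in suite or "_anon_" in suite:
        kx = "ephemeral-dh"  # session secret cannot be derived from the server key
    elif re.match(r"(SSL|TLS)_RSA_", suite):
        kx = "rsa"  # pre-master secret is encrypted to the server key
    export = "EXPORT" in suite  # export suites may use a temporary RSA key
    return {"suite": suite, "key_exchange": kx, "export_grade": export,
            "null_encryption": "_WITH_NULL_" in suite,
            "key_decryptable": kx == "rsa" and not export}


def summarize(dump_text):
    """Map connection number -> endpoints and negotiated cipher suite."""
    conns, current, from_server = {}, None, False
    for line in dump_text.splitlines():
        m = NEW_CONN.match(line)
        if m:
            conns[int(m.group(1))] = {"client": m.group(2), "server": m.group(3),
                                      "port": int(m.group(4)), "negotiated": None}
            continue
        m = RECORD.match(line)
        if m:
            current, from_server = int(m.group(1)), m.group(2) == "S"
            continue
        m = CIPHER.match(line)
        if m and from_server and current in conns:
            conns[current]["negotiated"] = classify(m.group(1))
    return conns


def findings(info):
    """Notes for one connection returned by summarize()."""
    n = info["negotiated"]
    if n is None:
        return ["no ServerHello seen; capture may have started mid-connection"]
    notes = []
    if n["null_encryption"]:
        notes.append("NULL encryption: application data is readable on the wire")
    if n["export_grade"]:
        notes.append("export-grade suite negotiated")
    if n["key_decryptable"]:
        notes.append("RSA key exchange: decryptable with the server private key")
    elif not n["null_encryption"]:
        notes.append("not decryptable from the server private key alone")
    return notes


# Constructed sample: connection 1 is abridged from the capture above,
# connections 2 and 3 are made up to show the other two outcomes.
SAMPLE = """\
New TCP connection #1: L14.suse.de(33888) <-> www.verisign.net(443)
1 1 0.2014 (0.2014) C>S SSLv2 compatible client hello
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1 2 0.4087 (0.2072) S>CV3.0(2615) Handshake
cipherSuite SSL_RSA_WITH_RC4_128_MD5
compressionMethod NULL
New TCP connection #2: client.example(40001) <-> server.example(443)
2 2 0.0200 (0.0100) S>C V3.0(900) Handshake
cipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
New TCP connection #3: client.example(40002) <-> server.example(443)
3 2 0.0200 (0.0100) S>C V3.0(700) Handshake
cipherSuite TLS_RSA_WITH_NULL_SHA
"""

if __name__ == "__main__":
    for num, info in sorted(summarize(SAMPLE).items()):
        print(num, info["server"], info["negotiated"]["suite"], findings(info))
```

A connection reported as NULL encryption on a production accelerator or back end server indicates that one of the settings from option 3 is still in place.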

 

The next stage is to decrypt the SSL data. Modifying the ciphers as in the previous step (step 3) could put the security of the entire Web site at risk. By using ssldump, however, one can simply import the pkcs12 certificate (including the private key) into the ssldump tool and decode the actual SSL encrypted data. In the following example, I backed up and exported the server certificate used on my iChain accelerator (neildgi.pfx). The key used by ssldump is in a PEM encoded format, so one needs to convert from PFX to PEM using openssl first.

# openssl pkcs12 -in neildgi.pfx -out neildgi.pem

A PEM formatted certificate that includes the private key will now be created (neildgi.pem). Note that you will be asked for an input passphrase (the password you exported the server certificate with) and an export passphrase that you will use with ssldump, e.g. novell. Now that we have the certificate that includes the private key in the PEM format needed by ssldump, we can start decrypting data. The ssldump command that I used for decrypting the data is the following:

ssldump -i eth0 -A -d -X -k neildgi.pem -p novell host ncbm38.dub.novell.com > ssldump.out

where

-A  prints all record fields (by default ssldump chooses the most interesting fields);
-d  displays the application data traffic. This usually means decrypting it, but when -d is used ssldump will also decode application data traffic _before_ the SSL session initiates. This allows you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP connection, this allows you to use ssldump to sniff any TCP connection. ssldump will automatically detect ASCII data and display it directly to the screen. Non-ASCII data is displayed as hex dumps.
-X formats the data. When the -d option is used, binary data is automatically printed in two columns with a hex dump on the left and the printable characters on the right. -X suppresses the display of the printable characters, thus making it easier to cut and paste the hex data into some other program.
-y decorates the output for processing with troff. Not very useful for the average user.
-k uses keyfile (the private key of the certificate being used) as the location of the SSL keyfile (OpenSSL format which we converted to)
-p defines the password used for the above keyfile
host ncbm38.dub.novell.com is the name of the iChain server accelerator we are filtering ssl data from
ssldump.out is the name of the output file I am writing the data to

The above command returns the following output (I have left out the SSL handshake dump, which is also displayed in the output file, and just focused on the application data):

....................................

1 7 0.0205 (0.0000) C>SV3.0(56) Handshake
Finished
md5_hash[16]=
71 7d 03 41 70 63 3d 46 49 0b 3e 9c 51 d3 e4 60
sha_hash[20]=
9e 72 0a e7 ad 71 6a d2 df f0 04 f1 5f b6 67 b8
8f e8 69 67

1 8 0.1177 (0.0971) S>CV3.0(1) ChangeCipherSpec

1 9 0.1177 (0.0000) S>CV3.0(56) Handshake
Finished
md5_hash[16]=
f9 c1 d0 65 47 a7 bc 5f 5f 90 3b 54 0c f4 ad 0c
sha_hash[20]=
e7 6d ba b9 0d 8f bc 3c 78 40 1c 57 19 6d b3 6a
93 8b 01 f5

1 10 0.1182 (0.0005) C>SV3.0(633) application_data
---------------------------------------------------------------
GET /ICSLogin/p0.gif HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/ICSLogin/?%22https://ncbm38.dub.novell.com/%22
Cookie: s_sq=%5B%5BB%5D%5D; s_cc=true; Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

1 11 0.1278 (0.0095) S>CV3.0(959) application_data
---------------------------------------------------------------
48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d
..............................
---------------------------------------------------------------

1 12 2.1843 (2.0564) C>SV3.0(791) application_data
---------------------------------------------------------------

GET /ICSIBroker/?%22https://ncbm38.dub.novell.com/%22-T HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/ICSLogin/?%22https://ncbm38.dub.novell.com/%22
Cookie: Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; s_sq=%5B%5BB%5D%5D; s_cc=true; IPCZQX0148111af8=00000100047204002878c8da; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

1 13 2.1891 (0.0048) S>CV3.0(1684) application_data
---------------------------------------------------------------
48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 6f 75
....................................................
 

2 7 0.0202 (0.0000) C>SV3.0(705) application_data
---------------------------------------------------------------
GET /blank.html HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/
Cookie: Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; s_sq=%5B%5BB%5D%5D; s_cc=true;
PCZQX0148111af8=00000100047204002878c8da; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

2 8 0.0736 (0.0533) S>CV3.0(1524) application_data
---------------------------------------------------------------
HTTP/1.1 404 Not Found
Date: Fri, 15 Apr 2005 08:23:33 GMT
Server: Apache/2.0.49 (Linux/SuSE)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Language: en
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1202
Via: 1.1 ncichain_server.hwlab.suse.de (iChain 2.3.270d)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:%5bno%20address%20given%5d" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>

<h1>Object not found!</h1>
<p>
The requested URL was not found on this server.
The link on the
<a href="https://ncbm38.dub.novell.com/">referring
page</a> seems to be wrong or outdated. Please inform the author of
<a href="https://ncbm38.dub.novell.com/">that page</a>
about the error.
</p>
<p>

If you think this is a server error, please contact
the <a href="mailto:%5bno%20address%20given%5d">webmaster</a>.
</p>

<h2>Error 404</h2>
<address>
<a href="/">glenfiddich.hwlab.suse.de</a><br />
<span>Fri Apr 15 10:23:33 2005<br />
Apache/2.0.49 (Linux/SuSE)</span>
</address>
</body>
</html>
---------------------------------------------------------------

2 9 0.0749 (0.0013) C>SV3.0(713) application_data
---------------------------------------------------------------
GET /welcome/blank.html HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/
Cookie: Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; s_sq=%5B%5BB%5D%5D; s_cc=true; IPCZQX0148111af8=00000100047204002878c8da; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

2 10 0.0845 (0.0095) S>CV3.0(368) application_data
---------------------------------------------------------------

HTTP/1.1 200 OK
Date: Fri, 15 Apr 2005 08:23:33 GMT
Server: Apache/2.0.49 (Linux/SuSE)
Last-Modified: Fri, 04 Feb 2005 00:42:12 GMT
ETag: "1a010-2a-c0d00100"
Accept-Ranges: bytes
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 42
Via: 1.1 ncichain_server.hwlab.suse.de (iChain 2.3.270d)

<html>
<body>
</body>
</html>

---------------------------------------------------------------
2 11 0.0855 (0.0009) C>SV3.0(655) application_data
---------------------------------------------------------------
GET /welcome/showhide_nw65.js HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/welcome/Header
Cookie: JSESSIONID=6299A9C248FBBF2C13846D3A0574FDD3; IPCZQX0148111af8=00000100047204002878c8da; s_sq=%5B%5BB%5D%5D; s_cc=true; Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

2 12 0.0954 (0.0099) S>CV3.0(2604) application_data
---------------------------------------------------------------

HTTP/1.1 200 OK
Date: Fri, 15 Apr 2005 08:23:33 GMT
Server: Apache/2.0.49 (Linux/SuSE)
Last-Modified: Fri, 04 Feb 2005 00:42:12 GMT
ETag: "1a062-8e8-c0d00100"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 2280
Via: 1.1 ncichain_server.hwlab.suse.de (iChain 2.3.270d)
var curImageID = "title"; //defines initial selected button
var curmenuID = "blank"; //defines initial menu being displayed
var curpageID = "mygroup"; //defines initial page being displayed
var timeoutID = null; //defined timeout variable to start and stop setTimeout() 

//array for all images
if (document.images)
{
//load images for swapping
var imageArray = new Array();
imageArray["title1"] = new Image(171,20);
imageArray["title2"] = new Image(171,20);
//set images URLs
imageArray["title1"].src = "images/NW65_title1.gif";
imageArray["title2"].src = "images/NW65_title2.gif";
}

function showhide(divID)
{
var element;
element = document.getElementById(divID);
if(element.style.display == "none")
{

element.style.display = "block";
}
else
{
element.style.display = "none";
}
}

---------------------------------------------------------------

2 13 0.1675 (0.0720) C>SV3.0(704) application_data
---------------------------------------------------------------

GET /welcome/images/NW65_title1.gif HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/welcome/Header
Cookie: JSESSIONID=6299A9C248FBBF2C13846D3A0574FDD3; IPCZQX0148111af8=00000100047204002878c8da; s_sq=%5B%5BB%5D%5D; s_cc=true; Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

2 14 0.1836 (0.0160) S>CV3.0(1361) application_data
---------------------------------------------------------------

48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d
..........................................................................

---------------------------------------------------------------

2 15 0.1854 (0.0017) C>SV3.0(645) application_data
---------------------------------------------------------------

GET /welcome/OES.js HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/welcome/Header
Cookie: JSESSIONID=6299A9C248FBBF2C13846D3A0574FDD3; IPCZQX0148111af8=00000100047204002878c8da; s_sq=%5B%5BB%5D%5D; s_cc=true; Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

2 16 0.1960 (0.0106) S>CV3.0(1193) application_data
---------------------------------------------------------------

HTTP/1.1 200 OK
Date: Fri, 15 Apr 2005 08:23:33 GMT
Server: Apache/2.0.49 (Linux/SuSE)
Last-Modified: Fri, 04 Feb 2005 00:42:12 GMT
ETag: "19fe5-366-c0d00100"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 870
Via: 1.1 ncichain_server.hwlab.suse.de (iChain 2.3.270d)
function linuxstart()
{
parent.content.getDIVs('linux','nw','sp3');
}

function nwstart()
{
parent.content.getDIVs('nw','linux','sp3');
}

function sp3start()
{
parent.content.getDIVs('sp3','nw','linux');
}

function getDIVs (prefixShow, prefixHide, otherHide)
{
var divs = document.getElementsByTagName("DIV");
if (divs != null)
{
var count = divs.length;
for(i=0; i<count; i++)
{
var div1;
var idName;
div1 = divs[i];
idName = div1.getAttribute("id");
//&& idName.lengh>0
if(idName != null)
{
if(idName.indexOf(prefixShow)==0)
{

//show this one
div1.style.display = "block";
}

if(idName.indexOf(prefixHide)==0)
{

//hide this one
div1.style.display = "none";
}

---------------------------------------------------------------

2 17 0.3818 (0.1857) C>SV3.0(672) application_data
---------------------------------------------------------------

GET /welcome/OES_style.css HTTP/1.1
Host: ncbm38.dub.novell.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://ncbm38.dub.novell.com/welcome/WelcomePage
Cookie: JSESSIONID=440BB1E9413BF279E257C2C0811B86CE; IPCZQX0148111af8=00000100047204002878c8da; s_sq=%5B%5BB%5D%5D; s_cc=true; Collections=%20%5BT%5D%5BD%5Din%20Advanced%20Selections%5BC%5DSupport%5BE%5D; iscookiesupported=true; novell_language=en-us; SUSE_Tab=services
---------------------------------------------------------------

2 18 0.3927 (0.0109) S>CV3.0(2873) application_data
---------------------------------------------------------------

HTTP/1.1 200 OK
Date: Fri, 15 Apr 2005 08:23:33 GMT
Server: Apache/2.0.49 (Linux/SuSE)
Last-Modified: Fri, 04 Feb 2005 00:42:12 GMT
ETag: "19fe6-a05-c0d00100"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 2565
Via: 1.1 ncichain_server.hwlab.suse.de (iChain 2.3.270d)

td.column1 p { line-height: 1.5em }
td.column2 p { font-size: 0.75em; line-height: 1.5em }
td.column2 .subhead1 { color: black; font-weight: bold; text-transform: uppercase; letter-spacing: 0.3em }
:

So, with no impact on the Web server in a production environment, one can troubleshoot Web issues where all the Web data is being transmitted over SSL.
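
The decrypted output above carries live session material in clear text (JSESSIONID and the other Cookie values), so a file such as ssldump.out should be handled like the credentials it contains. The following Python script is an added example, not part of the original Novell document or of ssldump: it replaces cookie and authorization values with a short hash tag, so the same session can still be followed across records, and lists the HTTP start line of each decrypted record. The sample input is constructed, and the function names redact, redact_line and tag are illustrative.

```python
import hashlib
import re

# application_data record header, with or without a space after "C>S"
RECORD = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s*\S*\s+application_data")
SENSITIVE = re.compile(
    r"^(Cookie|Set-Cookie|Authorization|Proxy-Authorization):\s*(.*)$", re.I)
START_LINE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}\b.*)$")
SEPARATOR = re.compile(r"^-{5,}\s*$")


def tag(value):
    """Short one-way tag: equal secrets stay correlatable, values are not shown."""
    return "sha256:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def redact_line(line):
    """Replace the secret part of a sensitive header line; pass others through."""
    m = SENSITIVE.match(line)
    if not m:
        return line
    name, value = m.group(1), m.group(2)
    if name.lower() in ("cookie", "set-cookie"):
        out = []
        for i, pair in enumerate(value.split(";")):
            key, sep, val = pair.strip().partition("=")
            if not key:
                continue
            # In Set-Cookie only the first pair is the cookie; the rest are
            # attributes such as Path or Secure and are kept as they are.
            if name.lower() == "set-cookie" and i > 0:
                out.append(pair.strip())
            else:
                out.append(key + "=" + tag(val) if sep else key)
        return name + ": " + "; ".join(out)
    scheme, _, credential = value.partition(" ")
    return "%s: %s %s" % (name, scheme, tag(credential))


def redact(dump_text):
    """Return (redacted_text, index of HTTP start lines per record)."""
    out, index, pending = [], [], None
    for line in dump_text.splitlines():
        m = RECORD.match(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)), m.group(3))
        elif pending and line.strip() and not SEPARATOR.match(line):
            if START_LINE.match(line.strip()):
                index.append(pending + (line.strip(),))
            pending = None  # first payload line decides; hex dumps are skipped
        out.append(redact_line(line))
    return "\n".join(out), index


# Constructed sample in the layout of the output above; cookie values are made up.
SAMPLE = """\
1 10 0.1182 (0.0005) C>SV3.0(633) application_data
---------------------------------------------------------------
GET /ICSLogin/p0.gif HTTP/1.1
Host: ncbm38.dub.novell.com
Cookie: iscookiesupported=true; JSESSIONID=EXAMPLE0001
---------------------------------------------------------------

1 11 0.1278 (0.0095) S>CV3.0(959) application_data
---------------------------------------------------------------
48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d
---------------------------------------------------------------

2 8 0.0736 (0.0533) S>CV3.0(1524) application_data
---------------------------------------------------------------
HTTP/1.1 404 Not Found
Set-Cookie: JSESSIONID=EXAMPLE0001; Path=/; Secure
"""

if __name__ == "__main__":
    text, index = redact(SAMPLE)
    print(text)
    for conn, rec, direction, start in index:
        print(conn, rec, direction, start)
```

The match is line based, so a header value that wraps onto a second line, as one Cookie line does in the output above, is not caught; check the result before sharing it.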


document

Document Title: Howto decrypt SSL traffic with BorderManager or iChain
Document ID: 10097349
Solution ID: NOVL101771
Creation Date: 15Apr2005
Modified Date: 15Apr2005
Novell Product Class: iChain

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.