12-17-2017 12:47 PM - edited 03-08-2019 07:42 PM
Hello dear WSA security fans,
On my WSA (AsyncOS 10.5.1-296) I configured the HTTPS proxy using an intermediate CA (uploaded private key & certificate), as you can see in the attached screenshot.
My question is: where can I export the RSA private key which the WSA uses for inner communication with clients, that is, the private key whose public key is used in the dynamically generated mimic certificate?
Thanks.
12-17-2017 12:49 PM
I tried XML config export, but the key from my question is not included there.
12-19-2017 03:48 AM
Hello,
WSA doesn't provide a mechanism to export private keys, as this would be a security hole if it were allowed. Also, in the case of other encryption mechanisms, keys are set up for each session, so exporting keys will not help.
Since you want keys from WSA, I am assuming you want to decrypt the HTTPS content again. What is your use case for doing that? In the next release of WSA, we are adding a Web Traffic Tap feature that will enable customers to configure the tap interface to copy the decrypted traffic out. This can be used for offline passive analysis of the traffic.
Let me know in case you need any further information.
Thanks
Sapan
01-29-2018 04:05 AM
Sapan hi,
You're right, I'm looking at various scenarios for passive SSL/TLS decryption. This can be done if the SSL/TLS leg between client and proxy doesn't use PFS. In the meantime, I got info that WSA can't set up ciphers independently for the leg between client and proxy and the leg between proxy and web server, so this is another show stopper for me.
However, the new feature, traffic tap, will be the solution I'm looking for.
Thanks.
06-01-2018 08:48 AM
Hello Sapan,
Is the TAP feature in the actual release of WSA?
Else, do you know when it will be available?