HTTPS Decryption


I noticed the issue of decrypting HTTPS was mentioned several times over the years (with the last time back in 2015 I think - and was wondering if this feature was ever added or if anyone was able to successfully implement it.

Thanks a lot.

No, not to my knowledge. There were several people who wanted to implement
it over the years - if someone did it, they never open-sourced it.

That being said - due to the prevalence of perfectly forward secure
ciphers, TLS decryption is not really an option anymore in most use-cases.


Thanks Johanna. But I was actually looking at the use case where you terminated PFS at a load balancer (or other device at the perimeter) and used upstream SSL (non PFS) to the backend servers.

Would it be possible to forward SSL packets to viewssld - - and then back to Bro?


Oh - sorry, I misunderstood the question. In any case - no, as far as I
know, no one has done exactly what I said in the original thread
(stripping encryption while keeping the framing intact). That would need
modifications to Bro; nothing changed since the thread you linked to.

I don't jnow viewssld; if it outputs just a decrypted HTTP stream, Bro
will pick it up by itself. There are a number of people that just use Bro
behind a SSL terminator, which is kind of similar conceptually. If it
outputs some other format, you will have to adjust the Bro protocol