Can you check/monitor the client certificates sent in requests using Wireshark?

GrowinMan · Aug 1, 2014 · Viewed 13.4k times

I'm able to make HTTP requests on my local host using client certificates.

I have some logic in my code that can make two requests use the same certificate for their requests, or not, depending on certain conditions.

My localhost is currently pointing to the default 'Welcome to IIS' page.

Is there any way to use Wireshark to detect if the client certificates that are being sent from my machine in separate requests are the same or not?

PS: If someone can suggest a better way of achieving what I'm trying to do here, that'd work as well. I don't necessarily need to use Wireshark. My main objective is to figure out whether two different requests are sending the same cert or not, as I've mentioned here: How do I monitor client certs that are being sent via the requests?

Thanks!

Answer

GrowinMan · Aug 5, 2014

I found a way to do this. This guide helped. In summary: yes, you can use Wireshark to examine what client certificates are being sent from the client (or received on the server).

You need to start capturing traffic in Wireshark only for the period of time when the request(s) are made and processed, and then add the appropriate filters to filter based on the protocol. In my case, I filtered based on the IP addresses of the sender and receiver because I knew both.

You'll need the server's certificate to decrypt the messages because they'll be transmitted in encrypted format. You can easily do that by going to Edit -> Preferences. Select Protocols from the menu on the left -> SSL -> Click edit. Add the server's cert and IP, and save the settings.
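As an added example (not part of the original answer), the comparison the question asks for can also be scripted once the TLS handshake bytes are in hand: the Python below parses a TLS `Certificate` handshake message as Wireshark would show it in the capture, takes the SHA-256 fingerprint of the leaf certificate (the same fingerprint Wireshark displays), and reports whether two requests presented the same client certificate. The DER blobs are constructed placeholders, not real certificates, and the record builder exists only to create that sample input.

```python
import hashlib
import struct

HANDSHAKE = 0x16   # TLS record content type: Handshake
CERTIFICATE = 11   # Handshake message type: Certificate

def certificate_fingerprints(record: bytes) -> list:
    """Parse one TLS record carrying a Certificate message and return the
    SHA-256 fingerprint of every certificate in the chain, leaf first.
    An empty list means the peer sent an empty Certificate message,
    i.e. no client certificate at all."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS Handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    chain_len = int.from_bytes(msg[0:3], "big")   # total length of all entries
    pos, end, fps = 3, 3 + chain_len, []
    while pos < end:
        cert_len = int.from_bytes(msg[pos:pos + 3], "big")
        der = msg[pos + 3:pos + 3 + cert_len]
        fps.append(hashlib.sha256(der).hexdigest())
        pos += 3 + cert_len
    return fps

def same_client_cert(record_a: bytes, record_b: bytes) -> bool:
    """True only when both handshakes carry a leaf certificate and the leaves match."""
    fa, fb = certificate_fingerprints(record_a), certificate_fingerprints(record_b)
    return bool(fa) and bool(fb) and fa[0] == fb[0]

def build_certificate_record(certs: list) -> bytes:
    """Assemble a TLS 1.2 Handshake record holding a Certificate message
    from DER blobs. Used here only to construct sample input."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(entries).to_bytes(3, "big") + entries
    hs = bytes([CERTIFICATE]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs

# Constructed placeholder "DER" blobs standing in for two different client certs.
CERT_A = b"\x30\x82\x01\x00" + b"A" * 16
CERT_B = b"\x30\x82\x01\x00" + b"B" * 16
REQUEST_1 = build_certificate_record([CERT_A])
REQUEST_2 = build_certificate_record([CERT_A])
REQUEST_3 = build_certificate_record([CERT_B])

if __name__ == "__main__":
    print("request 1 vs 2 same cert:", same_client_cert(REQUEST_1, REQUEST_2))  # True
    print("request 1 vs 3 same cert:", same_client_cert(REQUEST_1, REQUEST_3))  # False
```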