
I am a novice with networking and Unix and am trying to debug an issue. I have been able to capture packets using tshark in order to analyze and inspect why clients are receiving 401 errors on initial connect. The quick solution is to not enforce HTTPS, but this is a production server, so that is not an option. This server runs behind HAProxy and uses HTTPS, so the packets are encrypted. I have searched online for ways to decrypt and found some examples, but each leads to some sort of error that cannot be debugged. For example, one suggestion is to:

  • create the RSA cert and key pair
  • run the server
  • capture traffic from another session

tshark -r ssltest.pcap -V -x -o "ssl.debug_file:ssldebug.log" -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:127.0.0.1,4443,http,server.pem"

This is supposed to decrypt the packets, but what I find is more detail in the output and no readable information such as header info.

  • Take a look at this related question: https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites – Pierz Dec 11 '18 at 10:41
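The linked question explains the usual reason a server-key decryption "does nothing": tshark's keys_list (ssl.keys_list in the version used above) can only recover session keys when the negotiated cipher suite uses static RSA key exchange; with (EC)DHE suites or TLS 1.3 the server's private key is never enough, and a per-session key log from one of the endpoints is required. The script below, an added example that is not part of the question or answer, reads the ServerHello from a TLS handshake record and reports which case applies, so you can tell in advance whether a keys_list decryption can work for a given capture. The ServerHello bytes are constructed inline for the demo (the field layout follows RFC 5246 and RFC 8446); in practice you would feed it the raw record bytes of the server's first handshake message, for example taken from the hex dump that the -x option above already produces. The cipher-suite table is a small subset of the IANA registry, just enough to cover common suites.

```python
"""Classify the key exchange negotiated in a TLS ServerHello.

A capture can be decrypted with only the server's RSA private key
(tshark's ssl.keys_list / tls.keys_list) solely when the suite uses
static RSA key exchange. For (EC)DHE suites and TLS 1.3 the handshake
produces fresh per-session secrets, and a key log from an endpoint is
the only way to decrypt the application data.
"""
import struct

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446; carries the real TLS 1.3 version

# Subset of the IANA TLS Cipher Suite registry (values as registered).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    pos += 1 + hs[pos]                # skip legacy session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    pos += 1                          # compression method
    if pos + 2 <= len(hs):            # extensions block is optional
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            # TLS 1.3 keeps legacy_version = 0x0303 and signals 1.3 here
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", edata)[0]
    return {"version": version, "cipher_suite": suite}


def key_exchange_class(hello: dict) -> str:
    """'static-rsa', 'ephemeral', 'ephemeral-tls13' or 'unknown'."""
    if hello["version"] == 0x0304 or (hello["cipher_suite"] >> 8) == 0x13:
        return "ephemeral-tls13"     # TLS 1.3 always uses (EC)DHE
    name = CIPHER_SUITES.get(hello["cipher_suite"])
    if name is None:
        return "unknown"
    if "DHE" in name:
        return "ephemeral"
    if name.startswith("TLS_RSA_WITH"):
        return "static-rsa"
    return "unknown"


def decryptable_with_server_key(record: bytes) -> bool:
    """True only when a keys_list-style RSA private key can decrypt the session."""
    return key_exchange_class(parse_server_hello(record)) == "static-rsa"


def build_server_hello(legacy_version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (demo data, not a real capture)."""
    hs = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # empty session_id
    hs += struct.pack("!H", suite) + b"\x00"                       # null compression
    if extensions:
        hs += struct.pack("!H", len(extensions)) + extensions
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy_version, len(body)) + body


# Constructed sample handshakes for the three cases.
SAMPLE_STATIC_RSA = build_server_hello(0x0303, 0x003C)
SAMPLE_ECDHE = build_server_hello(0x0303, 0xC02F)
SAMPLE_TLS13 = build_server_hello(0x0303, 0x1301,
                                  struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))

if __name__ == "__main__":
    for label, rec in (("static RSA", SAMPLE_STATIC_RSA), ("ECDHE", SAMPLE_ECDHE),
                       ("TLS 1.3", SAMPLE_TLS13)):
        info = parse_server_hello(rec)
        print(f"{label:10s} suite=0x{info['cipher_suite']:04X} "
              f"version=0x{info['version']:04X} -> {key_exchange_class(info)}")
```

If the classifier reports anything other than static-rsa for your HAProxy capture, no amount of fiddling with the keys_list line will yield plaintext; the fix is to obtain session secrets from an endpoint (a client key log written via SSLKEYLOGFILE and loaded with tshark's key log preference) or to reproduce the request against a test listener configured for a static RSA suite.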

1 Answer


The HTTP 401 response code means that the HTTP basic authentication failed for the resource. So, your users are requesting resources that need HTTP authentication, but they haven't given the correct credentials.

Tero Kilkanen
  • I realize that, but we have been back and forth with the user about this and they insist they are using the credentials. This attempt to decrypt would be ample evidence if we can show no credentials. I am at my wits' end here, because even using a script outside our network did not duplicate their situation. – vbNewbie Oct 11 '16 at 18:28