1

I'm trying to capture traffic from Insomnia for debugging an API, since the traffic is HTTPS I need the keylog generated by insomnia when it does the handshake with the server so I can see the traffic in plain text.

There is no documentation about that, at least I couldn't find it.

What I do for that purpose, for instance, in Firefox is configure the ssl key log file, so when FF connects to an HTTPS site, I can capture the traffic in Wireshark and see the plain HTTP requests/responses (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format).

How can I log the keys used in the SSL/TLS handshake from Insomnia for the same purpose? Thanks.

Pablo Pazos
  • 3,080
  • 29
  • 42
  • You might want to do a little reverse engineering to determine the SSL/TLS library used by the application. If it is openssl then [this](https://security.stackexchange.com/a/80174/662) provides some details for getting the keys depending on which openssl version. You might also just try launching the app from a process or shell with the environment variable `SSLKEYLOGFILE` set to the path of a file to receive keys. If that file starts getting filled with keys as you use the app then you know it supports SSLKEYLOGFILE. – President James K. Polk Aug 16 '21 at 21:47
  • Thanks @PresidentJamesK.Polk this is a JS application, mostly written in typescript, which I'm not familiar with. I checked the package dependency declaration and couldn't find anything related with SSL. https://github.com/Kong/insomnia/tree/develop – Pablo Pazos Aug 18 '21 at 04:33

1 Answers1

1

It appears this has already been implemented in insomnia.

In my case, once I defined a file path using SSLKEYLOGFILE, the file was only populated after opening insomnia in the same terminal, then making a request.

Opening insomnia via the GUI doesn't seem to take into account the SSLKEYLOGFILE.

myol
  • 8,857
  • 19
  • 82
  • 143