Export diffie hellman ephemeral session keys through schannel/IIS

hemant kumar 21 Reputation points
2021-07-12T11:12:55.877+00:00

The product that I work for monitors network traffic for our enterprise customers to come up with metrics for availability, performance and protocol-level semantics.
We have a requirement to decrypt and inspect the HTTPS traffic from IIS.

Currently our monitoring solution is capable of doing this for HTTPS sessions that use an RSA cipher for key exchange, provided the server's private key is made available to it. But when the cipher used is a variant of Diffie-Hellman there is no way to do so, as this offers perfect forward secrecy and with the server's private key alone the traffic cannot be decrypted. My product can decrypt the traffic if the session key corresponding to the session ID or client random is provided to it. I would like to know if there is a way to extract the session key of the HTTPS transactions from the IIS server or Schannel infrastructure (either through logs, through a plugin, or by any other means).

A question asked by my colleague in the past on the same topic on the IIS forums is here.
We know it is possible to do so, as can be seen in the documentation here.

We want to know what could be the best way to get this done.
If this is not the correct forum to answer this question, please point me to the correct one.

Thanks a ton

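The question asks for session secrets keyed by client random. The format that passive monitoring tools (Wireshark, for instance) consume for exactly this purpose is the NSS key log format: one `CLIENT_RANDOM <client random hex> <master secret hex>` line per TLS 1.2 session, and per-secret labels for TLS 1.3. As an added example that is not part of this thread, the following Python indexes such a log by client random and rejects malformed lines; the sample log lines and the "schannel hook" named in the comment are constructed placeholders, not something the thread confirms exists.

```python
import binascii

# TLS 1.2 and earlier: one CLIENT_RANDOM line carries the 48-byte master secret.
# TLS 1.3: per-direction traffic secrets, each line keyed by the same client random.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Constructed sample key log (placeholder hex, not real session secrets).
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by a hypothetical schannel hook\n"
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
    "CLIENT_RANDOM " + "cc" * 32 + " " + "dd" * 40 + "\n"  # wrong secret length, skipped
    "CLIENT_TRAFFIC_SECRET_0 " + "ee" * 32 + " " + "ff" * 32 + "\n"
    "SERVER_TRAFFIC_SECRET_0 " + "ee" * 32 + " " + "11" * 32 + "\n"
    "RSA 0123456789abcdef " + "22" * 48 + "\n"  # legacy RSA premaster label, skipped
)

def parse_keylog(text):
    """Index NSS key log text as {client_random: {label: secret}} (bytes keys/values).
    Returns (index, skipped) so a pipeline can alert when lines are malformed."""
    index, skipped = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            skipped += 1
            continue
        label, rand_hex, secret_hex = parts
        try:
            client_random = binascii.unhexlify(rand_hex)
            secret = binascii.unhexlify(secret_hex)
        except (binascii.Error, ValueError):
            skipped += 1
            continue
        # Client random is always 32 bytes. A TLS 1.2 master secret is 48 bytes;
        # TLS 1.3 secrets are the handshake hash length (32 for SHA-256, 48 for SHA-384).
        want = (48,) if label == TLS12_LABEL else (32, 48) if label in TLS13_LABELS else ()
        if len(client_random) != 32 or len(secret) not in want:
            skipped += 1
            continue
        index.setdefault(client_random, {})[label] = secret
    return index, skipped
```

A decryptor then looks up `index[client_random]` using the 32-byte random it captured from the ClientHello, which is the only handshake value both a DHE and an RSA session expose in the clear.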

Accepted answer
  1. Anonymous
    2021-07-13T08:00:47.427+00:00

    Hi,
    I did some research but I didn't find any official documents about this issue.
    Based on my understanding, for better support I would suggest that you raise an MS support ticket. In addition, if the issue is proven to be a system flaw, the consulting fee will be refunded. You may find the phone number for your region from the link below.
    Global Customer Service phone numbers:
    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

    Thanks for your understanding.
    Best regards,
    Danny


1 additional answer

  1. hemant kumar 21 Reputation points
    2021-07-20T06:28:42.353+00:00

    Thanks, Danny, for getting back and letting me know the preferred option to take it further. I have opened a support case with MS and am following up on the same. I was stuck with other things on my plate, so I couldn't respond sooner. Thanks once again.

