
Workshop n°13: Monitoring a Java client program's HTTPS communication

In this workshop we are going to monitor (and debug) the SSL communication of a simple Java client program.

To monitor the secured communication, TcpCatcher is going to behave like an SSL server in the middle. Because TcpCatcher's server certificate will not match the target server, we will have to turn off certificate chain validation in the client.

  • Let's suppose we have a Java client program that retrieves a web page over HTTPS using a URLConnection.

  • Let's start TcpCatcher with default settings, but check the 'Monitor SSL' and 'static certificate' options.

  • TcpCatcher has now opened its own SSL server in the middle, with its own server certificate.
    We need to make a few small changes to our client program to be able to monitor this communication:
    First, we need to tell the program to use TcpCatcher as a proxy.
    Second, since the server certificate received won't be trusted and won't match the target server name, we need to turn off certificate chain validation in the client. This can be achieved simply with a custom javax.net.ssl.HostnameVerifier and a custom javax.net.ssl.X509TrustManager.
    Here is the new code:

  • Let's run the new client program: the HTTPS communication can now be monitored (and interfered with) at network level.

  • [Coming soon: no change in client code with new TcpCatcher options.]
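
The client changes described in the third step (proxy setting, custom HostnameVerifier and custom X509TrustManager), written out as an added example that is not TcpCatcher's own code. The proxy address 127.0.0.1:8080, the HTTP proxy type, the class name and the target URL are assumptions; both overrides are applied to the single debug connection rather than JVM-wide.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class DebugHttpsClient {
    // Assumed values: use the address TcpCatcher listens on and your own target URL.
    static final String PROXY_HOST = "127.0.0.1";
    static final int PROXY_PORT = 8080;
    static final String TARGET = "https://example.com/";

    public static void main(String[] args) throws Exception {
        // Trust manager that accepts any chain. It logs the subject it was shown,
        // so the run confirms the certificate came from the monitoring proxy.
        X509TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                System.err.println("Unvalidated server cert: " + chain[0].getSubjectX500Principal());
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAll }, null);

        // First change: route the request through the monitoring proxy.
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(PROXY_HOST, PROXY_PORT));
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(TARGET).toURL().openConnection(proxy);

        // Second change: disable chain and host name checks on this connection only.
        // Nothing is installed with setDefault*, so other connections still validate.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);

        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) System.out.println(line);
        }
    }
}
```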