04-23-2021 01:50 PM - last edited on 10-28-2021 03:09 PM by kh-cathy29811
If you find yourself in a situation where you are not using the client and need to know exactly what to bypass in SSL Decryption policy or Steering Exceptions, you can use the following to quickly determine what domains you need to focus on.
Netskope relies on private keys in order to determine the URLs for any HTTP traffic that has been encrypted using TLS. If you don't have the private keys, you can query the SNI from the certificate exchange for the domains being called.
To do this, simply capture a successful application session using Wireshark, then run the following command against the PCAP to pull the domains from the SNI in the certificate exchanges.
tshark -r ~/file.pcapng -T fields -e tls.handshake.extensions_server_name | sed '/^$/d'
This will produce a list similar to the example below:
This output can now be used to better inform any SSL Bypass or Steering Exceptions needed to accommodate your use case.
Thanks to Samuel Shiflett for the creative idea below. We can also query the Subject Alternative Name list for any site to find out what domains to focus on. A quick and dirty way is to use openssl as follows.