Decrypting TLS Traffic with eBPF
HTTPS protects traffic by running HTTP over TLS. TLS encrypts data before it reaches TCP and decrypts it after TCP delivers it, so packets on the wire contain ciphertext rather than application data.
A common way to inspect HTTPS traffic is to run a man-in-the-middle proxy, install its CA certificate on the client, and route traffic through it. This works for many browsers and tools, but it often fails for applications that use certificate pinning: the application compares the server certificate or public key against a value built into the binary, so it rejects the proxy certificate even though the local trust store accepts it.
An alternative is to observe the data inside the process, before the TLS library encrypts outbound bytes and after it decrypts inbound bytes. eBPF uprobes can attach to user-space TLS library functions, such as OpenSSL's SSL_write and SSL_read, and copy the plaintext buffers those calls operate on. This needs root (or CAP_BPF and CAP_PERFMON) on the host, and it only works when the TLS functions are reachable as symbols: a dynamically linked libssl is the easy case, while a statically linked or stripped TLS stack needs different probe points.
The useful boundary looks like this:
application plaintext
↓
TLS library encrypt/decrypt ← eBPF probes here
↓
TCP socket ciphertext
This does not break TLS on the network, and nothing about the protocol or the certificates changes. It captures plaintext at the endpoint, where the process already holds it in clear, which is why it sidesteps pinning entirely: there is no second certificate for the application to reject.
For a minimal demo, bpftrace is enough. I keep an example in this repo: https://github.com/wilkice/ebpf-tour.
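The following bpftrace script is an added illustration of the probe placement described above; it is not the script from the repository linked here. It assumes a target that loads OpenSSL 3 dynamically from /usr/lib/x86_64-linux-gnu/libssl.so.3 (the path on Debian-style systems; check /proc/<pid>/maps for the library your process actually maps) and filters on the process name "curl". The SSL_write buffer holds plaintext on entry, but the SSL_read buffer is only filled when the call returns, so the read side saves the pointer in a uprobe and dereferences it in the matching uretprobe.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: capture OpenSSL plaintext at the SSL_read/SSL_write boundary.
// Assumptions: libssl.so.3 at the path below, target process named "curl".
// Run as root:  BPFTRACE_STRLEN=200 bpftrace ssl_sniff.bt

BEGIN
{
    printf("Tracing SSL_read/SSL_write for comm \"curl\"... Ctrl-C to end.\n");
}

// SSL_write(SSL *ssl, const void *buf, int num)
// arg1 = buf, arg2 = num. The plaintext is complete when the call is entered.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
/comm == "curl"/
{
    printf("[pid %d] SSL_write %d bytes:\n%s\n", pid, arg2, str(arg1, arg2));
}

// SSL_read(SSL *ssl, void *buf, int num)
// On entry the buffer is still empty: remember where it is, per thread.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/comm == "curl"/
{
    @rbuf[tid] = arg1;
}

// On return, retval is the number of plaintext bytes written into the buffer
// (<= 0 means error or want-read/want-write, so there is nothing to print).
uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/comm == "curl" && @rbuf[tid]/
{
    if (retval > 0) {
        printf("[pid %d] SSL_read %d bytes:\n%s\n", pid, retval, str(@rbuf[tid], retval));
    }
    delete(@rbuf[tid]);
}

END
{
    clear(@rbuf);
}
```

Two practical limits to keep in mind. str() stops at the first NUL byte and is capped by BPFTRACE_STRLEN (64 by default, a few hundred bytes at most on older bpftrace releases), so HTTP headers and small JSON bodies come through but binary or large bodies are truncated. And applications that call SSL_read_ex/SSL_write_ex instead of SSL_read/SSL_write need probes on those functions too; their byte count comes back through the size_t pointer in the fourth argument rather than the return value, so the uretprobe has to dereference it.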