.. _mozilla_projects_nss_tools_ssltap: NSS tools : ssltap ================== .. container:: | Name | ssltap — Tap into SSL connections and display the data going by | Synopsis | libssltap [-vhfsxl] [-p port] [hostname:port] | Description | The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It | watches TCP connections and displays the data going by. If a connection is | SSL, the data display includes interpreted SSL records and handshaking | Options | -v | Print a version string for the tool. | -h | Turn on hex/ASCII printing. Instead of outputting raw data, the | command interprets each record as a numbered line of hex values, | followed by the same data as ASCII characters. The two parts are | separated by a vertical bar. Nonprinting characters are replaced | by dots. | -f | Turn on fancy printing. Output is printed in colored HTML. Data | sent from the client to the server is in blue; the server's reply | is in red. When used with looping mode, the different connections | are separated with horizontal lines. You can use this option to | upload the output into a browser. | -s | Turn on SSL parsing and decoding. The tool does not automatically | detect SSL sessions. If you are intercepting an SSL connection, | use this option so that the tool can detect and decode SSL | structures. | If the tool detects a certificate chain, it saves the DER-encoded | certificates into files in the current directory. The files are | named cert.0x, where x is the sequence number of the certificate. | If the -s option is used with -h, two separate parts are printed | for each record: the plain hex/ASCII output, and the parsed SSL | output. | -x | Turn on hex/ASCII printing of undecoded data inside parsed SSL | records. Used only with the -s option. This option uses the same | output format as the -h option. | -l prefix | Turn on looping; that is, continue to accept connections rather | than stopping after the first connection is complete. | -p port | Change the default rendezvous port (1924) to another port. | The following are well-known port numbers: | \* HTTP 80 | \* HTTPS 443 | \* SMTP 25 | \* FTP 21 | \* IMAP 143 | \* IMAPS 993 (IMAP over SSL) | \* NNTP 119 | \* NNTPS 563 (NNTP over SSL) | Usage and Examples | You can use the SSL Debugging Tool to intercept any connection | information. Although you can run the tool at its most basic by issuing | the ssltap command with no options other than hostname:port, the | information you get in this way is not very useful. For example, assume | your development machine is called intercept. The simplest way to use the | debugging tool is to execute the following command from a command shell: | $ ssltap www.netscape.com | The program waits for an incoming connection on the default port 1924. In | your browser window, enter the URL http://intercept:1924. The browser | retrieves the requested page from the server at www.netscape.com, but the | page is intercepted and passed on to the browser by the debugging tool on | intercept. On its way to the browser, the data is printed to the command | shell from which you issued the command. Data sent from the client to the | server is surrounded by the following symbols: --> [ data ] Data sent from | the server to the client is surrounded by the following symbols: "left | arrow"-- [ data ] The raw data stream is sent to standard output and is | not interpreted in any way. This can result in peculiar effects, such as | sounds, flashes, and even crashes of the command shell window. To output a | basic, printable interpretation of the data, use the -h option, or, if you | are looking at an SSL connection, the -s option. You will notice that the | page you retrieved looks incomplete in the browser. This is because, by | default, the tool closes down after the first connection is complete, so | the browser is not able to load images. To make the tool continue to | accept connections, switch on looping mode with the -l option. The | following examples show the output from commonly used combinations of | options. | Example 1 | $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt | Output | Connected to interzone.mcom.com:443 | -->; [ | alloclen = 66 bytes | [ssl2] ClientHelloV2 { | version = {0x03, 0x00} | cipher-specs-length = 39 (0x27) | sid-length = 0 (0x00) | challenge-length = 16 (0x10) | cipher-suites = { | (0x010080) SSL2/RSA/RC4-128/MD5 | (0x020080) SSL2/RSA/RC4-40/MD5 | (0x030080) SSL2/RSA/RC2CBC128/MD5 | (0x040080) SSL2/RSA/RC2CBC40/MD5 | (0x060040) SSL2/RSA/DES64CBC/MD5 | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5 | (0x000004) SSL3/RSA/RC4-128/MD5 | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA | (0x000009) SSL3/RSA/DES64CBC/SHA | (0x000003) SSL3/RSA/RC4-40/MD5 | (0x000006) SSL3/RSA/RC2CBC40/MD5 | } | session-id = { } | challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3 | 0x2592 } | } | ] | <-- [ | SSLRecord { | 0: 16 03 00 03 e5 \|..... | type = 22 (handshake) | version = { 3,0 } | length = 997 (0x3e5) | handshake { | 0: 02 00 00 46 \|...F | type = 2 (server_hello) | length = 70 (0x000046) | ServerHello { | server_version = {3, 0} | random = {...} | 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 \| | wn&l.ì..XOG.-.E | 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f \| | \.uC§L.Ç.d [ | SSLRecord { | 0: 16 03 00 00 44 \|....D | type = 22 (handshake) | version = { 3,0 } | length = 68 (0x44) | handshake { | 0: 10 00 00 40 \|...@ | type = 16 (client_key_exchange) | length = 64 (0x000040) | ClientKeyExchange { | message = {...} | } | } | } | ] | --> [ | SSLRecord { | 0: 14 03 00 00 01 \|..... | type = 20 (change_cipher_spec) | version = { 3,0 } | length = 1 (0x1) | 0: 01 \|. | } | SSLRecord { | 0: 16 03 00 00 38 \|....8 | type = 22 (handshake) | version = { 3,0 } | length = 56 (0x38) | < encrypted > | } | ] | <-- [ | SSLRecord { | 0: 14 03 00 00 01 \|..... | type = 20 (change_cipher_spec) | version = { 3,0 } | length = 1 (0x1) | 0: 01 \|. | } | ] | <-- [ | SSLRecord { | 0: 16 03 00 00 38 \|....8 | type = 22 (handshake) | version = { 3,0 } | length = 56 (0x38) | < encrypted > | } | ] | --> [ | SSLRecord { | 0: 17 03 00 01 1f \|..... | type = 23 (application_data) | version = { 3,0 } | length = 287 (0x11f) | < encrypted > | } | ] | <-- [ | SSLRecord { | 0: 17 03 00 00 a0 \|.... | type = 23 (application_data) | version = { 3,0 } | length = 160 (0xa0) | < encrypted > | } | ] | <-- [ | SSLRecord { | 0: 17 03 00 00 df \|....ß | type = 23 (application_data) | version = { 3,0 } | length = 223 (0xdf) | < encrypted > | } | SSLRecord { | 0: 15 03 00 00 12 \|..... | type = 21 (alert) | version = { 3,0 } | length = 18 (0x12) | < encrypted > | } | ] | Server socket closed. | Example 2 | The -s option turns on SSL parsing. Because the -x option is not used in | this example, undecoded values are output as raw data. The output is | routed to a text file. | $ ssltap -s -p 444 interzone.mcom.com:443 > s.txt | Output | Connected to interzone.mcom.com:443 | --> [ | alloclen = 63 bytes | [ssl2] ClientHelloV2 { | version = {0x03, 0x00} | cipher-specs-length = 36 (0x24) | sid-length = 0 (0x00) | challenge-length = 16 (0x10) | cipher-suites = { | (0x010080) SSL2/RSA/RC4-128/MD5 | (0x020080) SSL2/RSA/RC4-40/MD5 | (0x030080) SSL2/RSA/RC2CBC128/MD5 | (0x060040) SSL2/RSA/DES64CBC/MD5 | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5 | (0x000004) SSL3/RSA/RC4-128/MD5 | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA | (0x000009) SSL3/RSA/DES64CBC/SHA | (0x000003) SSL3/RSA/RC4-40/MD5 | } | session-id = { } | challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c | 0x3fd0 } | ] | >-- [ | SSLRecord { | type = 22 (handshake) | version = { 3,0 } | length = 997 (0x3e5) | handshake { | type = 2 (server_hello) | length = 70 (0x000046) | ServerHello { | server_version = {3, 0} | random = {...} | session ID = { | length = 32 | contents = {..} | } | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5 | } | type = 11 (certificate) | length = 709 (0x0002c5) | CertificateChain { | chainlength = 706 (0x02c2) | Certificate { | size = 703 (0x02bf) | data = { saved in file 'cert.001' } | } | } | type = 12 (server_key_exchange) | length = 202 (0x0000ca) | type = 14 (server_hello_done) | length = 0 (0x000000) | } | } | ] | --> [ | SSLRecord { | type = 22 (handshake) | version = { 3,0 } | length = 68 (0x44) | handshake { | type = 16 (client_key_exchange) | length = 64 (0x000040) | ClientKeyExchange { | message = {...} | } | } | } | ] | --> [ | SSLRecord { | type = 20 (change_cipher_spec) | version = { 3,0 } | length = 1 (0x1) | } | SSLRecord { | type = 22 (handshake) | version = { 3,0 } | length = 56 (0x38) | > encrypted > | } | ] | >-- [ | SSLRecord { | type = 20 (change_cipher_spec) | version = { 3,0 } | length = 1 (0x1) | } | ] | >-- [ | SSLRecord { | type = 22 (handshake) | version = { 3,0 } | length = 56 (0x38) | > encrypted > | } | ] | --> [ | SSLRecord { | type = 23 (application_data) | version = { 3,0 } | length = 287 (0x11f) | > encrypted > | } | ] | [ | SSLRecord { | type = 23 (application_data) | version = { 3,0 } | length = 160 (0xa0) | > encrypted > | } | ] | >-- [ | SSLRecord { | type = 23 (application_data) | version = { 3,0 } | length = 223 (0xdf) | > encrypted > | } | SSLRecord { | type = 21 (alert) | version = { 3,0 } | length = 18 (0x12) | > encrypted > | } | ] | Server socket closed. | Example 3 | In this example, the -h option turns hex/ASCII format. There is no SSL | parsing or decoding. The output is routed to a text file. | $ ssltap -h -p 444 interzone.mcom.com:443 > h.txt | Output | Connected to interzone.mcom.com:443 | --> [ | 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 \| .@....'......... | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@...... | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 \| ........á....... | 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 \| ..þ[V.I.\xd9 ...º¹R | 40: 6f 2d \|o- | ] | <-- [ | 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d \| ........F....... | 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b \| h.:y`..<..³.Òi; | 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 \| x.K.¦R.KFè. ... | 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 \| MR.ý..QH.....¶vw | 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b \| \*ô..¡.a¢d...... | 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 \| ..Å......0...0.. | 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 \| $ .......60...*. | 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 \| H.÷......0w1.0.. | 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 \| .U....US1,0*..U. | 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d \| ..#Netscape Comm | a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f \| unications Corpo | b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 \| ration1.0...U... | c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 \| .Hardcore1'0%..U | d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 \| ....Hardcore Cer | e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 \| tificate Server | f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 \| II0...9805160103 | | ] | | Server socket closed. | Example 4 | In this example, the -s option turns on SSL parsing, and the -h option | turns on hex/ASCII format. Both formats are shown for each record. The | output is routed to a text file. | $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt | Output | Connected to interzone.mcom.com:443 | --> [ | 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 \| .=....$......... | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@...... | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 \| ........á....... | 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 \|U..yÇ\xb0 ,.x.]µÏé | alloclen = 63 bytes | [ssl2] ClientHelloV2 { | version = {0x03, 0x00} | cipher-specs-length = 36 (0x24) | sid-length = 0 (0x00) | challenge-length = 16 (0x10) | cipher-suites = { | (0x010080) SSL2/RSA/RC4-128/MD5 | (0x020080) SSL2/RSA/RC4-40/MD5 | (0x030080) SSL2/RSA/RC2CBC128/MD5 | (0x040080) SSL2/RSA/RC2CBC40/MD5 | (0x060040) SSL2/RSA/DES64CBC/MD5 | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5 | (0x000004) SSL3/RSA/RC4-128/MD5 | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA | (0x000009) SSL3/RSA/DES64CBC/SHA | (0x000003) SSL3/RSA/RC4-40/MD5 | } | session-id = { } | challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db | 0xcfe9 } | } | ] | | Server socket closed. | Usage Tips | When SSL restarts a previous session, it makes use of cached information | to do a partial handshake. If you wish to capture a full SSL handshake, | restart the browser to clear the session id cache. | If you run the tool on a machine other than the SSL server to which you | are trying to connect, the browser will complain that the host name you | are trying to connect to is different from the certificate. If you are | using the default BadCert callback, you can still connect through a | dialog. If you are not using the default BadCert callback, the one you | supply must allow for this possibility. | See Also | The NSS Security Tools are also documented at | [1]\ `http://www.mozilla.org/projects/security/pki/nss/ `__. | Additional Resources | NSS is maintained in conjunction with PKI and security-related projects | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, | with a project wiki at [2]\ http://pki.fedoraproject.org/wiki/. | For information specifically about NSS, the NSS project wiki is located at | [3]\ `http://www.mozilla.org/projects/security/pki/nss/ `__. The NSS site relates | directly to NSS code changes and releases. | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com | IRC: Freenode at #dogtag-pki | Authors | The NSS tools were written and maintained by developers with Netscape and | now with Red Hat and Sun. | Authors: Elio Maldonado , Deon Lackey | . | Copyright | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. | References | Visible links | 1. `http://www.mozilla.org/projects/secu.../pki/nss/tools `__ | 2. http://pki.fedoraproject.org/wiki/ | 3. `http://www.mozilla.org/projects/security/pki/nss/ `__