.. _mozilla_projects_nss_tools_ssltap:
NSS tools : ssltap
==================
.. container::
| Name
| ssltap — Tap into SSL connections and display the data going by
| Synopsis
| libssltap [-vhfsxl] [-p port] [hostname:port]
| Description
| The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It
| watches TCP connections and displays the data going by. If a connection is
| SSL, the data display includes interpreted SSL records and handshaking
| Options
| -v
| Print a version string for the tool.
| -h
| Turn on hex/ASCII printing. Instead of outputting raw data, the
| command interprets each record as a numbered line of hex values,
| followed by the same data as ASCII characters. The two parts are
| separated by a vertical bar. Nonprinting characters are replaced
| by dots.
| -f
| Turn on fancy printing. Output is printed in colored HTML. Data
| sent from the client to the server is in blue; the server's reply
| is in red. When used with looping mode, the different connections
| are separated with horizontal lines. You can use this option to
| upload the output into a browser.
| -s
| Turn on SSL parsing and decoding. The tool does not automatically
| detect SSL sessions. If you are intercepting an SSL connection,
| use this option so that the tool can detect and decode SSL
| structures.
| If the tool detects a certificate chain, it saves the DER-encoded
| certificates into files in the current directory. The files are
| named cert.0x, where x is the sequence number of the certificate.
| If the -s option is used with -h, two separate parts are printed
| for each record: the plain hex/ASCII output, and the parsed SSL
| output.
| -x
| Turn on hex/ASCII printing of undecoded data inside parsed SSL
| records. Used only with the -s option. This option uses the same
| output format as the -h option.
| -l prefix
| Turn on looping; that is, continue to accept connections rather
| than stopping after the first connection is complete.
| -p port
| Change the default rendezvous port (1924) to another port.
| The following are well-known port numbers:
| \* HTTP 80
| \* HTTPS 443
| \* SMTP 25
| \* FTP 21
| \* IMAP 143
| \* IMAPS 993 (IMAP over SSL)
| \* NNTP 119
| \* NNTPS 563 (NNTP over SSL)
| Usage and Examples
| You can use the SSL Debugging Tool to intercept any connection
| information. Although you can run the tool at its most basic by issuing
| the ssltap command with no options other than hostname:port, the
| information you get in this way is not very useful. For example, assume
| your development machine is called intercept. The simplest way to use the
| debugging tool is to execute the following command from a command shell:
| $ ssltap www.netscape.com
| The program waits for an incoming connection on the default port 1924. In
| your browser window, enter the URL
http://intercept:1924. The browser
| retrieves the requested page from the server at www.netscape.com, but the
| page is intercepted and passed on to the browser by the debugging tool on
| intercept. On its way to the browser, the data is printed to the command
| shell from which you issued the command. Data sent from the client to the
| server is surrounded by the following symbols: --> [ data ] Data sent from
| the server to the client is surrounded by the following symbols: "left
| arrow"-- [ data ] The raw data stream is sent to standard output and is
| not interpreted in any way. This can result in peculiar effects, such as
| sounds, flashes, and even crashes of the command shell window. To output a
| basic, printable interpretation of the data, use the -h option, or, if you
| are looking at an SSL connection, the -s option. You will notice that the
| page you retrieved looks incomplete in the browser. This is because, by
| default, the tool closes down after the first connection is complete, so
| the browser is not able to load images. To make the tool continue to
| accept connections, switch on looping mode with the -l option. The
| following examples show the output from commonly used combinations of
| options.
| Example 1
| $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt
| Output
| Connected to interzone.mcom.com:443
| -->; [
| alloclen = 66 bytes
| [ssl2] ClientHelloV2 {
| version = {0x03, 0x00}
| cipher-specs-length = 39 (0x27)
| sid-length = 0 (0x00)
| challenge-length = 16 (0x10)
| cipher-suites = {
| (0x010080) SSL2/RSA/RC4-128/MD5
| (0x020080) SSL2/RSA/RC4-40/MD5
| (0x030080) SSL2/RSA/RC2CBC128/MD5
| (0x040080) SSL2/RSA/RC2CBC40/MD5
| (0x060040) SSL2/RSA/DES64CBC/MD5
| (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
| (0x000004) SSL3/RSA/RC4-128/MD5
| (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
| (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
| (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
| (0x000009) SSL3/RSA/DES64CBC/SHA
| (0x000003) SSL3/RSA/RC4-40/MD5
| (0x000006) SSL3/RSA/RC2CBC40/MD5
| }
| session-id = { }
| challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
| 0x2592 }
| }
| ]
| <-- [
| SSLRecord {
| 0: 16 03 00 03 e5 \|.....
| type = 22 (handshake)
| version = { 3,0 }
| length = 997 (0x3e5)
| handshake {
| 0: 02 00 00 46 \|...F
| type = 2 (server_hello)
| length = 70 (0x000046)
| ServerHello {
| server_version = {3, 0}
| random = {...}
| 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 \|
| wn&l.ì..XOG.-.E
| 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f \|
| \.uC§L.Ç.d<PAHO.
| session ID = {
| length = 32
| contents = {..}
| 0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 \| ...¨*1.)..@7W.§2
| 10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 \| VoRbþ=³e±...R£È.
| }
| cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
| }
| 0: 0b 00 02 c5 \|...Å
| type = 11 (certificate)
| length = 709 (0x0002c5)
| CertificateChain {
| chainlength = 706 (0x02c2)
| Certificate {
| size = 703 (0x02bf)
| data = { saved in file 'cert.001' }
| }
| }
| 0: 0c 00 00 ca \|....
| type = 12 (server_key_exchange)
| length = 202 (0x0000ca)
| 0: 0e 00 00 00 \|....
| type = 14 (server_hello_done)
| length = 0 (0x000000)
| }
| }
| ]
| --> [
| SSLRecord {
| 0: 16 03 00 00 44 \|....D
| type = 22 (handshake)
| version = { 3,0 }
| length = 68 (0x44)
| handshake {
| 0: 10 00 00 40 \|...@
| type = 16 (client_key_exchange)
| length = 64 (0x000040)
| ClientKeyExchange {
| message = {...}
| }
| }
| }
| ]
| --> [
| SSLRecord {
| 0: 14 03 00 00 01 \|.....
| type = 20 (change_cipher_spec)
| version = { 3,0 }
| length = 1 (0x1)
| 0: 01 \|.
| }
| SSLRecord {
| 0: 16 03 00 00 38 \|....8
| type = 22 (handshake)
| version = { 3,0 }
| length = 56 (0x38)
| < encrypted >
| }
| ]
| <-- [
| SSLRecord {
| 0: 14 03 00 00 01 \|.....
| type = 20 (change_cipher_spec)
| version = { 3,0 }
| length = 1 (0x1)
| 0: 01 \|.
| }
| ]
| <-- [
| SSLRecord {
| 0: 16 03 00 00 38 \|....8
| type = 22 (handshake)
| version = { 3,0 }
| length = 56 (0x38)
| < encrypted >
| }
| ]
| --> [
| SSLRecord {
| 0: 17 03 00 01 1f \|.....
| type = 23 (application_data)
| version = { 3,0 }
| length = 287 (0x11f)
| < encrypted >
| }
| ]
| <-- [
| SSLRecord {
| 0: 17 03 00 00 a0 \|....
| type = 23 (application_data)
| version = { 3,0 }
| length = 160 (0xa0)
| < encrypted >
| }
| ]
| <-- [
| SSLRecord {
| 0: 17 03 00 00 df \|....ß
| type = 23 (application_data)
| version = { 3,0 }
| length = 223 (0xdf)
| < encrypted >
| }
| SSLRecord {
| 0: 15 03 00 00 12 \|.....
| type = 21 (alert)
| version = { 3,0 }
| length = 18 (0x12)
| < encrypted >
| }
| ]
| Server socket closed.
| Example 2
| The -s option turns on SSL parsing. Because the -x option is not used in
| this example, undecoded values are output as raw data. The output is
| routed to a text file.
| $ ssltap -s -p 444 interzone.mcom.com:443 > s.txt
| Output
| Connected to interzone.mcom.com:443
| --> [
| alloclen = 63 bytes
| [ssl2] ClientHelloV2 {
| version = {0x03, 0x00}
| cipher-specs-length = 36 (0x24)
| sid-length = 0 (0x00)
| challenge-length = 16 (0x10)
| cipher-suites = {
| (0x010080) SSL2/RSA/RC4-128/MD5
| (0x020080) SSL2/RSA/RC4-40/MD5
| (0x030080) SSL2/RSA/RC2CBC128/MD5
| (0x060040) SSL2/RSA/DES64CBC/MD5
| (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
| (0x000004) SSL3/RSA/RC4-128/MD5
| (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
| (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
| (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
| (0x000009) SSL3/RSA/DES64CBC/SHA
| (0x000003) SSL3/RSA/RC4-40/MD5
| }
| session-id = { }
| challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
| 0x3fd0 }
| ]
| >-- [
| SSLRecord {
| type = 22 (handshake)
| version = { 3,0 }
| length = 997 (0x3e5)
| handshake {
| type = 2 (server_hello)
| length = 70 (0x000046)
| ServerHello {
| server_version = {3, 0}
| random = {...}
| session ID = {
| length = 32
| contents = {..}
| }
| cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
| }
| type = 11 (certificate)
| length = 709 (0x0002c5)
| CertificateChain {
| chainlength = 706 (0x02c2)
| Certificate {
| size = 703 (0x02bf)
| data = { saved in file 'cert.001' }
| }
| }
| type = 12 (server_key_exchange)
| length = 202 (0x0000ca)
| type = 14 (server_hello_done)
| length = 0 (0x000000)
| }
| }
| ]
| --> [
| SSLRecord {
| type = 22 (handshake)
| version = { 3,0 }
| length = 68 (0x44)
| handshake {
| type = 16 (client_key_exchange)
| length = 64 (0x000040)
| ClientKeyExchange {
| message = {...}
| }
| }
| }
| ]
| --> [
| SSLRecord {
| type = 20 (change_cipher_spec)
| version = { 3,0 }
| length = 1 (0x1)
| }
| SSLRecord {
| type = 22 (handshake)
| version = { 3,0 }
| length = 56 (0x38)
| > encrypted >
| }
| ]
| >-- [
| SSLRecord {
| type = 20 (change_cipher_spec)
| version = { 3,0 }
| length = 1 (0x1)
| }
| ]
| >-- [
| SSLRecord {
| type = 22 (handshake)
| version = { 3,0 }
| length = 56 (0x38)
| > encrypted >
| }
| ]
| --> [
| SSLRecord {
| type = 23 (application_data)
| version = { 3,0 }
| length = 287 (0x11f)
| > encrypted >
| }
| ]
| [
| SSLRecord {
| type = 23 (application_data)
| version = { 3,0 }
| length = 160 (0xa0)
| > encrypted >
| }
| ]
| >-- [
| SSLRecord {
| type = 23 (application_data)
| version = { 3,0 }
| length = 223 (0xdf)
| > encrypted >
| }
| SSLRecord {
| type = 21 (alert)
| version = { 3,0 }
| length = 18 (0x12)
| > encrypted >
| }
| ]
| Server socket closed.
| Example 3
| In this example, the -h option turns hex/ASCII format. There is no SSL
| parsing or decoding. The output is routed to a text file.
| $ ssltap -h -p 444 interzone.mcom.com:443 > h.txt
| Output
| Connected to interzone.mcom.com:443
| --> [
| 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 \| .@....'.........
| 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
| 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 \| ........á.......
| 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 \| ..þ[V.I.\xd9 ...º¹R
| 40: 6f 2d \|o-
| ]
| <-- [
| 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d \| ........F.......
| 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b \| h.:y`..<..³.Òi;
| 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 \| x.K.¦R.KFè. ...
| 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 \| MR.ý..QH.....¶vw
| 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b \| \*ô..¡.a¢d......
| 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 \| ..Å......0...0..
| 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 \| $ .......60...*.
| 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 \| H.÷......0w1.0..
| 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 \| .U....US1,0*..U.
| 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d \| ..#Netscape Comm
| a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f \| unications Corpo
| b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 \| ration1.0...U...
| c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 \| .Hardcore1'0%..U
| d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 \| ....Hardcore Cer
| e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 \| tificate Server
| f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 \| II0...9805160103
| <additional data lines>
| ]
| <additional records in same format>
| Server socket closed.
| Example 4
| In this example, the -s option turns on SSL parsing, and the -h option
| turns on hex/ASCII format. Both formats are shown for each record. The
| output is routed to a text file.
| $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt
| Output
| Connected to interzone.mcom.com:443
| --> [
| 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 \| .=....$.........
| 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
| 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 \| ........á.......
| 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 \|U..yÇ\xb0 ,.x.]µÏé
| alloclen = 63 bytes
| [ssl2] ClientHelloV2 {
| version = {0x03, 0x00}
| cipher-specs-length = 36 (0x24)
| sid-length = 0 (0x00)
| challenge-length = 16 (0x10)
| cipher-suites = {
| (0x010080) SSL2/RSA/RC4-128/MD5
| (0x020080) SSL2/RSA/RC4-40/MD5
| (0x030080) SSL2/RSA/RC2CBC128/MD5
| (0x040080) SSL2/RSA/RC2CBC40/MD5
| (0x060040) SSL2/RSA/DES64CBC/MD5
| (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
| (0x000004) SSL3/RSA/RC4-128/MD5
| (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
| (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
| (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
| (0x000009) SSL3/RSA/DES64CBC/SHA
| (0x000003) SSL3/RSA/RC4-40/MD5
| }
| session-id = { }
| challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
| 0xcfe9 }
| }
| ]
| <additional records in same formats>
| Server socket closed.
| Usage Tips
| When SSL restarts a previous session, it makes use of cached information
| to do a partial handshake. If you wish to capture a full SSL handshake,
| restart the browser to clear the session id cache.
| If you run the tool on a machine other than the SSL server to which you
| are trying to connect, the browser will complain that the host name you
| are trying to connect to is different from the certificate. If you are
| using the default BadCert callback, you can still connect through a
| dialog. If you are not using the default BadCert callback, the one you
| supply must allow for this possibility.
| See Also
| The NSS Security Tools are also documented at
|
[1]\ `
http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/pr
ojects/security/pki/nss/>`__.
| Additional Resources
| NSS is maintained in conjunction with PKI and security-related projects
| through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
| with a project wiki at [2]\ http://pki.fedoraproject.org/wiki/.
| For information specifically about NSS, the NSS project wiki is located at
|
[3]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
| directly to NSS code changes and releases.
| Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
| IRC: Freenode at #dogtag-pki
| Authors
| The NSS tools were written and maintained by developers with Netscape and
| now with Red Hat and Sun.
| Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
| <dlackey@redhat.com>.
| Copyright
| (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
| Visible links
| 1.
`http://www.mozilla.org/projects/secu.../pki/nss/tools <https://www.mozilla.org/projects/security/pki/nss/tools>`__
| 2. http://pki.fedoraproject.org/wiki/
| 3.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
