security/nss/doc/nroff/ssltap.1

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 '\" t
     2 .\"     Title: SSLTAP
     3 .\"    Author: [see the "Authors" section]
     4 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
     5 .\"      Date:  5 June 2014
     6 .\"    Manual: NSS Security Tools
     7 .\"    Source: nss-tools
     8 .\"  Language: English
     9 .\"
    10 .TH "SSLTAP" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
    11 .\" -----------------------------------------------------------------
    12 .\" * Define some portability stuff
    13 .\" -----------------------------------------------------------------
    14 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    15 .\" http://bugs.debian.org/507673
    16 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
    17 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    18 .ie \n(.g .ds Aq \(aq
    19 .el       .ds Aq '
    20 .\" -----------------------------------------------------------------
    21 .\" * set default formatting
    22 .\" -----------------------------------------------------------------
    23 .\" disable hyphenation
    24 .nh
    25 .\" disable justification (adjust text to left margin only)
    26 .ad l
    27 .\" -----------------------------------------------------------------
    28 .\" * MAIN CONTENT STARTS HERE *
    29 .\" -----------------------------------------------------------------
    30 .SH "NAME"
    31 ssltap \- Tap into SSL connections and display the data going by
    32 .SH "SYNOPSIS"
    33 .HP \w'\fBssltap\fR\ 'u
    34 \fBssltap\fR [\-fhlsvx] [\-p\ port] [hostname:port]
    35 .SH "STATUS"
    36 .PP
    37 This documentation is still work in progress\&. Please contribute to the initial review in
    38 \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
    39 .SH "DESCRIPTION"
    40 .PP
    41 The SSL Debugging Tool
    42 \fBssltap\fR
    43 is an SSL\-aware command\-line proxy\&. It watches TCP connections and displays the data going by\&. If a connection is SSL, the data display includes interpreted SSL records and handshaking\&.
    44 .SH "OPTIONS"
    45 .PP
    46 \-f
    47 .RS 4
    48 Turn on fancy printing\&. Output is printed in colored HTML\&. Data sent from the client to the server is in blue; the server\*(Aqs reply is in red\&. When used with looping mode, the different connections are separated with horizontal lines\&. You can use this option to upload the output into a browser\&.
    49 .RE
    50 .PP
    51 \-h
    52 .RS 4
    53 Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&.
    54 .RE
    55 .PP
    56 \-l prefix
    57 .RS 4
    58 Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete\&.
    59 .RE
    60 .PP
    61 \-p port
    62 .RS 4
    63 Change the default rendezvous port (1924) to another port\&.
    64 .sp
    65 The following are well\-known port numbers:
    66 .sp
    67 * HTTP 80
    68 .sp
    69 * HTTPS 443
    70 .sp
    71 * SMTP 25
    72 .sp
    73 * FTP 21
    74 .sp
    75 * IMAP 143
    76 .sp
    77 * IMAPS 993 (IMAP over SSL)
    78 .sp
    79 * NNTP 119
    80 .sp
    81 * NNTPS 563 (NNTP over SSL)
    82 .RE
    83 .PP
    84 \-s
    85 .RS 4
    86 Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&.
    87 .sp
    88 If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&.
    89 .sp
    90 If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&.
    91 .RE
    92 .PP
    93 \-v
    94 .RS 4
    95 Print a version string for the tool\&.
    96 .RE
    97 .PP
    98 \-x
    99 .RS 4
   100 Turn on extra SSL hex dumps\&.
   101 .RE
   102 .SH "USAGE AND EXAMPLES"
   103 .PP
   104 You can use the SSL Debugging Tool to intercept any connection information\&. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful\&. For example, assume your development machine is called intercept\&. The simplest way to use the debugging tool is to execute the following command from a command shell:
   105 .sp
   106 .if n \{\
   107 .RS 4
   108 .\}
   109 .nf
   110 $ ssltap www\&.netscape\&.com:80
   111 .fi
   112 .if n \{\
   113 .RE
   114 .\}
   115 .PP
   116 The program waits for an incoming connection on the default port 1924\&. In your browser window, enter the URL http://intercept:1924\&. The browser retrieves the requested page from the server at www\&.netscape\&.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept\&. On its way to the browser, the data is printed to the command shell from which you issued the command\&. Data sent from the client to the server is surrounded by the following symbols: \-\-> [ data ]\&. Data sent from the server to the client is surrounded by the following symbols: <\-\- [ data ]\&. The raw data stream is sent to standard output and is not interpreted in any way\&. This can result in peculiar effects, such as sounds, flashes, and even crashes of the command shell window\&. To output a basic, printable interpretation of the data, use the \-h option, or, if you are looking at an SSL connection, the \-s option\&. You will notice that the page you retrieved looks incomplete in the browser\&. This is because, by default, the tool closes down after the first connection is complete, so the browser is not able to load images\&. To make the tool continue to accept connections, switch on looping mode with the \-l option\&. The following examples show the output from commonly used combinations of options\&.
   117 .PP
   118 Example 1
   119 .sp
   120 .if n \{\
   121 .RS 4
   122 .\}
   123 .nf
   124 $ ssltap\&.exe \-sx \-p 444 interzone\&.mcom\&.com:443 > sx\&.txt
   125 .fi
   126 .if n \{\
   127 .RE
   128 .\}
   129 .PP
   130 Output
   131 .sp
   132 .if n \{\
   133 .RS 4
   134 .\}
   135 .nf
   136 Connected to interzone\&.mcom\&.com:443
   137 \-\-> [
   138 alloclen = 66 bytes
   139    [ssl2]  ClientHelloV2 {
   140             version = {0x03, 0x00}
   141             cipher\-specs\-length = 39 (0x27)
   142             sid\-length = 0 (0x00)
   143             challenge\-length = 16 (0x10)
   144             cipher\-suites = {
   146                   (0x010080) SSL2/RSA/RC4\-128/MD5
   147                   (0x020080) SSL2/RSA/RC4\-40/MD5
   148                   (0x030080) SSL2/RSA/RC2CBC128/MD5
   149                   (0x040080) SSL2/RSA/RC2CBC40/MD5
   150                   (0x060040) SSL2/RSA/DES64CBC/MD5
   151                   (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5
   152                   (0x000004) SSL3/RSA/RC4\-128/MD5
   153                   (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA
   154                   (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA
   155                   (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA
   156                   (0x000009) SSL3/RSA/DES64CBC/SHA
   157                   (0x000003) SSL3/RSA/RC4\-40/MD5
   158                   (0x000006) SSL3/RSA/RC2CBC40/MD5
   159                   }
   160             session\-id = { }
   161             challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
   163 0x2592 }
   164 }
   165 ]
   166 <\-\- [
   167 SSLRecord {
   168    0: 16 03 00 03  e5                                   |\&.\&.\&.\&.\&.
   169    type    = 22 (handshake)
   170    version = { 3,0 }
   171    length  = 997 (0x3e5)
   172    handshake {
   173    0: 02 00 00 46                                      |\&.\&.\&.F
   174       type = 2 (server_hello)
   175       length = 70 (0x000046)
   176             ServerHello {
   177             server_version = {3, 0}
   178             random = {\&.\&.\&.}
   179    0: 77 8c 6e 26  6c 0c ec c0  d9 58 4f 47  d3 2d 01 45  |
   180 wn&l\&.\(`i\&.\&.XOG\&.\-\&.E
   181    10: 5c 17 75 43  a7 4c 88 c7  88 64 3c 50  41 48 4f 7f  |
   183 \e\&.uC\(scL\&.\(,C\&.d<PAHO\&.
   184                   session ID = {
   185                   length = 32
   187                 contents = {\&.\&.}
   188    0: 14 11 07 a8  2a 31 91 29  11 94 40 37  57 10 a7 32  | \&.\&.\&.\(ad*1\&.)\&.\&.@7W\&.\(sc2
   189    10: 56 6f 52 62  fe 3d b3 65  b1 e4 13 0f  52 a3 c8 f6  | VoRb\(Tp=\(S3e\(+-\&.\&.\&.R\(Po\(`E\&.
   190          }
   191                cipher_suite = (0x0003) SSL3/RSA/RC4\-40/MD5
   192          }
   193    0: 0b 00 02 c5                                      |\&.\&.\&.\(oA
   194       type = 11 (certificate)
   195       length = 709 (0x0002c5)
   196             CertificateChain {
   197             chainlength = 706 (0x02c2)
   198                Certificate {
   199             size = 703 (0x02bf)
   200                data = { saved in file \*(Aqcert\&.001\*(Aq }
   201             }
   202          }
   203    0: 0c 00 00 ca                                      |\&.\&.\&.\&.
   204          type = 12 (server_key_exchange)
   205          length = 202 (0x0000ca)
   206    0: 0e 00 00 00                                      |\&.\&.\&.\&.
   207          type = 14 (server_hello_done)
   208          length = 0 (0x000000)
   209    }
   210 }
   211 ]
   212 \-\-> [
   213 SSLRecord {
   214    0: 16 03 00 00  44                                   |\&.\&.\&.\&.D
   215    type    = 22 (handshake)
   216    version = { 3,0 }
   217    length  = 68 (0x44)
   218    handshake {
   219    0: 10 00 00 40                                      |\&.\&.\&.@
   220    type = 16 (client_key_exchange)
   221    length = 64 (0x000040)
   222          ClientKeyExchange {
   223             message = {\&.\&.\&.}
   224          }
   225    }
   226 }
   227 ]
   228 \-\-> [
   229 SSLRecord {
   230    0: 14 03 00 00  01                                   |\&.\&.\&.\&.\&.
   231    type    = 20 (change_cipher_spec)
   232    version = { 3,0 }
   233    length  = 1 (0x1)
   234    0: 01                                               |\&.
   235 }
   236 SSLRecord {
   237    0: 16 03 00 00  38                                   |\&.\&.\&.\&.8
   238    type    = 22 (handshake)
   239    version = { 3,0 }
   240    length  = 56 (0x38)
   241                < encrypted >
   243 }
   244 ]
   245 <\-\- [
   246 SSLRecord {
   247    0: 14 03 00 00  01                                   |\&.\&.\&.\&.\&.
   248    type    = 20 (change_cipher_spec)
   249    version = { 3,0 }
   250    length  = 1 (0x1)
   251    0: 01                                               |\&.
   252 }
   253 ]
   254 <\-\- [
   255 SSLRecord {
   256    0: 16 03 00 00  38                                   |\&.\&.\&.\&.8
   257    type    = 22 (handshake)
   258    version = { 3,0 }
   259    length  = 56 (0x38)
   260                   < encrypted >
   262 }
   263 ]
   264 \-\-> [
   265 SSLRecord {
   266    0: 17 03 00 01  1f                                   |\&.\&.\&.\&.\&.
   267    type    = 23 (application_data)
   268    version = { 3,0 }
   269    length  = 287 (0x11f)
   270                < encrypted >
   271 }
   272 ]
   273 <\-\- [
   274 SSLRecord {
   275    0: 17 03 00 00  a0                                   |\&.\&.\&.\&.
   276    type    = 23 (application_data)
   277    version = { 3,0 }
   278    length  = 160 (0xa0)
   279                < encrypted >
   281 }
   282 ]
   283 <\-\- [
   284 SSLRecord {
   285    0: 17 03 00 00  df                                   |\&.\&.\&.\&.\(ss
   286    type    = 23 (application_data)
   287    version = { 3,0 }
   288    length  = 223 (0xdf)
   289                < encrypted >
   291 }
   292 SSLRecord {
   293    0: 15 03 00 00  12                                   |\&.\&.\&.\&.\&.
   294    type    = 21 (alert)
   295    version = { 3,0 }
   296    length  = 18 (0x12)
   297                < encrypted >
   298 }
   299 ]
   300 Server socket closed\&.
   301 .fi
   302 .if n \{\
   303 .RE
   304 .\}
   305 .PP
   306 Example 2
   307 .PP
   308 The \-s option turns on SSL parsing\&. Because the \-x option is not used in this example, undecoded values are output as raw data\&. The output is routed to a text file\&.
   309 .sp
   310 .if n \{\
   311 .RS 4
   312 .\}
   313 .nf
   314 $ ssltap \-s  \-p 444 interzone\&.mcom\&.com:443 > s\&.txt
   315 .fi
   316 .if n \{\
   317 .RE
   318 .\}
   319 .PP
   320 Output
   321 .sp
   322 .if n \{\
   323 .RS 4
   324 .\}
   325 .nf
   326 Connected to interzone\&.mcom\&.com:443
   327 \-\-> [
   328 alloclen = 63 bytes
   329    [ssl2]  ClientHelloV2 {
   330             version = {0x03, 0x00}
   331             cipher\-specs\-length = 36 (0x24)
   332             sid\-length = 0 (0x00)
   333             challenge\-length = 16 (0x10)
   334             cipher\-suites = {
   335                   (0x010080) SSL2/RSA/RC4\-128/MD5
   336                   (0x020080) SSL2/RSA/RC4\-40/MD5
   337                   (0x030080) SSL2/RSA/RC2CBC128/MD5
   338                   (0x060040) SSL2/RSA/DES64CBC/MD5
   339                   (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5
   340                   (0x000004) SSL3/RSA/RC4\-128/MD5
   341                   (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA
   342                   (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA
   343                   (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA
   344                   (0x000009) SSL3/RSA/DES64CBC/SHA
   345                   (0x000003) SSL3/RSA/RC4\-40/MD5
   346                   }
   347                session\-id = { }
   348             challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
   349 0x3fd0 }
   350 ]
   351 <\-\- [
   352 SSLRecord {
   353    type    = 22 (handshake)
   354    version = { 3,0 }
   355    length  = 997 (0x3e5)
   356    handshake {
   357          type = 2 (server_hello)
   358          length = 70 (0x000046)
   359             ServerHello {
   360             server_version = {3, 0}
   361             random = {\&.\&.\&.}
   362             session ID = {
   363                length = 32
   364                contents = {\&.\&.}
   365                }
   366                cipher_suite = (0x0003) SSL3/RSA/RC4\-40/MD5
   367             }
   368          type = 11 (certificate)
   369          length = 709 (0x0002c5)
   370             CertificateChain {
   371                chainlength = 706 (0x02c2)
   372                Certificate {
   373                   size = 703 (0x02bf)
   374                   data = { saved in file \*(Aqcert\&.001\*(Aq }
   375                }
   376             }
   377          type = 12 (server_key_exchange)
   378          length = 202 (0x0000ca)
   379          type = 14 (server_hello_done)
   380          length = 0 (0x000000)
   381    }
   382 }
   383 ]
   384 \-\-> [
   385 SSLRecord {
   386    type    = 22 (handshake)
   387    version = { 3,0 }
   388    length  = 68 (0x44)
   389    handshake {
   390          type = 16 (client_key_exchange)
   391          length = 64 (0x000040)
   392             ClientKeyExchange {
   393                message = {\&.\&.\&.}
   394             }
   395    }
   396 }
   397 ]
   398 \-\-> [
   399 SSLRecord {
   400    type    = 20 (change_cipher_spec)
   401    version = { 3,0 }
   402    length  = 1 (0x1)
   403 }
   404 SSLRecord {
   405    type    = 22 (handshake)
   406    version = { 3,0 }
   407    length  = 56 (0x38)
   408                < encrypted >
   409 }
   410 ]
   411 <\-\- [
   412 SSLRecord {
   413    type    = 20 (change_cipher_spec)
   414    version = { 3,0 }
   415    length  = 1 (0x1)
   416 }
   417 ]
   418 <\-\- [
   419 SSLRecord {
   420    type    = 22 (handshake)
   421    version = { 3,0 }
   422    length  = 56 (0x38)
   423                < encrypted >
   424 }
   425 ]
   426 \-\-> [
   427 SSLRecord {
   428    type    = 23 (application_data)
   429    version = { 3,0 }
   430    length  = 287 (0x11f)
   431                < encrypted >
   432 }
   433 ]
   434 <\-\- [
   435 SSLRecord {
   436    type    = 23 (application_data)
   437    version = { 3,0 }
   438    length  = 160 (0xa0)
   439                < encrypted >
   440 }
   441 ]
   442 <\-\- [
   443 SSLRecord {
   444    type    = 23 (application_data)
   445    version = { 3,0 }
   446    length  = 223 (0xdf)
   447                < encrypted >
   448 }
   449 SSLRecord {
   450    type    = 21 (alert)
   451    version = { 3,0 }
   452    length  = 18 (0x12)
   453                < encrypted >
   454 }
   455 ]
   456 Server socket closed\&.
   457 .fi
   458 .if n \{\
   459 .RE
   460 .\}
   461 .PP
   462 Example 3
   463 .PP
   464 In this example, the \-h option turns on hex/ASCII format\&. There is no SSL parsing or decoding\&. The output is routed to a text file\&.
   465 .sp
   466 .if n \{\
   467 .RS 4
   468 .\}
   469 .nf
   470 $ ssltap \-h  \-p 444 interzone\&.mcom\&.com:443 > h\&.txt
   471 .fi
   472 .if n \{\
   473 .RE
   474 .\}
   475 .PP
   476 Output
   477 .sp
   478 .if n \{\
   479 .RS 4
   480 .\}
   481 .nf
   482 Connected to interzone\&.mcom\&.com:443
   483 \-\-> [
   484    0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00  | \&.@\&.\&.\&.\&.\*(Aq\&.\&.\&.\&.\&.\&.\&.\&.\&.
   485    10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | \&.\&.\&.\&.\&.\&.\&.\&.\&.@\&.\&.\&.\&.\&.\&.
   486    20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00  | \&.\&.\&.\&.\&.\&.\&.\&.\('a\&.\&.\&.\&.\&.\&.\&.
   487    30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52  | \&.\&.\(Tp[V\&.I\&.\exd9 \&.\&.\&.\(Om\(S1R
   488    40: 6f 2d                                            |o\-
   489 ]
   490 <\-\- [
   491    0: 16 03 00 03  e5 02 00 00  46 03 00 7f  e5 0d 1b 1d  | \&.\&.\&.\&.\&.\&.\&.\&.F\&.\&.\&.\&.\&.\&.\&.
   492    10: 68 7f 3a 79  60 d5 17 3c  1d 9c 96 b3  88 d2 69 3b  | h\&.:y`\&.\&.<\&.\&.\(S3\&.\(`Oi;
   493    20: 78 e2 4b 8b  a6 52 12 4b  46 e8 c2 20  14 11 89 05  | x\&.K\&.\(bbR\&.KF\(`e\&. \&.\&.\&.
   494    30: 4d 52 91 fd  93 e0 51 48  91 90 08 96  c1 b6 76 77  | MR\&.\('y\&.\&.QH\&.\&.\&.\&.\&.\(psvw
   495    40: 2a f4 00 08  a1 06 61 a2  64 1f 2e 9b  00 03 00 0b  | *\(^o\&.\&.\(r!\&.a\(ctd\&.\&.\&.\&.\&.\&.
   496    50: 00 02 c5 00  02 c2 00 02  bf 30 82 02  bb 30 82 02  | \&.\&.\(oA\&.\&.\&.\&.\&.\&.0\&.\&.\&.0\&.\&.
   497    60: 24 a0 03 02  01 02 02 02  01 36 30 0d  06 09 2a 86  | $ \&.\&.\&.\&.\&.\&.\&.60\&.\&.\&.*\&.
   498    70: 48 86 f7 0d  01 01 04 05  00 30 77 31  0b 30 09 06  | H\&.\(di\&.\&.\&.\&.\&.\&.0w1\&.0\&.\&.
   499    80: 03 55 04 06  13 02 55 53  31 2c 30 2a  06 03 55 04  | \&.U\&.\&.\&.\&.US1,0*\&.\&.U\&.
   500    90: 0a 13 23 4e  65 74 73 63  61 70 65 20  43 6f 6d 6d  | \&.\&.#Netscape Comm
   501    a0: 75 6e 69 63  61 74 69 6f  6e 73 20 43  6f 72 70 6f  | unications Corpo
   502    b0: 72 61 74 69  6f 6e 31 11  30 0f 06 03  55 04 0b 13  | ration1\&.0\&.\&.\&.U\&.\&.\&.
   503    c0: 08 48 61 72  64 63 6f 72  65 31 27 30  25 06 03 55  | \&.Hardcore1\*(Aq0%\&.\&.U
   504    d0: 04 03 13 1e  48 61 72 64  63 6f 72 65  20 43 65 72  | \&.\&.\&.\&.Hardcore Cer
   505    e0: 74 69 66 69  63 61 74 65  20 53 65 72  76 65 72 20  | tificate Server
   506    f0: 49 49 30 1e  17 0d 39 38  30 35 31 36  30 31 30 33  | II0\&.\&.\&.9805160103
   507 <additional data lines>
   508 ]
   509 <additional records in same format>
   510 Server socket closed\&.
   511 .fi
   512 .if n \{\
   513 .RE
   514 .\}
   515 .PP
   516 Example 4
   517 .PP
   518 In this example, the \-s option turns on SSL parsing, and the \-h option turns on hex/ASCII format\&. Both formats are shown for each record\&. The output is routed to a text file\&.
   519 .sp
   520 .if n \{\
   521 .RS 4
   522 .\}
   523 .nf
   524 $ ssltap \-hs \-p 444 interzone\&.mcom\&.com:443 > hs\&.txt
   525 .fi
   526 .if n \{\
   527 .RE
   528 .\}
   529 .PP
   530 Output
   531 .sp
   532 .if n \{\
   533 .RS 4
   534 .\}
   535 .nf
   536 Connected to interzone\&.mcom\&.com:443
   537 \-\-> [
   538    0: 80 3d 01 03  00 00 24 00  00 00 10 01  00 80 02 00  | \&.=\&.\&.\&.\&.$\&.\&.\&.\&.\&.\&.\&.\&.\&.
   539    10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | \&.\&.\&.\&.\&.\&.\&.\&.\&.@\&.\&.\&.\&.\&.\&.
   540    20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 03  | \&.\&.\&.\&.\&.\&.\&.\&.\('a\&.\&.\&.\&.\&.\&.\&.
   541    30: 55 e6 e4 99  79 c7 d7 2c  86 78 96 5d  b5 cf e9     |U\&.\&.y\(,C\exb0 ,\&.x\&.]\(mc\(:I\('e
   542 alloclen = 63 bytes
   543    [ssl2]  ClientHelloV2 {
   544             version = {0x03, 0x00}
   545             cipher\-specs\-length = 36 (0x24)
   546             sid\-length = 0 (0x00)
   547             challenge\-length = 16 (0x10)
   548             cipher\-suites = {
   549                   (0x010080) SSL2/RSA/RC4\-128/MD5
   550                   (0x020080) SSL2/RSA/RC4\-40/MD5
   551                   (0x030080) SSL2/RSA/RC2CBC128/MD5
   552                   (0x040080) SSL2/RSA/RC2CBC40/MD5
   553                   (0x060040) SSL2/RSA/DES64CBC/MD5
   554                   (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5
   555                   (0x000004) SSL3/RSA/RC4\-128/MD5
   556                   (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA
   557                   (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA
   558                   (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA
   559                   (0x000009) SSL3/RSA/DES64CBC/SHA
   560                   (0x000003) SSL3/RSA/RC4\-40/MD5
   561                   }
   562             session\-id = { }
   563             challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
   565 0xcfe9 }
   566 }
   567 ]
   568 <additional records in same formats>
   569 Server socket closed\&.
   570 .fi
   571 .if n \{\
   572 .RE
   573 .\}
   574 .SH "USAGE TIPS"
   575 .PP
   576 When SSL restarts a previous session, it makes use of cached information to do a partial handshake\&. If you wish to capture a full SSL handshake, restart the browser to clear the session id cache\&.
   577 .PP
   578 If you run the tool on a machine other than the SSL server to which you are trying to connect, the browser will complain that the host name you are trying to connect to is different from the certificate\&. If you are using the default BadCert callback, you can still connect through a dialog\&. If you are not using the default BadCert callback, the one you supply must allow for this possibility\&.
   579 .SH "SEE ALSO"
   580 .PP
   581 The NSS Security Tools are also documented at
   582 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&\s-2\u[2]\d\s+2\&.
   583 .SH "ADDITIONAL RESOURCES"
   584 .PP
   585 For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
   586 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
   587 .PP
   588 Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
   589 .PP
   590 IRC: Freenode at #dogtag\-pki
   591 .SH "AUTHORS"
   592 .PP
   593 The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&.
   594 .PP
   595 Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
   596 .SH "LICENSE"
   597 .PP
   598 Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&.
   599 .SH "NOTES"
   600 .IP " 1." 4
   601 Mozilla NSS bug 836477
   602 .RS 4
   603 \%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
   604 .RE
   605 .IP " 2." 4
   606 http://www.mozilla.org/projects/security/pki/nss/
   607 .RS 4
   608 \%http://www.mozilla.org/projects/security/pki/nss/tools
   609 .RE
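
The \-h dump format documented above (offset, hex bytes, vertical bar, ASCII) can be turned back into bytes and audited offline. The following is an added example, not part of the NSS sources: it rebuilds the first client record from Example 3, parses it as an SSL 2.0-format ClientHello, and flags offered ciphers. The function names and the three weakness criteria (SSL 2.0 cipher kinds, 40-bit export ciphers, single DES) are this example's own assumptions.

```python
import re
import struct

# Hex column of the first client record in the page's Example 3 (ssltap -h).
# The ASCII column after '|' is simplified; the parser ignores it.
SAMPLE_DUMP = """\
--> [
   0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00  | .@....'.........
  10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | .........@......
  20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00  | ................
  30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52  | ....[V.I.......R
  40: 6f 2d                                            |o-
]
"""

# Cipher names exactly as ssltap prints them in Example 1.
SUITES = {
    0x010080: "SSL2/RSA/RC4-128/MD5", 0x020080: "SSL2/RSA/RC4-40/MD5",
    0x030080: "SSL2/RSA/RC2CBC128/MD5", 0x040080: "SSL2/RSA/RC2CBC40/MD5",
    0x060040: "SSL2/RSA/DES64CBC/MD5", 0x0700C0: "SSL2/RSA/3DES192EDE-CBC/MD5",
    0x000004: "SSL3/RSA/RC4-128/MD5", 0x00FFE0: "SSL3/RSA-FIPS/3DES192EDE-CBC/SHA",
    0x00000A: "SSL3/RSA/3DES192EDE-CBC/SHA", 0x00FFE1: "SSL3/RSA-FIPS/DES64CBC/SHA",
    0x000009: "SSL3/RSA/DES64CBC/SHA", 0x000003: "SSL3/RSA/RC4-40/MD5",
    0x000006: "SSL3/RSA/RC2CBC40/MD5",
}

HEX_LINE = re.compile(r"^\s*([0-9a-f]+):((?:\s+[0-9a-f]{2})+)\s*\|", re.I)

def bytes_from_dump(text):
    """Rebuild the raw bytes of one record from 'offset: hex | ascii' lines."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # direction markers, brackets, parsed -s output
        if int(m.group(1), 16) != len(data):
            raise ValueError("gap or overlap at offset " + m.group(1))
        data += bytes.fromhex(m.group(2))
    return bytes(data)

def parse_client_hello_v2(rec):
    """Parse an SSL 2.0-format ClientHello (2-byte header with the MSB set)."""
    if len(rec) < 11 or not rec[0] & 0x80 or rec[2] != 1:
        raise ValueError("not an SSL 2.0-format ClientHello")
    rec_len = ((rec[0] & 0x7F) << 8) | rec[1]
    major, minor, cs_len, sid_len, ch_len = struct.unpack_from(">BBHHH", rec, 3)
    body_len = 9 + cs_len + sid_len + ch_len
    if rec_len != body_len or len(rec) != 2 + rec_len or cs_len % 3:
        raise ValueError("length fields are inconsistent with the captured bytes")
    specs = [int.from_bytes(rec[i:i + 3], "big") for i in range(11, 11 + cs_len, 3)]
    return {"version": (major, minor), "cipher_specs": specs,
            "challenge": rec[11 + cs_len + sid_len:]}

def weak_reasons(name):
    """Apply this example's criteria to a name in ssltap's proto/kx/cipher/mac form."""
    proto, _kx, cipher, _mac = name.split("/")
    reasons = []
    if proto == "SSL2":
        reasons.append("SSL 2.0 cipher kind")
    if cipher.endswith("40"):
        reasons.append("40-bit export cipher")
    if cipher == "DES64CBC":
        reasons.append("single DES")
    return reasons

def audit(dump_text):
    """Return the parsed hello and a {cipher name: reasons} map of flagged offers."""
    hello = parse_client_hello_v2(bytes_from_dump(dump_text))
    findings = {}
    for code in hello["cipher_specs"]:
        name = SUITES.get(code)
        reasons = weak_reasons(name) if name else ["code not in the table above"]
        if reasons:
            findings[name or hex(code)] = reasons
    return hello, findings

if __name__ == "__main__":
    hello, findings = audit(SAMPLE_DUMP)
    print("offered version:", hello["version"])
    for name, reasons in findings.items():
        print(f"{name}: {', '.join(reasons)}")
```
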
