SSLTap - manual

SSLTap Manual page

Summary

A command-line proxy which is SSL-aware. It snoops on TCP connections and displays the data going by, including SSL records and handshaking if the connection is SSL.

Synopsis

ssltap [-vhfsxl] [-p port] hostname:port

   -v      [prints version string]
   -h      [outputs hex instead of ASCII]
   -f      [turn on Fancy HTML coloring]
   -s      [turn on SSL decoding]
   -x      [turn on extra SSL hex dumps]
   -p port [specify rendezvous port (default 1924)]
   -l      [loop - continue to wait for more connections]

Description

SSLTap opens a socket on a rendezvous port and waits for an incoming connection (client side). Once this connection arrives, SSLTap makes another connection to hostname:port (server side). It passes any data sent by the client to the server, and vice versa, and also displays that data on the console. It can do this for plain HTTP connections or any other TCP protocol. SSLTap can also work with SSL streams, as detailed below.

Let's assume your development machine is called 'intercept'. The simplest usage of SSLTap is to run the command 'ssltap www.netscape.com:80' on intercept. The program will wait for an incoming connection on port 1924. Next, go to your browser and enter the URL http://intercept:1924. The page retrieved by the browser will actually be fetched from the server at www.netscape.com, but will go via SSLTap.

Data sent from the client to the server is surrounded by a '--> [ ]' symbol, and data sent from the server to the client, a '<---[ ]' symbol.

You'll notice that the page retrieved with this example looks incomplete. This is because SSLTap by default closes down after the first connection is complete, so the browser is not able to load images. To make SSLTap continue to accept connections, switch on looping mode with the -l option.

You can change the default rendezvous port to something else with the -p option.

The remaining options change the way the output is produced.

The -f option prints 'fancy' output - in colored HTML. Data sent from the client to the server is in blue. The server's reply is in red. This is designed so you can load the output up into a browser. When used with looping mode, the different connections are separated with horizontal lines.

-x will turn on HEX printing. Instead of being output as ASCII, the data is shown as hex, like this:


SSL Parse mode

The following options deal with SSL connections.

The following SSL3 data structures are parsed: Handshake, ClientHello, ServerHello, CertificateChain, Certificate. In addition, SSL2 ClientHello, ServerHello, ClientMasterKey are also partly parsed. NO DECRYPTION IS PERFORMED ON THE DATA. SSLTAP CANNOT DECRYPT the data.

If a certificate chain is detected, DER-encoded certificates will be saved into files in the current directory called 'cert.0x' where x is the sequence number of the certificate.

Operation Hints

Often, you'll find that the server certificate does not get transferred, or other parts of the handshake do not happen. This is because the browser is taking advantage of session-id-reuse (using the handshake results from a previous session). If you restart the browser, it'll clear the session id cache.

If you run ssltap on a different machine than the SSL server you're trying to connect to, the browser will complain that the host name you're trying to connect to is different from the one in the certificate, but it will still let you connect after showing you a dialog.
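Session-id reuse, and the missing server certificate that comes with it, can be confirmed from the cleartext handshake bytes alone, with no decryption. The following is an added example, not part of SSLTap or this manual: it assumes the SSL3 / TLS 1.0-1.2 record and hello layout, and every function name and sample byte string in it is constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # record content types
NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
         14: "server_hello_done"}

def handshakes(stream):
    """Return [(msg_type, body)] for handshake messages sent in the clear."""
    buf, off = b"", 0
    while off + 5 <= len(stream):                # 5-byte record header
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype == CHANGE_CIPHER_SPEC:          # later records are encrypted
            break
        if ctype == HANDSHAKE:
            buf += stream[off + 5:off + 5 + length]
        off += 5 + length
    msgs, off = [], 0
    while off + 4 <= len(buf):                   # 1-byte type, 3-byte length
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        msgs.append((buf[off], buf[off + 4:off + 4 + length]))
        off += 4 + length
    return msgs

def session_id(hello_body):
    """Hello layout: version(2) random(32) session_id_length(1) session_id."""
    return hello_body[35:35 + hello_body[34]]

def summarize(client_stream, server_stream):
    """Names of the server's cleartext messages, and whether it resumed."""
    server = handshakes(server_stream)
    offered = next(session_id(b) for t, b in handshakes(client_stream) if t == 1)
    chosen = next(session_id(b) for t, b in server if t == 2)
    names = [NAMES.get(t, str(t)) for t, _ in server]
    return names, bool(offered) and offered == chosen and "certificate" not in names

# --- constructed sample bytes (not a real capture; hello fields after session_id omitted) ---
def rec(ctype, payload):
    return struct.pack("!BBBH", ctype, 3, 0, len(payload)) + payload

def hs(mtype, body):
    return rec(HANDSHAKE, bytes([mtype]) + len(body).to_bytes(3, "big") + body)

def hello(sid):
    return b"\x03\x00" + bytes(32) + bytes([len(sid)]) + sid

SID = bytes(range(32))
FULL = (hs(1, hello(b"")), hs(2, hello(SID)) + hs(11, b"\x00\x00\x00") + hs(14, b""))
RESUMED = (hs(1, hello(SID)),
           hs(2, hello(SID)) + rec(CHANGE_CIPHER_SPEC, b"\x01") + rec(HANDSHAKE, bytes(40)))
```

summarize(*FULL) reports a certificate message and no resumption; summarize(*RESUMED) reports only server_hello and flags the session as resumed, which is the case where no 'cert.0x' file would be written.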

Bugs

Please contact ssltap-support@netscape.com for bug reports.

History

2.1 - First public release (March 1998)

Other

For reference, here is a table of some well-known port numbers:

   HTTP    80
   SMTP    25
   HTTPS   443
   FTP     21
   IMAPS   993
   NNTP    119
   NNTPS   563