Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • March 2, 2012

Using tshark to debug SSL connections

Jyri had explained in his blog how to use ssldump to debug SSL connections. We can also use tshark. On my Linux server, tshark is installed in /usr/sbin/tshark.

Support team guys need these steps for finding out what is happening. First try to reproduce the problem in a test environment with self-signed certificate and follow the steps given in this blog.

I started Oracle iPlanet Web Server 7.0 instance on IP lets say and port 15000.

Exporting Private Key from NSS DB

In NSS Database, I have a Server Certificate named "Server-Cert" as shown below.

$ cd <WS_install-root>/https-<instance>/config

$ ../../bin/certutil -L -d .

Certificate Nickname                         Trust Attributes
Server-Cert                                     u,u,u

First use pk12util to extract server certificate and its key into a file "server.keycert".

$ ../../bin/pk12util -o server.keycert -n "Server-Cert" -d .

Enter Password or Pin for "NSS Certificate DB": nssdbpassword

Enter password for PKCS12 file: pkcs12password
Re-enter password: pkcs12password


then I use openssl to get just the RSA private key

$ openssl pkcs12 -nodes -in server.keycert -out key.pem -nocerts -nodes
Enter Import Password: pkcs12password
MAC verified OK 

$ rm server.keycert

If you look at the file, its contents are like :

$ cat key.pem
Bag Attributes
    friendlyName: Server-Cert
    localKeyID: ...
Key Attributes: <No Attributes>

Edit the file key.pem manually and remove the first 4 lines.

Now the file starts with line "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"

Note that we should be very careful with this key as its not so safe to leave it unprotected.

You can protect it by another password if you like.

I would prefer if wireshark can take NSS DB or Oracle Wallets as input directly.

Running tshark

Now as root run tshark

$ /usr/sbin/tshark -o "ssl.desegment_ssl_records: TRUE" \

"ssl.desegment_ssl_application_data: TRUE" \

"ssl.keys_list:,15000,http,key.pem" \

"ssl.debug_file:ssldebug.log" \

-f "tcp port 15000" \

-R "ssl" \

-V -x
2>&1 | tee tshark.log

when I had not given IP address in ssl.key_list, it wasn't associating key to some of my connections.

Note that 
I used capture filter "tcp port 15000" and display filter "ssl".
I used -V to show more verbose output and
I also used -x to get both hex and ASCII dumps.
You can try your own options.

Now send a request through a browser to, close the browser and after a while, press control c on the window where tshark is running and kill it.

Delete the private key file key.pem.

ssldebug.log should have a message that says key was loaded successfully

$ grep -i "private key" ssldebug.log

Private key imported: KeyID ...
ssl_init private key file key.pem successfully loaded

Note that ssldebug.log MUST NOT contain any error messages about key not being used etc.

Now look at tshark.log, look for "Secure Socket Layer" sections one such section is shown below :

Secure Socket Layer

  SSL Record Layer: Handshake Protocol: Client Hello

      Content Type: Handshake (22)

      Version: TLS 1.0 (0x0301)

      Length: 168

      Handshake Protocol: Client Hello

          Handshake Type: Client Hello (1)

          Length: 164

          Version: TLS 1.0 (0x0301)


              gmt_unix_time: Mar  2, 2012 00:01:26.000000000

              random_bytes: .......

          Session ID Length: 0

          Cipher Suites Length: 72

          Cipher Suites (36 suites)

            Cipher Suite: Unknown (0x00ff)

            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)


In the end you can see SSL data being decrypted :

Decrypted SSL data (1 bytes):

0000  48                                                H

 Decrypted SSL data (225 bytes):

0000  54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a   TTP/1.1 200 OK..
0040  46 72 69 2c 20 30 32 20 4d 61 72 20 32 30 31 32   Fri, 02 Mar 2012
0050  20 30 39 3a 31 32 3a 32 38 20 47 4d 54 0d 0a 4c    09:12:28 GMT..L
0060  61 73 74 2d 6d 6f 64 69 66 69 65 64 3a 20 57 65   ast-modified: We
0070  64 2c 20 32 39 20 46 65 62 20 32 30 31 32 20 31   d, 29 Feb 2012 1
0080  31 3a 33 38 3a 31 39 20 47 4d 54 0d 0a 43 6f 6e   1:38:19 GMT..Con
0090  74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 31 39 0d   tent-length: 19.
00a0  0a 45 74 61 67 3a 20 22 31 33 2d 34 66 34 65 30   .Etag: "13-4f4e0
00b0  65 32 62 22 0d 0a 41 63 63 65 70 74 2d 72 61 6e   e2b"..Accept-ran
00c0  67 65 73 3a 20 62 79 74 65 73 0d 0a 0d 0a 54 68   ges: bytes....Th
00d0  69 73 20 69 73 20 69 6e 64 65 78 2e 68 74 6d 6c   is is index.html
00e0  0a                                                .

This log shows different stages of SSL

$grep "Handshake Protocol" tshark.log

    Handshake Protocol: Client Hello
    Handshake Protocol: Server Hello
    Handshake Protocol: Certificate
    Handshake Protocol: Server Hello Done
    Handshake Protocol: Client Key Exchange
    Handshake Protocol: Finished
    Handshake Protocol: Finished

Exporting Private Key from Wallet

If your product uses Oracle wallet instead of NSS DB, to extract the key and certificate from the Wallet you can use openssl command as shown below

$openssl pkcs12 -in ewallet.p12 -passin
pass:walletpassword -out ewallet.txt -nodes

MAC verified OK

If you look at this file it has  "-----BEGIN RSA PRIVATE
KEY-----" and "

$cat ewallet.txt

Bag Attributes

    localKeyID: ...

Key Attributes: <No Attributes>



Bag Attributes

    localKeyID: ...







Edit this file and copy only the lines starting with "
-----BEGIN RSA PRIVATE KEY-----" and ending with "

into a new file key.pem. Rest of the steps remain the same.

I wanted to check if we are getting "close notify" in a connection, I saw in the presentation


useful commands to get a particular field in tshark:

$tshark -G fields | fgrep "ssl." and hence used
$tshark -R "ssl.alert_message"


  1. http://wiki.wireshark.org/SSL
  2. https://forums.oracle.com/forums/thread.jspa?threadID=830575
  3. http://www.powershow.com/view/29ec1-OWNkM/SSL_Troubleshooting_with_Wireshark_and_Tshark_flash_ppt_presentation

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.