Debugging SSL with ssltap
Filed under: Engineering
Over the holidays I debugged a wierd problem with Jetty and Firefox: When Firefox accesses a Webapp running on Jetty over SSL, this will result in a SSLHandshakeException eventually.
To debug this problem, I use ssltap a little tool from Netscape/Mozilla. ssltab is something like a SSL proxy and writes all SSL traffic going through it to the console.
To install it on Windows it is required to download the ZIP file provided here (Unix/Linux is here, README) and copy bin/ssltap.exe and all file from lib/ to somewhere on your path. Additionally you will need the following DLLs on your path, which can be found in the the Firefox installation directory:
nspr4.dll plc4.dll plds4.dll
After that ssltap should be able to start. For example, this will let ssltap listen on port 4443 and forward the requrests to port 8443 on your local machine:
ssltap -sxlp 4443 localhost:8443
In my case ssltap I was able to figured out, that Firefox sends a ClientHelloV2 after the handshake failure:
alloclen = 63 bytes
(63 bytes of 63)
[Wed Jan 09 21:07:12 2008] [ssl2] ClientHelloV2 {
version = {0×03, 0×00}
cipher-specs-length = 36 (0×24)
sid-length = 0 (0×00)
challenge-length = 16 (0×10)
cipher-suites = {
(0×000039) TLS/DHE-RSA/AES256-CBC/SHA
(0×000038) TLS/DHE-DSS/AES256-CBC/SHA
(0×000035) TLS/RSA/AES256-CBC/SHA
(0×000033) TLS/DHE-RSA/AES128-CBC/SHA
(0×000032) TLS/DHE-DSS/AES128-CBC/SHA
(0×000004) SSL3/RSA/RC4-128/MD5
(0×000005) SSL3/RSA/RC4-128/SHA
(0×00002f) TLS/RSA/AES128-CBC/SHA
(0×000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0×000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0×00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0×00000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
session-id = { }
challenge = { 0×2ff5 0×68bd 0×2e11 0×903a 0xd40d 0×8809 0×86f7 0×8e0e }
}
]
This is especially wierd, as SSL v2 is disabled in Firefox 2.0. From analyzing SSL traffic and debugging Jetty I guess it seems that this is a race condition somewhere inside Jetty, which results in some response back to Firefox, which messes up the SSL session.
I have started a new thread in Sun’s JSSE forum and mozilla.dev.tech.crypto. I hope someone can help.
References:
[1] Mozilla Developer Center: Introduction to SSL
[2] Mozilla.org: Using the SSL Debugging Tool
Jan 9, 2008 at 22:14 | Permalink
Read more...
- Endpoints,Service Units and Components - a quick intro to JBI terminology for JBI newbies.
- Externalizing Configuration with Spring shows how to create simple config files for Spring applications.
- Mike Spille on XA Transactions Short post by Mike Spille on XA transactions. Good read as an intro.
- XBeans Intro by Craig Walls
| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Aug | Feb » | |||||
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 | |||
2 Comments
1. Stefan Kleineikenscheidt &hellip | January 16th, 2008 at 10:48 pm
[…] I’ve been analyzing the Jetty SSL problem. […]
2. aviad | January 18th, 2010 at 5:30 pm
For ssl tap to run on windows (i checked on vista with ff 3.5) you also need to add the mozcrt19.dll to your path
Leave a Comment
Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>
Trackback this post | Subscribe to the comments via RSS Feed