{"id":13843283,"url":"https://github.com/neykov/extract-tls-secrets","last_synced_at":"2025-04-08T09:08:35.150Z","repository":{"id":28063962,"uuid":"31560823","full_name":"neykov/extract-tls-secrets","owner":"neykov","description":"Decrypt HTTPS/TLS connections on the fly with Wireshark","archived":false,"fork":false,"pushed_at":"2024-10-13T11:29:30.000Z","size":116,"stargazers_count":419,"open_issues_count":6,"forks_count":73,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-01T07:52:11.814Z","etag":null,"topics":["decrypt","https","java","ssl","tls","wireshark"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neykov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-03-02T20:15:05.000Z","updated_at":"2025-03-22T10:28:06.000Z","dependencies_parsed_at":"2024-11-30T14:06:25.248Z","dependency_job_id":"12ab855e-134e-4329-a46a-d11d405fa2a1","html_url":"https://github.com/neykov/extract-tls-secrets","commit_stats":{"total_commits":59,"total_committers":6,"mean_commits":9.833333333333334,"dds":"0.23728813559322037","last_synced_commit":"ebb6e6e2e30b837829d45188d30f6777994c4dd0"},"previous_names":["neykov/extract-ssl-secrets"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neykov","download_url":"https://codeload.github.com/neykov/extract-tls-secrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247809962,"owners_count":20999816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decrypt","https","java","ssl","tls","wireshark"],"created_at":"2024-08-04T17:01:58.673Z","updated_at":"2025-04-08T09:08:35.130Z","avatar_url":"https://github.com/neykov.png","language":"Java","readme":"# extract-tls-secrets\n\nDecrypt HTTPS/TLS connections on-the-fly. Extract the shared secrets from \nsecure TLS connections for use with [Wireshark](https://www.wireshark.org/).\nAttach to a Java process on either side of the connection to start decrypting.\n\n## Usage\n\nDownload from [extract-tls-secrets-4.0.0.jar](https://repo1.maven.org/maven2/name/neykov/extract-tls-secrets/4.0.0/extract-tls-secrets-4.0.0.jar).\nThen attach to a Java process in one of two ways:\n\n### Attach on startup \n\nAdd a startup argument to the JVM options: `-javaagent:\u003cpath to jar\u003e/extract-tls-secrets-4.0.0.jar=\u003cpath to secrets log file\u003e`\n\nFor example to launch an application from a jar file run:\n\n```shell script\njava -javaagent:~/Downloads/extract-tls-secrets-4.0.0.jar=/tmp/secrets.log -jar MyApp.jar\n```\n\nTo launch in Tomcat add the parameter to `CATALINA_OPTS`:\n\n```shell script\nCATALINA_OPTS=-javaagent:~/Downloads/extract-tls-secrets-4.0.0.jar=/tmp/secrets.log bin/catalina.sh run\n```\n\n### Attach to a running process\n\nAttaching to an existing Java process requires a JDK install with `JAVA_HOME` \npointing to it.\n\nTo list the available process IDs run:\n\n```\njava -jar ~/Downloads/extract-tls-secrets-4.0.0.jar list\n```\n\nNext attach to the process by executing:\n\n```\njava -jar ~/Downloads/extract-tls-secrets-4.0.0.jar \u003cpid\u003e /tmp/secrets.log\n```\n\n### Decrypt the capture in Wireshark\n\nTo decrypt the capture you need to let Wireshark know where the secrets file is. \nConfigure the path in\n`Preferences \u003e Protocols \u003e TLS (SSL for older versions) \u003e (Pre)-Master-Secret log filename`.\n\nAlternatively start Wireshark with:\n\n```\nwireshark -o tls.keylog_file:/tmp/secrets.log\n```\n\nThe packets will be decrypted in real-time.\n\nFor a step by step tutorial of using the secrets log file (SSLKEYLOGFILE as referenced usually)\nrefer to the Peter Wu's [Debugging TLS issues with Wireshark](https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19eu.pdf)\npresentation. Even more information can be found at the [Wireshark TLS](https://wiki.wireshark.org/TLS) page. \n\n## Requirements\n\nRequires at least Oracle/OpenJDK Java 6. Does not support IBM Java and custom \nsecurity providers like Bouncy Castle, Conscrypt.\n\n## Building\n\n```\ngit clone https://github.com/neykov/extract-tls-secrets.git\ncd extract-tls-secrets\nmvn clean package\n```\n\nRunning the integration tests requires Docker to be installed on the system:\n\n```shell script\nmvn verify\n```\n\n## Troubleshooting\n\nIf you get an empty window after selecting \"Follow/TLS Stream\" from the context menu\nor are not seeing HTTP protocol packets in the packet list then you can fix this by either:\n  * Save the capture as a file and open it again\n  * In the Wireshark settings in \"Procotols/TLS\" toggle \"Reassemble TLS Application Data spanning multiple SSL records\".\n  The exact state of the checkbox doesn't matter, but it will force a reload which will force proper decryption of the packets.\n\nThe bug seems to be related to the UI side of wireshark as the TLS debug logs show the message successfully being decrypted.\n\nReports of the problem:\n  * https://ask.wireshark.org/questions/33879/ssl-decrypt-shows-ok-in-ssl-debug-file-but-not-in-wireshark\n  * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9154\n\n\nIf \"Follow/TLS Stream\" is not enabled the server is probably on a non-standard port so Wireshark can't infer that the \npackets contain TLS traffic. To hint it that it should be decoding the packets as TLS \nright click on any of the packets to open the context menu, select \"Decode As\" and add \nthe server port, select \"TLS\" protocol in the \"Current\" column. If it's still not able \nto decrypt try the same by saving the capture in a file and re-opening it.\n","funding_links":[],"categories":["Java"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneykov%2Fextract-tls-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneykov%2Fextract-tls-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneykov%2Fextract-tls-secrets/lists"}