{"id":13843283,"url":"https://github.com/neykov/extract-tls-secrets","last_synced_at":"2026-04-19T14:13:25.978Z","repository":{"id":28063962,"uuid":"31560823","full_name":"neykov/extract-tls-secrets","owner":"neykov","description":"Decrypt HTTPS/TLS connections on the fly with Wireshark","archived":false,"fork":false,"pushed_at":"2026-04-10T12:12:11.000Z","size":148,"stargazers_count":453,"open_issues_count":0,"forks_count":78,"subscribers_count":7,"default_branch":"master","last_synced_at":"2026-04-10T14:14:15.248Z","etag":null,"topics":["decrypt","https","java","ssl","tls","wireshark"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neykov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2015-03-02T20:15:05.000Z","updated_at":"2026-04-10T12:12:20.000Z","dependencies_parsed_at":"2024-11-30T14:06:25.248Z","dependency_job_id":"12ab855e-134e-4329-a46a-d11d405fa2a1","html_url":"https://github.com/neykov/extract-tls-secrets","commit_stats":{"total_commits":59,"total_committers":6,"mean_commits":9.833333333333334,"dds":"0.23728813559322037","last_synced_commit":"ebb6e6e2e30b837829d45188d30f6777994c4dd0"},"previous_names":["neykov/extract-ssl-secrets"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/neykov/extract-tls-secrets","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets","tags_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neykov","download_url":"https://codeload.github.com/neykov/extract-tls-secrets/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neykov%2Fextract-tls-secrets/sbom","scorecard":{"id":682441,"data":{"date":"2025-08-11","repo":{"name":"github.com/neykov/extract-tls-secrets","commit":"ebb6e6e2e30b837829d45188d30f6777994c4dd0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.2,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/tests.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/neykov/extract-tls-secrets/tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/neykov/extract-tls-secrets/tests.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":1,"reason":"Found 4/25 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable 
(binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v4.0.0 not signed: https://api.github.com/repos/neykov/extract-tls-secrets/releases/25650946","Warn: release artifact v3.0.0 not signed: 
https://api.github.com/repos/neykov/extract-tls-secrets/releases/23132635","Warn: release artifact v2.0.0 not signed: https://api.github.com/repos/neykov/extract-tls-secrets/releases/5500290","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/neykov/extract-tls-secrets/releases/4885263","Warn: release artifact v4.0.0 does not have provenance: https://api.github.com/repos/neykov/extract-tls-secrets/releases/25650946","Warn: release artifact v3.0.0 does not have provenance: https://api.github.com/repos/neykov/extract-tls-secrets/releases/23132635","Warn: release artifact v2.0.0 does not have provenance: https://api.github.com/repos/neykov/extract-tls-secrets/releases/5500290","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/neykov/extract-tls-secrets/releases/4885263"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 9 are checked with a SAST 
tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-21T23:38:05.425Z","repository_id":28063962,"created_at":"2025-08-21T23:38:05.425Z","updated_at":"2025-08-21T23:38:05.425Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32009304,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T20:23:30.271Z","status":"online","status_checked_at":"2026-04-19T02:00:07.110Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decrypt","https","java","ssl","tls","wireshark"],"created_at":"2024-08-04T17:01:58.673Z","updated_at":"2026-04-19T14:13:25.969Z","avatar_url":"https://github.com/neykov.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# extract-tls-secrets\n\nDecrypt HTTPS/TLS connections on-the-fly. 
Extract the shared secrets from \nsecure TLS connections for use with [Wireshark](https://www.wireshark.org/).\nAttach to a Java process on either side of the connection to start decrypting.\n\n## Usage\n\nDownload from [extract-tls-secrets-5.0.0.jar](https://repo1.maven.org/maven2/name/neykov/extract-tls-secrets/5.0.0/extract-tls-secrets-5.0.0.jar).\nThen attach to a Java process in one of two ways:\n\n### Attach on startup \n\nAdd a startup argument to the JVM options: `-javaagent:\u003cpath to jar\u003e/extract-tls-secrets-5.0.0.jar=\u003cpath to secrets log file\u003e`\n\nFor example to launch an application from a jar file run:\n\n```shell script\njava -javaagent:~/Downloads/extract-tls-secrets-5.0.0.jar=/tmp/secrets.log -jar MyApp.jar\n```\n\nTo launch in Tomcat add the parameter to `CATALINA_OPTS`:\n\n```shell script\nCATALINA_OPTS=-javaagent:~/Downloads/extract-tls-secrets-5.0.0.jar=/tmp/secrets.log bin/catalina.sh run\n```\n\n### Attach to a running process\n\nAttaching to an existing Java process requires a JDK install with `JAVA_HOME` \npointing to it.\n\nTo list the available process IDs run:\n\n```\njava -jar ~/Downloads/extract-tls-secrets-5.0.0.jar list\n```\n\nNext attach to the process by executing:\n\n```\njava -jar ~/Downloads/extract-tls-secrets-5.0.0.jar attach \u003cpid\u003e /tmp/secrets.log\n```\n\nIf no secrets file path is given, secrets are written to `tls-master-secrets.txt` in the current\nworking directory. 
Relative paths are resolved against the directory where the command is run,\nnot the target process's working directory.\n\n### Detach from a running process\n\nTo stop secrets logging without restarting the target process:\n\n```\njava -jar ~/Downloads/extract-tls-secrets-5.0.0.jar detach \u003cpid\u003e\n```\n\nDetaching is safe: the target process continues running normally and the agent can be re-attached\nlater to resume logging.\n\n### Decrypt the capture in Wireshark\n\nTo decrypt the capture you need to let Wireshark know where the secrets file is. \nConfigure the path in\n`Preferences \u003e Protocols \u003e TLS \u003e (Pre)-Master-Secret log filename`.\n\nAlternatively start Wireshark with:\n\n```\nwireshark -o tls.keylog_file:/tmp/secrets.log\n```\n\nThe packets will be decrypted in real time.\n\nFor a step-by-step tutorial on using the secrets log file (usually referred to as SSLKEYLOGFILE),\nrefer to Peter Wu's [Debugging TLS issues with Wireshark](https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19eu.pdf)\npresentation. Even more information can be found at the [Wireshark TLS](https://wiki.wireshark.org/TLS) page. \n\n## Requirements\n\nRequires at least Oracle/OpenJDK Java 6. 
Supports the following TLS providers:\n\n- Oracle/OpenJDK built-in JSSE (all supported Java versions)\n- IBM JSSE2 (`ibmjava:8`)\n- Bouncy Castle JSSE (`bcjsse` 1.57+)\n\nConscrypt is not supported.\n\n## Building\n\n```\ngit clone https://github.com/neykov/extract-tls-secrets.git\ncd extract-tls-secrets\nmvn clean package\n```\n\nRunning the integration tests requires Docker to be installed on the system:\n\n```shell script\nmvn verify\n```\n\n## Troubleshooting\n\nIf you get an empty window after selecting \"Follow/TLS Stream\" from the context menu\nor are not seeing HTTP protocol packets in the packet list, then you can fix this by either:\n  * Saving the capture as a file and opening it again\n  * Toggling \"Reassemble TLS Application Data spanning multiple SSL records\" in the Wireshark settings under \"Protocols/TLS\".\n  The exact state of the checkbox doesn't matter, but it will force a reload which will force proper decryption of the packets.\n\nThe bug seems to be related to the UI side of Wireshark, as the TLS debug logs show the message successfully being decrypted.\n\nReports of the problem:\n  * https://ask.wireshark.org/questions/33879/ssl-decrypt-shows-ok-in-ssl-debug-file-but-not-in-wireshark\n  * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9154\n\n\nIf \"Follow/TLS Stream\" is not enabled, the server is probably on a non-standard port so Wireshark can't infer that the \npackets contain TLS traffic. To hint that it should decode the packets as TLS, \nright-click on any of the packets to open the context menu, select \"Decode As\", add \nthe server port, and select the \"TLS\" protocol in the \"Current\" column. 
If it's still not able \nto decrypt, try the same after saving the capture to a file and re-opening it.\n\n### Warnings during agent loading\n\n#### EnableDynamicAgentLoading\n\nStarting with Java 21, upon attaching the agent, the target process will print\nthe following warning:\n\n\u003e WARNING: A Java agent has been loaded dynamically\n\u003e WARNING: If a serviceability tool is in use, please run with -XX:+EnableDynamicAgentLoading to hide this warning\n\u003e WARNING: If a serviceability tool is not in use, please run with -Djdk.instrument.traceUsage for more information\n\u003e WARNING: Dynamic loading of agents will be disallowed by default in a future release\n\nThe warning is informational and does not lead to broken functionality. To suppress\nthe warning add `-XX:+EnableDynamicAgentLoading` to the startup options of the target process.\n\nIf the target process has disabled dynamic agent loading by setting\n`-XX:-EnableDynamicAgentLoading` at startup, then attaching will fail with:\n\u003e Failed to load agent library: Dynamic agent loading is not enabled. Use -XX:+EnableDynamicAgentLoading to launch target VM.\n\nMore details can be found in [JEP 451](https://openjdk.org/jeps/451).\n\n\u003c!-- \nThe warning was introduced in:\nJEP: https://openjdk.org/jeps/451\nTicket: https://bugs.openjdk.org/browse/JDK-8306275\nCommit: https://github.com/openjdk/jdk/commit/5bd2af26e66a863edc670229444b3282ba639563#diff-b15006727d01f54cc5d9a7d8ba6629f5445c136ddb94893d89ba359a6fe11e17R517\n--\u003e\n\n#### Class path has been appended\n\nWhen the agent is loaded in the target process, the JVM will print the following warning:\n\n\u003e OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader\n\u003e classes because bootstrap classpath has been appended.\n\nThis is expected behaviour since the agent modifies the bootstrap classpath during initialisation. 
\nThe warning has existed since [Java 10](https://docs.oracle.com/javase/8/docs/technotes/guides/vm/class-data-sharing.html),\nwhen the classpath data sharing functionality was implemented.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneykov%2Fextract-tls-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneykov%2Fextract-tls-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneykov%2Fextract-tls-secrets/lists"}