Charles Proxy is one of the most well known SSL debugging tools. Charles has got us out of a bunch of jams before, and we've always kept this around for when we need it:
# For Charles Proxy. ALL_PROXY is Curl specific #export HTTP_PROXY=http://localhost:2222/; export ALL_PROXY=http://localhost:2222/
Reinstalling Charles' root certificate after OS X updates is boring. You need to run:
# See if Charles' root certificate is installed keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep charles # Reinstall Charles' root certificate sudo keytool -import -alias charles -file /Applications/Charles.app//Contents/doc/charles-proxy-ssl-proxying-certificate.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass somePasswordButMyNotMyActualPassword
These drawbacks don't stop Charles from being a useful piece of software, and we'll keep Charles around. However if you just want to see the unencrypted contents of your SSL traffic from a web browsing session, and if that browser is Chrome or Firefox, there's a simpler solution.
Got a copy? Let's go:
sudo tcpdump -i en0 -s 0 tcp port https -w ~/Desktop/capture.pcap
en0 with your network interface as reported by
ifconfig (OS X) or
ip addr (Linux).
Stop any existing instances of Chrome or Firefox (whichever you're intending to use).
Then open a Terminal and run the following:
touch ~/Desktop/session-key.log export SSLKEYLOGFILE="~/Desktop/session-key.log"
Start either Chrome or Firefox:
open /Applications/Google\ Chrome.app
Browse to an https:// URL. It will start creating the session-key.log file.
If you like, you can watch it in a terminal:
tail -f ~/Desktop/session-key.log
If you're interested, the session key format is documented at Mozilla:
Open the .pcap file and visit Wireshark > Preferences. Under Protocols, scroll down to SSL and load the file. You can skip to just the https parts with the following filter:
And a specific host with:
ip.addr == 10.10.10.1
To look at a particular TCP session, right click on any of the entries and choose to “Follow SSL Stream”.
We hope you'll find the session keys method shown here is as useful as we do. You will probably want to keep Charles around for apps like wget and curl. That said, if the reason you're using wget or curl is to test a REST API, consider Postman: it's a Chrome app, so uses Chrome session keys. It's more REST-focused so you'll spend more time testing and less reading a manual page.
Mike MacCana, founder at CertSimple.
An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!