Overview
`wget-ssl-debug-log` is a wrapper that runs `wget` with its debug output enabled and captures everything it prints, so that SSL/TLS connection problems can be diagnosed from the log afterwards. The log shows what a normal `wget` run hides or reduces to a single error line: the connection and handshake steps, the outcome of certificate verification (including why a certificate was rejected), and whatever protocol-negotiation detail the TLS library `wget` was built against reports. It is not a standard command; see Installation for how it is put together.
Key Features
- Detailed SSL/TLS handshake logging
- Tracking certificate validation process
- Recording cipher suite and protocol negotiation information
- Diagnosing TLS connection failures (expired, self-signed or mismatched certificates, failed handshakes)
Key Options
As `wget-ssl-debug-log` internally uses the `wget` command, you can leverage `wget`'s various options. The following are `wget` options particularly useful for SSL debugging.
SSL/TLS Related
- `--no-check-certificate`: skip verification of the server certificate (see the Security Warning below)
- `--ca-certificate=FILE`: verify the server against the CA bundle in FILE instead of the system store
- `--ca-directory=DIR`: verify against a directory of hashed CA certificate files
- `--certificate=FILE` and `--private-key=FILE`: present a client certificate
- `--secure-protocol=PROTOCOL`: pin the protocol version, for example `TLSv1_2` or `TLSv1_3` (`auto` is the default)
- `--https-only`: when crawling recursively, follow only HTTPS links
Output/Logging
- `-d`, `--debug`: print debug output (this is what the wrapper turns on)
- `-o FILE`, `--output-file=FILE`: send all messages, debug output included, to FILE instead of standard error
- `-a FILE`, `--append-output=FILE`: the same, appending to FILE
- `-v`, `-nv`, `-q`: verbose (the default), less verbose, or quiet
Usage Examples
`wget-ssl-debug-log` is primarily used to diagnose SSL/TLS connection issues for specific URLs. Here are a few common usage examples.
Basic SSL Debug Logging
wget-ssl-debug-log https://expired.badssl.com/
Generates detailed SSL debug logs for the specified URL. `expired.badssl.com` deliberately serves an expired certificate, so the log ends in a certificate validation failure that you can compare against a healthy run. Logs are also written to standard output.
Saving Logs to a Specific File
wget-ssl-debug-log https://example.com/ -o my_ssl_debug.log
Saves the log to a separate file. With the wrapper script shown under Installation, `-o` is passed straight through to `wget`, where it means `--output-file`: `wget` then writes all of its messages, debug output included, to `my_ssl_debug.log` instead of standard error, and the wrapper's own timestamped log file receives nothing. Use one or the other, not both.
Ignoring Certificate Validation (Caution)
wget-ssl-debug-log --no-check-certificate https://self-signed.badssl.com/
When certificate validation fails, `--no-check-certificate` lets the connection proceed anyway so that the rest of the exchange can be captured; `wget` still reports the validation result, downgraded from an ERROR to a WARNING line. This is useful for diagnosis, but the download then travels over a connection whose peer was never authenticated: anyone on the network path can impersonate the server. Never use it in production or for anything you will execute or install.
Installation
`wget-ssl-debug-log` is not a command shipped by any standard Linux distribution. It is either a `wget` built from source with debug support or, more commonly, a small shell script that wraps the installed `wget`. Both approaches follow.
Method 1: Compile `wget` from Source
`wget` only understands `--debug` when it was configured with debug support, which is the default; a package built with `--disable-debug` answers `Debugging support not compiled in. Ignoring --debug flag.` when `--debug` is used. Check for that message first. If your installed `wget` prints it, rebuild from source with `--enable-debug`, selecting OpenSSL with `--with-ssl=openssl` (without that flag the build uses GnuTLS, which is also what Debian and Ubuntu packages link). Rebuilding does not produce more detail than a distribution package that already has debug support, so Method 2 is usually enough.
sudo apt update && sudo apt install -y build-essential pkg-config libssl-dev
cd /tmp
# Check https://ftp.gnu.org/gnu/wget/ for the latest release; every tarball has a detached .sig
wget https://ftp.gnu.org/gnu/wget/wget-1.21.4.tar.gz
wget https://ftp.gnu.org/gnu/wget/wget-1.21.4.tar.gz.sig
gpg --verify wget-1.21.4.tar.gz.sig wget-1.21.4.tar.gz   # requires the GNU wget maintainer key in your keyring
tar -xzf wget-1.21.4.tar.gz
cd wget-1.21.4
./configure --prefix=/usr/local --with-ssl=openssl --enable-debug
make
sudo make install
# The new binary is /usr/local/bin/wget; confirm it is the one your shell now finds
hash -r && wget --version | head -n 1
Example: Compiling `wget` from Source
Method 2: Create a Shell Script
You can create a shell script for SSL debug logging around your existing `wget` installation. The script runs `wget` with `--debug` and captures standard output and standard error to a timestamped file; system call tracing with `strace` or `ltrace` can be layered on top, with two limits worth knowing: `strace` shows the socket calls (`connect`, `sendto`, `recvfrom`) but never TLS plaintext, because encryption happens in user space inside the TLS library, and `ltrace` only sees library calls when `wget` is dynamically linked. This is simpler than compiling and, on a distribution `wget` that has debug support, produces the same `wget` output.
#!/bin/bash
# wget-ssl-debug-log.sh: run wget with --debug and keep a timestamped copy of everything it prints
set -o pipefail   # report wget's exit status, not tee's

LOG_FILE="wget_ssl_debug_$(date +%Y%m%d_%H%M%S).log"
echo "[$(date)] Starting wget with SSL debug logging..."
echo "Log file: $LOG_FILE"

# Optional TLS library knobs, honoured by GnuTLS builds of wget (check `wget --version` for +ssl/gnutls);
# OpenSSL ignores both. The key log decrypts captured traffic, so keep it private and delete it afterwards.
# export SSLKEYLOGFILE="ssl_key_log.txt"   # TLS session secrets for Wireshark
# export GNUTLS_DEBUG_LEVEL=3              # library-level handshake messages on stderr

# All arguments are passed through to wget; stderr is merged so tee captures the debug output
wget --debug "$@" 2>&1 | tee -a "$LOG_FILE"
status=$?

# Optional: trace socket-level system calls (TLS plaintext is not visible here)
# strace -f -o "${LOG_FILE%.log}_strace.log" wget --debug "$@"

echo "[$(date)] Debugging complete with exit status $status. Check $LOG_FILE for details."
exit "$status"
Example: `wget-ssl-debug-log.sh` Script
chmod +x wget-ssl-debug-log.sh
sudo mv wget-ssl-debug-log.sh /usr/local/bin/wget-ssl-debug-log
Granting Execute Permissions and Moving the Script
Tips & Precautions
SSL debug logging is very verbose and log files grow quickly; disable debug mode and remove the logs once the problem is resolved. The logs also contain the full HTTP request and response headers, including `Authorization` headers, cookies and any credentials embedded in the URL, so treat them as sensitive and redact them before attaching them to a ticket.
Log Analysis Tips
Searching for the following keywords in the generated log files can help with problem resolution:
- `ERROR`
- `FAIL`
- `certificate`
- `handshake`
- `protocol`
- `cipher`
- `peer`
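The keyword search above, turned into a small POSIX shell triage script as an added example (it is not part of the wrapper, of `wget`, or of this page's original script). `tls_lines` applies the keyword filter, and `classify_tls_log` goes one step further and names the failure class from the message text. The three sample logs are constructed to resemble `wget` output and were not captured from real runs, and the message patterns are deliberately loose because the exact wording differs between the OpenSSL and GnuTLS builds of `wget`.

```shell
#!/bin/sh
# Added example: triage a wget --debug log for the TLS failure it records.
# Not part of the wrapper or of wget. The sample logs below are constructed to
# resemble wget's messages; they were not captured from real runs.

# tls_lines keeps only the lines that match the keywords from the tips above.
tls_lines() {
    grep -Ei 'ERROR|FAIL|certificate|handshake|protocol|cipher|peer'
}

# classify_tls_log reads a wget debug log on stdin and prints one label:
# expired, self-signed, hostname-mismatch, untrusted-issuer, handshake or ok.
# The most specific message is tested first, because wget prints several
# lines per failure and a generic "not trusted" line may accompany a specific one.
classify_tls_log() {
    log=$(cat)
    if   printf '%s\n' "$log" | grep -Eqi 'has expired'; then
        echo expired
    elif printf '%s\n' "$log" | grep -Eqi 'self-signed certificate'; then
        echo self-signed
    elif printf '%s\n' "$log" | grep -Eqi 'doesn.t match requested host name'; then
        echo hostname-mismatch
    elif printf '%s\n' "$log" | grep -Eqi 'locally verify|not trusted|unknown issuer'; then
        echo untrusted-issuer
    elif printf '%s\n' "$log" | grep -Eqi 'unable to establish ssl connection|handshake.*fail'; then
        echo handshake
    else
        echo ok
    fi
}

# Constructed sample logs, abridged to the lines that matter.
SAMPLE_EXPIRED=$(cat <<'EOF'
DEBUG output created by Wget 1.21.4 on linux-gnu.
Connecting to expired.badssl.com:443... connected.
ERROR: The certificate of 'expired.badssl.com' has expired.
To connect to expired.badssl.com insecurely, use `--no-check-certificate'.
EOF
)
SAMPLE_SELF_SIGNED=$(cat <<'EOF'
DEBUG output created by Wget 1.21.4 on linux-gnu.
Connecting to self-signed.badssl.com:443... connected.
ERROR: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com':
  Self-signed certificate encountered.
To connect to self-signed.badssl.com insecurely, use `--no-check-certificate'.
EOF
)
SAMPLE_OK=$(cat <<'EOF'
DEBUG output created by Wget 1.21.4 on linux-gnu.
Connecting to example.com:443... connected.
HTTP request sent, awaiting response... 200 OK
Saving to: 'index.html'
EOF
)

# Stand-alone use: classify a real log given as an argument, otherwise the samples.
if [ $# -gt 0 ]; then
    classify_tls_log < "$1"
else
    printf 'EXPIRED      %s\n' "$(printf '%s\n' "$SAMPLE_EXPIRED" | classify_tls_log)"
    printf 'SELF_SIGNED  %s\n' "$(printf '%s\n' "$SAMPLE_SELF_SIGNED" | classify_tls_log)"
    printf 'OK           %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_tls_log)"
fi
```

Run it as `sh triage.sh wget_ssl_debug_20240101_120000.log` against a log produced by the wrapper; the label tells you whether to chase a CA store problem, a hostname problem or a handshake problem before reading the full log. Note that the patterns match message text, not the URL, so a host called `self-signed.badssl.com` is not misclassified on its name alone.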
Security Warning
The `--no-check-certificate` option poses a security risk and should only be used for diagnostic purposes, never in production environments.
- With `--no-check-certificate`, anyone on the network path can present their own certificate and read or modify the download (a machine-in-the-middle attack); `wget` will not object beyond a WARNING line
- Fix the cause instead: point `--ca-certificate` at the missing CA, request the correct hostname, or renew the expired certificate
Utilizing OpenSSL Environment Variables
The `SSLKEYLOGFILE` environment variable makes the TLS library write the session secrets of each connection (the TLS 1.2 master secret, or the TLS 1.3 traffic secrets) to a file, which Wireshark or `tshark` can then use to decrypt a packet capture of that session. This is not OpenSSL debug logging: OpenSSL ignores the variable, and `wget` 1.x documents no key-log option of its own for OpenSSL builds (treat that as an assumption and test your binary). It therefore only works when `wget` was built against GnuTLS, which reads `SSLKEYLOGFILE` directly; check `wget --version` for `+ssl/gnutls`, the usual case on Debian and Ubuntu, and note that a build from Method 1 with `--with-ssl=openssl` will not write the file. GnuTLS builds also honour `GNUTLS_DEBUG_LEVEL` (for example `GNUTLS_DEBUG_LEVEL=3`) for library-level handshake messages on standard error. The key log decrypts everything captured in those sessions, so create it with restrictive permissions, never export the variable from a login profile, and delete it when the analysis is done.
# Only effective when wget is built against GnuTLS; check `wget --version` for +ssl/gnutls
umask 077
export SSLKEYLOGFILE="/tmp/ssl_key_log.txt"
wget-ssl-debug-log https://example.com/
unset SSLKEYLOGFILE
# Decrypt a capture of the session (capture.pcapng stands for your own capture file) with tshark,
# or in Wireshark under Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename
tshark -r capture.pcapng -o tls.keylog_file:/tmp/ssl_key_log.txt -Y http
shred -u /tmp/ssl_key_log.txt
Example: TLS Session Secret Logging
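The build check from Method 1 and the key-logging caveat above combined into one added example (it is not code from `wget` or from this page's script): `tls_backend` reads `wget --version` and reports the TLS library, `keylog_supported` says whether `SSLKEYLOGFILE` will do anything for that build, `run_keylogged_debug` runs a key-logged debug session in a private directory, and `keylog_summary` confirms that secrets were actually written. The version text and key log used to exercise it are constructed. Two assumptions are made here: that `wget` 1.x has no key-log support of its own for OpenSSL builds, and that a build without TLS shows `-ssl` in its feature line.

```shell
#!/bin/sh
# Added example: decide whether SSLKEYLOGFILE will do anything for this wget,
# and run a key-logged debug session with the secrets file kept private.
# Not part of the wrapper or of wget; the test inputs are constructed.

# tls_backend reads `wget --version` text on stdin and prints gnutls, openssl,
# none or unknown, based on the +ssl/<lib> feature flag. That a TLS-less build
# shows "-ssl" is an assumption, not something checked against every release.
tls_backend() {
    case "$(cat)" in
        *+ssl/gnutls*)  echo gnutls ;;
        *+ssl/openssl*) echo openssl ;;
        *-ssl*)         echo none ;;
        *)              echo unknown ;;
    esac
}

# keylog_supported returns 0 when SSLKEYLOGFILE will be honoured. GnuTLS reads
# the variable inside the library; OpenSSL does not, and wget 1.x is assumed to
# install no keylog callback of its own (assumption; verify with your binary).
keylog_supported() {
    [ "$1" = gnutls ]
}

# keylog_summary counts the secret lines in a key log file by their labels
# (CLIENT_RANDOM for TLS 1.2, the per-phase *_TRAFFIC_SECRET labels for TLS 1.3).
# Comments and blank lines are ignored; a missing file counts as zero. Zero after a
# successful download means the variable was ignored by this build.
keylog_summary() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec '^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) ' "$1" || :
}

# run_keylogged_debug runs wget --debug on the given URL(s) inside a fresh
# mode-0700 work directory that holds both the debug log and the key log,
# prints the directory path, and returns wget's exit status. The umask makes
# both files 0600; delete the directory once Wireshark is done with it.
run_keylogged_debug() {
    workdir=$(mktemp -d) || return 1
    (
        umask 077
        export SSLKEYLOGFILE="$workdir/ssl_key_log.txt"
        wget --debug "$@" > "$workdir/wget_debug.log" 2>&1
    )
    status=$?
    echo "$workdir"
    return "$status"
}

# Stand-alone use: report the installed wget's backend, then, if a URL was given,
# run a key-logged session and say how many secrets were written.
if command -v wget > /dev/null 2>&1; then
    backend=$(wget --version | tls_backend)
    echo "installed wget TLS backend: $backend"
    if keylog_supported "$backend"; then
        echo "SSLKEYLOGFILE will be honoured by this build"
    else
        echo "SSLKEYLOGFILE will be ignored by this build"
    fi
    if [ $# -gt 0 ]; then
        dir=$(run_keylogged_debug "$@") || echo "wget exited with status $?"
        echo "logs in $dir; secrets written: $(keylog_summary "$dir/ssl_key_log.txt")"
        echo "decrypt a capture of the session with:"
        echo "  tshark -r capture.pcapng -o tls.keylog_file:$dir/ssl_key_log.txt -Y http"
    fi
fi
```

Run it as `sh keylog-check.sh https://example.com/` while `tcpdump` or `tshark` captures port 443; if `secrets written` is 0 on a GnuTLS build, the variable was not exported into `wget`'s environment, and on an OpenSSL build it is expected. The work directory is created by `mktemp -d` and is already 0700, so the key log is never readable by other users even before you delete it.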