A tiny command-line utility that automatically creates Wireshark SSL key (NSS) files from Java SSL debug logs.
These files can be used to decrypt HTTPS (or any other SSL/TLS) traffic produced by a Java application.

💡 To get an idea of how it can be used, please refer to this article (in Russian).


  • Support for both RSA and Diffie-Hellman (PFS) negotiation modes;
  • Support for various argument values (the :data value suffix is required);
  • Support for logs written by applications running on various JRE versions (from 6 to 8);
  • Support for multiple independent consecutive SSL sessions;
  • Customizable output file creation modes: skip, rewrite, append (useful for combining with other tools);
  • Lightweight pure Java application with no external dependencies (just a JRE).


You can always get the newest version of NSS Java Maker on the latest release page.


NSS Java Maker is distributed under GNU General Public License V3. For more info see LICENSE.txt.

System Requirements

NSS Java Maker requires only JRE 8+ to start.


⚠️ Please note that using this utility is just one intermediate step in the more complex process of decrypting Java SSL/TLS traffic. Traffic capture and SSL debug logging precede this step; decryption in Wireshark follows it. To get familiar with the process as a whole, please refer to the article "Decrypting Java applications' TLS traffic via logs" or the author's article in Hacker computer magazine (both in Russian).

Basic usage

The only thing NSS Java Maker needs in order to start is the path to the input Java SSL log:

java -jar nssjavamaker.jar some/directory/java-ssl-debug.log

By default, the utility produces an output file named session-keys.nss in the same directory.

Additional options usage

1️⃣ The output file path can be customized with the -out: option, e.g.:

java -jar nssjavamaker.jar -out:export/session-5.nss some/directory/java-ssl-debug.log

This time the results will be saved to the file session-5.nss in the export directory (resolved against the current working directory).

2️⃣ You can also set how the output file is treated if it already exists. This is defined by the -outMode: option, e.g.:

java -jar nssjavamaker.jar -out:export/session-5.nss -outmode:append some/directory/java-ssl-debug.log

Launched this way, the utility will append the result to the file export/session-5.nss if it already exists. If the option has the value SKIP, the utility will stop running and print an appropriate message to the console; this is the default behavior. The last value for the -outMode: option is REWRITE, which means erasing all previous content of the output file and filling it with the results of the latest launch.

3️⃣ If your input log file contains national characters that the JVM's default charset does not handle well, you may need to specify the input file encoding with the -encoding: option:

java -jar nssjavamaker.jar -encoding:CP1253 some/directory/some-foreign-dump.log

With the option set to CP1253, the utility reads the input log file using the specified encoding instead of the JVM's default. The value of the option is simply the canonical name or an alias of the appropriate charset.

ℹ️ Remember that you can always get a short usage help if you start NSS Java Maker with no arguments.
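An added example, not part of NSS Java Maker: a sanity check for a key file before it is loaded into Wireshark, useful after several runs have been merged with the append mode. It assumes the output follows the standard NSS key log format for TLS 1.2 and earlier (RSA and CLIENT_RANDOM lines); the function name check_keylog and the sample data are constructed for illustration.

```python
import re

# Line grammar of the NSS key log format for TLS 1.2 and earlier:
#   RSA <16 hex: first 8 bytes of encrypted pre-master> <96 hex: pre-master secret>
#   CLIENT_RANDOM <64 hex: client random> <96 hex: master secret>
LINE_RE = re.compile(
    r"^(?:RSA (?P<rsa_id>[0-9a-fA-F]{16})|CLIENT_RANDOM (?P<cr_id>[0-9a-fA-F]{64}))"
    r" (?P<secret>[0-9a-fA-F]{96})$"
)

def check_keylog(text):
    """Return (entries, problems) for the text of an NSS key log file."""
    entries = {}    # (label, identifier) -> secret
    problems = []   # (line number, description); secrets are never echoed
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        m = LINE_RE.match(line)
        if m is None:
            problems.append((lineno, "malformed line"))
            continue
        label = "RSA" if m.group("rsa_id") else "CLIENT_RANDOM"
        key = (label, (m.group("rsa_id") or m.group("cr_id")).lower())
        secret = m.group("secret").lower()
        if key not in entries:
            entries[key] = secret
        elif entries[key] == secret:
            problems.append((lineno, "duplicate entry"))
        else:
            problems.append((lineno, "conflicting secret for same identifier"))
    return entries, problems

# Constructed sample: not real key material.
SAMPLE = "\n".join([
    "# constructed sample, e.g. two runs merged with append mode",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "01" * 48,
    "RSA " + "cd" * 8 + " " + "02" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "01" * 48,   # same session appended twice
    "CLIENT_RANDOM " + "ef" * 32 + " " + "03" * 40,   # truncated secret
])

if __name__ == "__main__":
    entries, problems = check_keylog(SAMPLE)
    print(len(entries), "usable entries")
    for lineno, what in problems:
        print(f"line {lineno}: {what}")
```

Because every valid line carries a session secret, the check reports only line numbers and problem types, never the key material itself.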


In the current version NSS Java Maker has the following limitations:

  • Multi-threaded SSL/TLS communication logs are not supported.
    This means that if your Java application writes to the log from several simultaneously running threads (each with SSL activity), proper results are not guaranteed.
  • The :data-disabled log mode is not supported.
    This means that NSS Java Maker cannot extract SSL key parameters from a log that lacks hex dumps (when the :data part of the option is not set).

Feedback & contacts

If you found a bug or need a feature in the utility please feel free to create issues in the project's repository or contact the author directly:

