Keylog capture not working with OpenSSL 1.1.0 #533

AmazingPP · 2024-04-28T07:43:54Z

Describe the bug

When using the ecapture tool with OpenSSL 1.1.0 to capture keylog data with the -m keylog option, no output is generated.

To Reproduce

Steps to reproduce the behavior:

Clone the ecapture repository using git clone https://github.com/gojue/ecapture.git
Compile OpenSSL 1.1.0a from source and install it in /opt/openssl
Compile curl with the provided OpenSSL 1.1.0 library
Start ecapture in text mode to capture TLS traffic using sudo ./bin/ecapture tls --libssl=/opt/openssl/lib/libssl.so.1.1
Initiate an HTTPS request using a tool compiled against the same OpenSSL 1.1.0 library (e.g., curl)
Observe that the decrypted TLS traffic is correctly captured and displayed
Stop the ecapture process
Attempt to capture keylog data using sudo ./bin/ecapture tls -m keylog -k ecapture.txt --libssl=/opt/openssl/lib/libssl.so.1.1
No output is generated in the ecapture.txt file

Expected behavior

When using the -m keylog option with OpenSSL 1.1.0, ecapture should capture and output keylog data to the specified file (ecapture.txt in this case).

Screenshots

I cannot provide screenshots directly, but here is the relevant output from the terminal:

$ sudo ./bin/ecapture tls --libssl=/opt/openssl/lib/libssl.so.1.1
# ... TLS decryption output ...

$ sudo ./bin/ecapture tls -m keylog -k ecapture.txt --libssl=/opt/openssl/lib/libssl.so.1.1
# No output in ecapture.txt

Linux Server:

OS: Ubuntu 20.04.6 LTS
Arch: x86_64
Kernel Version: 5.4.0-176-generic
Version: a8acece

Additional context

This issue seems to be specific to the OpenSSL 1.1.0 version. I have tried reproducing this issue on multiple Linux distributions and kernel versions, and the behavior is consistent with OpenSSL 1.1.0. It seems that the keylog capture functionality is not working as expected with this particular OpenSSL version, despite TLS decryption working correctly. I would appreciate if this issue could be investigated and resolved for OpenSSL 1.1.0 compatibility.

The text was updated successfully, but these errors were encountered:

AmazingPP · 2024-04-28T11:04:38Z

The issue seems to be related to the incorrect assignment of the OpenSSL offset for OpenSSL 1.1.0 in the probe_openssl_lib.go file.

ecapture/user/module/probe_openssl_lib.go

Line 107 in a8acece

m.sslVersionBpfMap["openssl 1.1.0"+string(ch)] = "openssl_1_1_1a_kern.o"

After correcting the file assignment, the keylog capture starts working, but the captured data appears to be incorrect.

the problem was the `client_random` member having different offsets within the `ssl3_state_st` structure across various OpenSSL versions Fixes gojue#533

cfc4n · 2024-04-28T15:10:16Z

Can text mode work?

AmazingPP · 2024-04-28T15:41:54Z

Can text mode work?

Yes, the text mode works normally.

* user : fixed the incorrect assignment of the OpenSSL offset for OpenSSL 1.1.0 * kern: fix incorrect client_random capture for different OpenSSL versions the problem was the `client_random` member having different offsets within the `ssl3_state_st` structure across various OpenSSL versions Fixes #533

cfc4n added good first issue Good for newcomers invalid This doesn't seem right labels Apr 28, 2024

AmazingPP mentioned this issue Apr 28, 2024

Fix keylog mode not working correctly on certain OpenSSL versions #534

Merged

cfc4n closed this as completed in #534 Apr 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Keylog capture not working with OpenSSL 1.1.0 #533

Keylog capture not working with OpenSSL 1.1.0 #533

AmazingPP commented Apr 28, 2024

AmazingPP commented Apr 28, 2024

cfc4n commented Apr 28, 2024

AmazingPP commented Apr 28, 2024

Keylog capture not working with OpenSSL 1.1.0 #533

Keylog capture not working with OpenSSL 1.1.0 #533

Comments

AmazingPP commented Apr 28, 2024

AmazingPP commented Apr 28, 2024

cfc4n commented Apr 28, 2024

AmazingPP commented Apr 28, 2024