OLD | NEW |
1 # Introduction | 1 # Debuggin SSL on Linux |
2 | 2 |
3 To help anyone looking at the SSL code, here are a few tips I've found handy. | 3 To help anyone looking at the SSL code, here are a few tips I've found handy. |
4 | 4 |
5 # Building your own NSS | 5 [TOC] |
6 | 6 |
7 In order to use a debugger with the NSS library, it helps to build NSS yourself.
Here's how I did it: | 7 ## Building your own NSS |
| 8 |
| 9 In order to use a debugger with the NSS library, it helps to build NSS yourself. |
| 10 Here's how I did it: |
8 | 11 |
9 First, read | 12 First, read |
10 http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.htm
l | 13 http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.htm
l |
11 and/or | 14 and/or |
12 https://developer.mozilla.org/En/NSS_reference/Building_and_installing_NSS/Build
_instructions | 15 https://developer.mozilla.org/En/NSS_reference/Building_and_installing_NSS/Build
_instructions |
13 | 16 |
14 Then, to build the most recent source tarball: | 17 Then, to build the most recent source tarball: |
15 ``` | 18 |
16 cd $HOME | 19 ```shell |
17 wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/s
rc/nss-3.12-with-nspr-4.7.tar.gz | 20 cd $HOME |
18 tar -xzvf nss-3.12-with-nspr-4.7.tar.gz | 21 wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/sr
c/nss-3.12-with-nspr-4.7.tar.gz |
19 cd nss-3.12/ | 22 tar -xzvf nss-3.12-with-nspr-4.7.tar.gz |
20 cd mozilla/security/nss/ | 23 cd nss-3.12/ |
21 make nss_build_all | 24 cd mozilla/security/nss/ |
| 25 make nss_build_all |
22 ``` | 26 ``` |
23 | 27 |
24 Sadly, the latest release, 3.12.2, isn't available as a tarball, so you have to
build it from cvs: | 28 Sadly, the latest release, 3.12.2, isn't available as a tarball, so you have to |
25 ``` | 29 build it from cvs: |
26 cd $HOME | 30 |
27 mkdir nss-3.12.2 | 31 ```shell |
28 cd nss-3.12.2 | 32 cd $HOME |
29 export CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot | 33 mkdir nss-3.12.2 |
30 cvs login | 34 cd nss-3.12.2 |
31 cvs co -r NSPR_4_7_RTM NSPR | 35 export CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot |
32 cvs co -r NSS_3_12_2_RTM NSS | 36 cvs login |
33 cd mozilla/security/nss/ | 37 cvs co -r NSPR_4_7_RTM NSPR |
34 make nss_build_all | 38 cvs co -r NSS_3_12_2_RTM NSS |
| 39 cd mozilla/security/nss/ |
| 40 make nss_build_all |
35 ``` | 41 ``` |
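Review bot: both build recipes (NEW lines 19-25 and 31-40) fetch the NSS and NSPR source over unauthenticated channels, plain FTP for the tarball and anonymous cvs pserver for the checkout, and nothing verifies what arrived before `make nss_build_all` turns it into the TLS library under test. Add a step that compares the tarball against a known-good checksum before `tar -xzvf`, or at least say that the developer should do so.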
36 | 42 |
37 # Linking against your own NSS | 43 ## Linking against your own NSS |
38 | 44 |
39 Sadly, I don't know of a nice way to do this; I always do | 45 Sadly, I don't know of a nice way to do this; I always do |
40 ``` | 46 |
41 hammer --verbose net > log 2>&1 | 47 hammer --verbose net > log 2>&1 |
42 ``` | 48 |
43 then grab the line that links my app and put it into a shell script link.sh, | 49 then grab the line that links my app and put it into a shell script link.sh, |
44 and edit it to include the line | 50 and edit it to include the line |
45 ``` | |
46 DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib | |
47 ``` | |
48 and insert a -L$DIR right before the -lnss3. | |
49 | 51 |
50 Note that hammer often builds the app in one, deeply buried, place, then copies
it into Hammer | 52 DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib |
51 for ease of use. You'll probably want to make your link.sh do the same thing. | |
52 | 53 |
53 Then, after a source code change, do the usual "hammer net" followed by "sh link
.sh". | 54 and insert a `-L$DIR` right before the `-lnss3`. |
| 55 |
| 56 Note that hammer often builds the app in one, deeply buried, place, then copies |
| 57 it into Hammer for ease of use. You'll probably want to make your `link.sh` do |
| 58 the same thing. |
| 59 |
| 60 Then, after a source code change, do the usual `hammer net` followed by |
| 61 `sh link.sh`. |
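Review bot: `-L$DIR` at NEW line 54 only changes where the linker finds libnss3 at link time; at run time the dynamic loader resolves the same soname from the system library path, so without the `LD_LIBRARY_PATH` that `run.sh` sets in the next section the binary silently loads the system NSS rather than the debug build, and breakpoints inside NSS never hit. One sentence here saying that linking is only half the job would save readers who skip ahead. Also, the `hammer --verbose net > log 2>&1` and `DIR=...` lines (NEW 47 and 52), like the other bare command lines later in the file, now sit as plain text while the build commands use ```shell fences; keep one style.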
54 | 62 |
55 Then, to run the resulting app, use a script like | 63 Then, to run the resulting app, use a script like |
56 | 64 |
57 # Running against your own NSS | 65 ## Running against your own NSS |
58 Create a script named 'run.sh' like this: | 66 |
59 ``` | 67 Create a script named `run.sh` like this: |
| 68 |
| 69 ```sh |
60 #!/bin/sh | 70 #!/bin/sh |
61 set -x | 71 set -x |
62 DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib | 72 DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib |
63 export LD_LIBRARY_PATH=$DIR | 73 export LD_LIBRARY_PATH=$DIR |
64 "$@" | 74 "$@" |
65 ``` | 75 ``` |
66 | 76 |
67 Then run your app with | 77 Then run your app with |
68 ``` | 78 |
69 sh run.sh Hammer/foo | 79 sh run.sh Hammer/foo |
70 ``` | |
71 | 80 |
72 Or, to debug it, do | 81 Or, to debug it, do |
73 ``` | |
74 sh run.sh gdb Hammer/foo | |
75 ``` | |
76 | 82 |
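Review bot: the sentence "Then, to run the resulting app, use a script like" (NEW line 63) is left dangling above the `## Running against your own NSS` heading and is then restated by line 67 ("Create a script named `run.sh` like this:"); drop it or move it under the heading.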
77 # Logging | 83 sh run.sh gdb Hammer/foo |
| 84 |
| 85 ## Logging |
78 | 86 |
79 There are several flavors of logging you can turn on. | 87 There are several flavors of logging you can turn on. |
80 | 88 |
81 * SSLClientSocketNSS can log its state transitions and function calls using ba
se/logging.cc. To enable this, edit net/base/ssl\_client\_socket\_nss.cc and ch
ange #if 1 to #if 0. See base/logging.cc for where the output goes (on Linux,
it's usually stderr). | 89 * `SSLClientSocketNSS` can log its state transitions and function calls using |
| 90 `base/logging.cc`. To enable this, edit `net/base/ssl_client_socket_nss.cc` |
| 91 and change `#if 1` to `#if 0`. See `base/logging.cc` for where the output |
| 92 goes (on Linux, it's usually stderr). |
82 | 93 |
83 * HttpNetworkTransaction and friends can log its state transitions using base/
trace\_event.cc. To enable this, arrange for your app to call base::TraceLog::
StartTracing(). The output goes to a file named trace...pid.log in the same dir
ectory as the executable (e.g. Hammer/trace\_15323.log). | 94 * `HttpNetworkTransaction` and friends can log its state transitions using |
| 95 `base/trace_event.cc`. To enable this, arrange for your app to call |
| 96 `base::TraceLog::StartTracing()`. The output goes to a file named |
| 97 `trace...pid.log` in the same directory as the executable (e.g. |
| 98 `Hammer/trace_15323.log`). |
84 | 99 |
85 * NSS itself can log some events. To enable this, set the envirnment variable
s SSLDEBUGFILE=foo.log SSLTRACE=99 SSLDEBUG=99 before running your app. | 100 * `NSS` itself can log some events. To enable this, set the environment |
| 101 variables `SSLDEBUGFILE=foo.log SSLTRACE=99 SSLDEBUG=99` before running |
| 102 your app. |
86 | 103 |
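Review bot: the NSS bullet (NEW lines 100-102) needs a caveat that `SSLTRACE=99` makes NSS hexdump handshake messages and record contents, including plaintext application data, into `SSLDEBUGFILE`, so the resulting `foo.log` can carry cookies and credentials from the session and must not be attached to a bug unscrubbed. Minor: `NSS` on line 100 is a project name rather than a code identifier, so the backticks read oddly next to `SSLClientSocketNSS` and `HttpNetworkTransaction`.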
87 # Network Traces | 104 ## Network Traces |
88 | 105 |
89 http://wiki.wireshark.org/SSL describes how to decode SSL traffic. | 106 http://wiki.wireshark.org/SSL describes how to decode SSL traffic. Chromium SSL |
90 Chromium SSL unit tests that use src/net/base/ssl\_test\_util.cc to | 107 unit tests that use `net/base/ssl_test_util.cc` to set up their servers always |
91 set up thir servers always use port 9443 with src/net/data/ssl/certificates/ok\_
cert.pem, | 108 use port 9443 with `net/data/ssl/certificates/ok_cert.pem`, and port 9666 with |
92 and port 9666 with src/net/data/ssl/certificates/expired\_cert.pem | 109 `net/data/ssl/certificates/expired_cert.pem` This makes it easy to configure |
93 This makes it easy to configure Wireshark to decode the traffic: do | 110 Wireshark to decode the traffic: do |
| 111 |
94 Edit / Preferences / Protocols / SSL, and in the "RSA Keys List" box, enter | 112 Edit / Preferences / Protocols / SSL, and in the "RSA Keys List" box, enter |
95 ``` | 113 |
96 127.0.0.1,9443,http,<path to ok_cert.pem>;127.0.0.1,9666,http,<path to expired_c
ert.pem> | 114 127.0.0.1,9443,http,<path to ok_cert.pem>;127.0.0.1,9666,http,<path to expir
ed_cert.pem> |
97 ``` | 115 |
98 e.g. | 116 e.g. |
99 ``` | 117 |
100 127.0.0.1,9443,http,/home/dank/chromium/src/net/data/ssl/certificates/ok_cert.pe
m;127.0.0.1,9666,http,/home/dank/chromium/src/net/data/ssl/certificates/expired_
cert.pem | 118 127.0.0.1,9443,http,/home/dank/chromium/src/net/data/ssl/certificates/ok_cer
t.pem;127.0.0.1,9666,http,/home/dank/chromium/src/net/data/ssl/certificates/expi
red_cert.pem |
101 ``` | 119 |
102 Then capture all tcp traffic on interface lo, and run your test. | 120 Then capture all tcp traffic on interface lo, and run your test. |
103 | 121 |
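Review bot: the Wireshark "RSA Keys List" recipe (NEW lines 112-118) only decrypts traffic when the test handshake negotiated an RSA key exchange cipher suite and the listed file contains the server's private key, not just its certificate; with a DHE or ECDHE suite the records stay encrypted whatever key is configured. Worth one sentence, since `ok_cert.pem` and `expired_cert.pem` are named as if the certificate alone were enough. Also, line 109 runs two sentences together: add the period after `expired_cert.pem`.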
104 # Valgrinding NSS | 122 ## Valgrinding NSS |
105 | 123 |
106 Read https://developer.mozilla.org/en/NSS_Memory_allocation and do | 124 Read https://developer.mozilla.org/en/NSS_Memory_allocation and do |
107 ``` | 125 |
108 export NSS_DISABLE_ARENA_FREE_LIST=1 | 126 export NSS_DISABLE_ARENA_FREE_LIST=1 |
109 ``` | 127 |
110 before valgrinding if you want to find where a block was originally | 128 before valgrinding if you want to find where a block was originally allocated. |
111 allocated. | |
112 | 129 |
113 If you get unsymbolized entries in NSS backtraces, try setting: | 130 If you get unsymbolized entries in NSS backtraces, try setting: |
114 ``` | |
115 export NSS_DISABLE_UNLOAD=1 | |
116 ``` | |
117 | 131 |
118 (Note that if you use the Chromium valgrind scripts like tools/valgrind/chrome\_
tests.sh or tools/valgrind/valgrind.sh these will both be set automatically.) | 132 export NSS_DISABLE_UNLOAD=1 |
119 | 133 |
120 # Support forums | 134 (Note that if you use the Chromium valgrind scripts like |
| 135 `tools/valgrind/chrome_tests.sh` or `tools/valgrind/valgrind.sh` these will both |
| 136 be set automatically.) |
| 137 |
| 138 ## Support forums |
121 | 139 |
122 If you have nonconfidential questions about NSS, check the newsgroup | 140 If you have nonconfidential questions about NSS, check the newsgroup |
123 > http://groups.google.com/group/mozilla.dev.tech.crypto | 141 http://groups.google.com/group/mozilla.dev.tech.crypto The NSS maintainer |
124 The NSS maintainer monitors that group and gives good answers. | 142 monitors that group and gives good answers. |
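Review bot: NEW lines 140-142 lost the sentence break that the old blockquote provided, so the paragraph now reads "check the newsgroup http://groups.google.com/group/mozilla.dev.tech.crypto The NSS maintainer monitors ..."; put a period (or a line break) after the URL.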
OLD | NEW |