docs/linux_debugging_ssl.md - Issue 1921743002: Removing debugging information for NSS and Valgrind Suppressions

Side by Side Diff: docs/linux_debugging_ssl.md

Issue 1921743002: Removing debugging information for NSS and Valgrind Suppressions (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fix comments. Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 # Debuggin SSL on Linux	1 # Debugging SSL on Linux

2	2

3 To help anyone looking at the SSL code, here are a few tips I've found handy.	3 To help anyone looking at the SSL code, here are a few tips I've found handy.

4	4

5 [TOC]	5 [TOC]

6	6

7 ## Building your own NSS

8

9 In order to use a debugger with the NSS library, it helps to build NSS yourself.

10 Here's how I did it:

11

12 First, read

13 [Network Security Services](http://www.mozilla.org/projects/security/pki/nss/nss -3.11.4/nss-3.11.4-build.html)

14 and/or

15 [Build instructions](https://developer.mozilla.org/En/NSS_reference/Building_and _installing_NSS/Build_instructions).

16

17 Then, to build the most recent source tarball:

18

19 ```shell

20 cd $HOME

21 wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/sr c/nss-3.12-with-nspr-4.7.tar.gz

22 tar -xzvf nss-3.12-with-nspr-4.7.tar.gz

23 cd nss-3.12/

24 cd mozilla/security/nss/

25 make nss_build_all

26 ```

27

28 Sadly, the latest release, 3.12.2, isn't available as a tarball, so you have to

29 build it from cvs:

30

31 ```shell

32 cd $HOME

33 mkdir nss-3.12.2

34 cd nss-3.12.2

35 export CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot

36 cvs login

37 cvs co -r NSPR_4_7_RTM NSPR

38 cvs co -r NSS_3_12_2_RTM NSS

39 cd mozilla/security/nss/

40 make nss_build_all

41 ```

42

43 ## Linking against your own NSS

44

45 Sadly, I don't know of a nice way to do this; I always do

46

47 hammer --verbose net > log 2>&1

48

49 then grab the line that links my app and put it into a shell script link.sh,

50 and edit it to include the line

51

52 DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib

53

54 and insert a `-L$DIR` right before the `-lnss3`.

55

56 Note that hammer often builds the app in one, deeply buried, place, then copies

57 it into Hammer for ease of use. You'll probably want to make your `link.sh` do

58 the same thing.

59

60 Then, after a source code change, do the usual `hammer net` followed by

61 `sh link.sh`.

62

63 Then, to run the resulting app, use a script like

64

65 ## Running against your own NSS

66

67 Create a script named `run.sh` like this:

68

69 ```sh

70 #!/bin/sh

71 set -x

72 DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib

73 export LD_LIBRARY_PATH=$DIR

74 "$@"

75 ```

76

77 Then run your app with

78

79 sh run.sh Hammer/foo

80

81 Or, to debug it, do

82

83 sh run.sh gdb Hammer/foo

84

85 ## Logging	7 ## Logging

86	8

87 There are several flavors of logging you can turn on.	9 There are several flavors of logging you can turn on.

88	10

89 * `SSLClientSocketNSS` can log its state transitions and function calls using	11 * `SSLClientSocketImpl` can log its state transitions and function calls
	davidben 2016/04/25 19:50:04 [I forget what order things were landing in what, [I forget what order things were landing in what, but you might want to tweak this if the SSLClientSocketImpl CL ends up second.]
90 `base/logging.cc`. To enable this, edit `net/base/ssl_client_socket_nss.cc`	12 using `base/logging.cc`. To enable this, edit

91 and change `#if 1` to `#if 0`. See `base/logging.cc` for where the output	13 `net/socket/ssl_client_socket_impl.cc` and change `#if 1` to `#if 0`. See

92 goes (on Linux, it's usually stderr).	14 `base/logging.cc` for where the output goes (on Linux, usually stderr).

93	15

94 * `HttpNetworkTransaction` and friends can log its state transitions using	16 * `HttpNetworkTransaction` and friends can log its state transitions using

95 `base/trace_event.cc`. To enable this, arrange for your app to call	17 `base/trace_event.cc`. To enable this, arrange for your app to call

96 `base::TraceLog::StartTracing()`. The output goes to a file named	18 `base::TraceLog::StartTracing()`. The output goes to a file named

97 `trace...pid.log` in the same directory as the executable (e.g.	19 `trace...pid.log` in the same directory as the executable (e.g.

98 `Hammer/trace_15323.log`).	20 `Hammer/trace_15323.log`).

99	21

100 * `NSS` itself can log some events. To enable this, set the environment

101 variables `SSLDEBUGFILE=foo.log SSLTRACE=99 SSLDEBUG=99` before running

102 your app.

103

104 ## Network Traces	22 ## Network Traces

105	23

106 http://wiki.wireshark.org/SSL describes how to decode SSL traffic. Chromium SSL	24 http://wiki.wireshark.org/SSL describes how to decode SSL traffic. Chromium SSL

107 unit tests that use `net/base/ssl_test_util.cc` to set up their servers always	25 unit tests that use `net/base/ssl_test_util.cc` to set up their servers always

108 use port 9443 with `net/data/ssl/certificates/ok_cert.pem`, and port 9666 with	26 use port 9443 with `net/data/ssl/certificates/ok_cert.pem`, and port 9666 with

109 `net/data/ssl/certificates/expired_cert.pem` This makes it easy to configure	27 `net/data/ssl/certificates/expired_cert.pem` This makes it easy to configure

110 Wireshark to decode the traffic: do	28 Wireshark to decode the traffic: do

111	29

112 Edit / Preferences / Protocols / SSL, and in the "RSA Keys List" box, enter	30 Edit / Preferences / Protocols / SSL, and in the "RSA Keys List" box, enter

113	31

114 127.0.0.1,9443,http,<path to ok_cert.pem>;127.0.0.1,9666,http,<path to expir ed_cert.pem>	32 127.0.0.1,9443,http,<path to ok_cert.pem>;127.0.0.1,9666,http,<path to expir ed_cert.pem>

115	33

116 e.g.	34 e.g.

117	35

118 127.0.0.1,9443,http,/home/dank/chromium/src/net/data/ssl/certificates/ok_cer t.pem;127.0.0.1,9666,http,/home/dank/chromium/src/net/data/ssl/certificates/expi red_cert.pem	36 127.0.0.1,9443,http,/home/dank/chromium/src/net/data/ssl/certificates/ok_cer t.pem;127.0.0.1,9666,http,/home/dank/chromium/src/net/data/ssl/certificates/expi red_cert.pem

119	37

120 Then capture all tcp traffic on interface lo, and run your test.	38 Then capture all tcp traffic on interface lo, and run your test.

121

122 ## Valgrinding NSS

123

124 Read https://developer.mozilla.org/en/NSS_Memory_allocation and do

125

126 export NSS_DISABLE_ARENA_FREE_LIST=1

127

128 before valgrinding if you want to find where a block was originally allocated.

129

130 If you get unsymbolized entries in NSS backtraces, try setting:

131

132 export NSS_DISABLE_UNLOAD=1

133

134 (Note that if you use the Chromium valgrind scripts like

135 `tools/valgrind/chrome_tests.sh` or `tools/valgrind/valgrind.sh` these will both

136 be set automatically.)

137

138 ## Support forums

139

140 If you have nonconfidential questions about NSS, check

141 [the newsgroup](http://groups.google.com/group/mozilla.dev.tech.crypto).

142 The NSS maintainer monitors that group and gives good answers.

OLD	NEW

« no previous file with comments | « no previous file | tools/valgrind/drmemory/suppressions_full.txt » ('j') | no next file with comments »