docs/linux_debugging_ssl.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

# Debuggin SSL on Linux

To help anyone looking at the SSL code, here are a few tips I've found handy.

[TOC]

## Building your own NSS

In order to use a debugger with the NSS library, it helps to build NSS yourself.
Here's how I did it:

First, read
[Network Security Services](http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html)
and/or
[Build instructions](https://developer.mozilla.org/En/NSS_reference/Building_and_installing_NSS/Build_instructions).

Then, to build the most recent source tarball:

```shell
cd $HOME
wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12-with-nspr-4.7.tar.gz
tar -xzvf nss-3.12-with-nspr-4.7.tar.gz
cd nss-3.12/
cd mozilla/security/nss/
make nss_build_all
```

Sadly, the latest release, 3.12.2, isn't available as a tarball, so you have to
build it from cvs:

```shell
cd $HOME
mkdir nss-3.12.2
cd nss-3.12.2
export CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
cvs login
cvs co -r NSPR_4_7_RTM NSPR
cvs co -r NSS_3_12_2_RTM NSS
cd mozilla/security/nss/
make nss_build_all
```

## Linking against your own NSS

Sadly, I don't know of a nice way to do this; I always do

    hammer --verbose net > log 2>&1

then grab the line that links my app and put it into a shell script link.sh,
and edit it to include the line

    DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib

and insert a `-L$DIR` right before the `-lnss3`.

Note that hammer often builds the app in one, deeply buried, place, then copies
it into Hammer for ease of use. You'll probably want to make your `link.sh` do
the same thing.

Then, after a source code change, do the usual `hammer net` followed by
`sh link.sh`.

Then, to run the resulting app, use a script like

## Running against your own NSS

Create a script named `run.sh` like this:

```sh
#!/bin/sh
set -x
DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib
export LD_LIBRARY_PATH=$DIR
"$@"
```

Then run your app with

    sh run.sh Hammer/foo

Or, to debug it, do

    sh run.sh gdb Hammer/foo

## Logging

There are several flavors of logging you can turn on.

*   `SSLClientSocketNSS` can log its state transitions and function calls using
    `base/logging.cc`.  To enable this, edit `net/base/ssl_client_socket_nss.cc`
    and change `#if 1` to `#if 0`. See `base/logging.cc` for where the output
    goes (on Linux, it's usually stderr).

*   `HttpNetworkTransaction` and friends can log its state transitions using
    `base/trace_event.cc`. To enable this, arrange for your app to call
    `base::TraceLog::StartTracing()`. The output goes to a file named
    `trace...pid.log` in the same directory as the executable (e.g.
    `Hammer/trace_15323.log`).

*   `NSS` itself can log some events. To enable this, set the environment
    variables `SSLDEBUGFILE=foo.log SSLTRACE=99 SSLDEBUG=99` before running
    your app.

## Network Traces

http://wiki.wireshark.org/SSL describes how to decode SSL traffic. Chromium SSL
unit tests that use `net/base/ssl_test_util.cc` to set up their servers always
use port 9443 with `net/data/ssl/certificates/ok_cert.pem`, and port 9666 with
`net/data/ssl/certificates/expired_cert.pem` This makes it easy to configure
Wireshark to decode the traffic: do

Edit / Preferences / Protocols / SSL, and in the "RSA Keys List" box, enter

    127.0.0.1,9443,http,<path to ok_cert.pem>;127.0.0.1,9666,http,<path to expired_cert.pem>

e.g.

    127.0.0.1,9443,http,/home/dank/chromium/src/net/data/ssl/certificates/ok_cert.pem;127.0.0.1,9666,http,/home/dank/chromium/src/net/data/ssl/certificates/expired_cert.pem

Then capture all tcp traffic on interface lo, and run your test.

## Valgrinding NSS

Read https://developer.mozilla.org/en/NSS_Memory_allocation and do

    export NSS_DISABLE_ARENA_FREE_LIST=1

before valgrinding if you want to find where a block was originally allocated.

If you get unsymbolized entries in NSS backtraces, try setting:

    export NSS_DISABLE_UNLOAD=1

(Note that if you use the Chromium valgrind scripts like
`tools/valgrind/chrome_tests.sh` or `tools/valgrind/valgrind.sh` these will both
be set automatically.)

## Support forums

If you have nonconfidential questions about NSS, check
[the newsgroup](http://groups.google.com/group/mozilla.dev.tech.crypto).
The NSS maintainer monitors that group and gives good answers.