# Debugging SSL on Linux

To help anyone looking at the SSL code, here are a few tips I've found handy.

[TOC]

## Building your own NSS

In order to use a debugger with the NSS library, it helps to build NSS yourself.
Here's how I did it:

First, read
[Network Security Services](http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html)
and/or
[Build instructions](https://developer.mozilla.org/En/NSS_reference/Building_and_installing_NSS/Build_instructions).

Then, to build the most recent source tarball:

```shell
cd "$HOME"
# Fetch and unpack the combined NSS + NSPR source tarball
wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12-with-nspr-4.7.tar.gz
tar -xzvf nss-3.12-with-nspr-4.7.tar.gz
cd nss-3.12/
cd mozilla/security/nss/
# Build NSPR and NSS together
make nss_build_all
```

Sadly, the latest release, 3.12.2, isn't available as a tarball, so you have to
build it from CVS:

```shell
cd "$HOME"
mkdir nss-3.12.2
cd nss-3.12.2
export CVSROOT=:pserver:[email protected]:/cvsroot
cvs login
# Check out the NSPR and NSS release tags
cvs co -r NSPR_4_7_RTM NSPR
cvs co -r NSS_3_12_2_RTM NSS
cd mozilla/security/nss/
# Build NSPR and NSS together
make nss_build_all
```

## Linking against your own NSS

Sadly, I don't know of a nice way to do this; I always do

    hammer --verbose net > log 2>&1

then grab the line that links my app and put it into a shell script `link.sh`,
and edit it to include the line

    DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib

and insert a `-L$DIR` right before the `-lnss3`.

Note that hammer often builds the app in one, deeply buried, place, then copies
it into Hammer for ease of use. You'll probably want to make your `link.sh` do
the same thing.

Then, after a source code change, do the usual `hammer net` followed by
`sh link.sh`.

Then, to run the resulting app, use a script like the one in the next section.

## Running against your own NSS

Create a script named `run.sh` like this:

```sh
#!/bin/sh
set -x
# Make the loader search the debug NSS build
DIR=$HOME/nss-3.12.2/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib
export LD_LIBRARY_PATH=$DIR
# Run the command given on the command line
"$@"
```

Then run your app with

    sh run.sh Hammer/foo

Or, to debug it, do

    sh run.sh gdb Hammer/foo

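To confirm that the loader really picks up the debug build rather than the system NSS, the check below parses `ldd` output for `libnss3.so` and compares it with the `DIR` used in `run.sh`. It is an added example, not part of the original page; the names `nss_resolved_path`, `check_nss_dir` and `SAMPLE_LDD` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): verify which libnss3.so the
# dynamic loader resolves for a binary, by parsing `ldd` output on stdin.

# Constructed sample: an ldd line for a binary that still resolves to the
# system NSS instead of the debug build.
SAMPLE_LDD='    libnss3.so => /usr/lib/libnss3.so (0x00007f0000000000)'

# nss_resolved_path: print the path ldd resolved libnss3.so to,
# "not found" if the loader could not resolve it, or nothing if the
# binary does not depend on libnss3.so at all.
nss_resolved_path() {
    awk '$1 ~ /^libnss3\.so/ && $2 == "=>" {
             if ($3 == "not") print "not found"; else print $3
             exit
         }'
}

# check_nss_dir DIR: succeed only if libnss3.so was resolved from DIR.
check_nss_dir() {
    want=${1%/}
    got=$(nss_resolved_path)
    case "$got" in
        "")          echo "binary is not linked against libnss3" >&2; return 2 ;;
        "not found") echo "libnss3.so not resolved; check LD_LIBRARY_PATH" >&2; return 3 ;;
        "$want"/*)   echo "OK: $got"; return 0 ;;
        *)           echo "WRONG: loader picked $got, expected $want" >&2; return 1 ;;
    esac
}

# Stand-alone use: sh check_nss.sh "$DIR" Hammer/foo
if [ "$#" -eq 2 ]; then
    LD_LIBRARY_PATH=$1 ldd "$2" | check_nss_dir "$1"
fi
```
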
## Logging

There are several flavors of logging you can turn on.

* `SSLClientSocketNSS` can log its state transitions and function calls using
  `base/logging.cc`. To enable this, edit `net/base/ssl_client_socket_nss.cc`
  and change `#if 1` to `#if 0`. See `base/logging.cc` for where the output
  goes (on Linux, it's usually stderr).

* `HttpNetworkTransaction` and friends can log their state transitions using
  `base/trace_event.cc`. To enable this, arrange for your app to call
  `base::TraceLog::StartTracing()`. The output goes to a file named
  `trace...pid.log` in the same directory as the executable (e.g.
  `Hammer/trace_15323.log`).

* `NSS` itself can log some events. To enable this, set the environment
  variables `SSLDEBUGFILE=foo.log SSLTRACE=99 SSLDEBUG=99` before running
  your app.

## Network Traces

http://wiki.wireshark.org/SSL describes how to decode SSL traffic. Chromium SSL
unit tests that use `net/base/ssl_test_util.cc` to set up their servers always
use port 9443 with `net/data/ssl/certificates/ok_cert.pem`, and port 9666 with
`net/data/ssl/certificates/expired_cert.pem`. This makes it easy to configure
Wireshark to decode the traffic: do

Edit / Preferences / Protocols / SSL, and in the "RSA Keys List" box, enter

    127.0.0.1,9443,http,<path to ok_cert.pem>;127.0.0.1,9666,http,<path to expired_cert.pem>

e.g.

    127.0.0.1,9443,http,/home/dank/chromium/src/net/data/ssl/certificates/ok_cert.pem;127.0.0.1,9666,http,/home/dank/chromium/src/net/data/ssl/certificates/expired_cert.pem

Then capture all TCP traffic on interface `lo`, and run your test.

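The "RSA Keys List" value above can be generated instead of typed by hand. The script below is an added example, not part of the original page: it builds the string for the two test-server ports and refuses a file that contains no PEM private-key block, since Wireshark cannot decrypt with a certificate alone. The function names `has_private_key` and `rsa_keys_list` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): build the Wireshark
# "RSA Keys List" preference value for the Chromium SSL test servers.

# has_private_key FILE: true if FILE is readable and contains a PEM
# private-key block ("BEGIN PRIVATE KEY" or "BEGIN RSA PRIVATE KEY").
has_private_key() {
    [ -r "$1" ] && grep -q -e '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$1"
}

# rsa_keys_list CERT_DIR: print "ip,port,protocol,keyfile" entries joined
# by ';' for port 9443 (ok_cert.pem) and port 9666 (expired_cert.pem).
rsa_keys_list() {
    dir=${1%/}
    out=
    for pair in 9443:ok_cert.pem 9666:expired_cert.pem; do
        port=${pair%%:*}
        file=$dir/${pair#*:}
        if ! has_private_key "$file"; then
            echo "no PEM private key in $file" >&2
            return 1
        fi
        out="${out:+$out;}127.0.0.1,$port,http,$file"
    done
    printf '%s\n' "$out"
}

# Stand-alone use: sh rsa_keys.sh <chromium src>/net/data/ssl/certificates
if [ "$#" -eq 1 ]; then
    rsa_keys_list "$1"
fi
```

Decryption from a server private key only works for sessions that negotiate an RSA key exchange; sessions using an ephemeral Diffie-Hellman key exchange will remain encrypted in the capture.
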
## Valgrinding NSS

Read https://developer.mozilla.org/en/NSS_Memory_allocation and do

    export NSS_DISABLE_ARENA_FREE_LIST=1

before valgrinding if you want to find where a block was originally allocated.

If you get unsymbolized entries in NSS backtraces, try setting:

    export NSS_DISABLE_UNLOAD=1

(Note that if you use the Chromium valgrind scripts like
`tools/valgrind/chrome_tests.sh` or `tools/valgrind/valgrind.sh` these will both
be set automatically.)

## Support forums

If you have nonconfidential questions about NSS, check
[the newsgroup](http://groups.google.com/group/mozilla.dev.tech.crypto).
The NSS maintainer monitors that group and gives good answers.