Getting Started with the OpenSSL Tracer
On this page we will show you how to use the Cryptosense OpenSSL Tracer to obtain a cryptography trace from an application.
Prerequisites
Before you use the OpenSSL Tracer, make sure you have followed the installation instructions.
You will also need an application that uses the OpenSSL libraries and that you know how to run from a terminal.
Tracing the application
OpenSSL has two parts: libssl (handling TLS connections) and libcrypto (containing high-level and low-level cryptographic APIs). Cryptosense provides two different components to handle both cases: libssl_tracer.so deals with the libssl part, and evp_tracer.so deals with the libcrypto part.
Using the Cryptosense OpenSSL tracer, it is possible to intercept calls made from an application to one of these dynamic libraries. This relies on the LD_PRELOAD mechanism of the dynamic linker in Linux. Cryptographic calls are interpreted and then forwarded to the usual OpenSSL library (so results are identical), and the parameters of these calls are stored in a trace file.
If you want to trace the libcrypto part of a foo program, you would run the foo program using a command that looks like:
$ LD_PRELOAD=/path/to/evp_tracer.so foo
This will create a trace file under /tmp, named cs-trace-evp-PID_TIMESTAMP.cst, where PID is the process ID of the foo program, and TIMESTAMP is the UTC date and time when the foo program was traced.
Similarly, if you want to trace the libssl part of a foo program, you would run the foo program with a command that looks like:
$ LD_PRELOAD=/path/to/libssl_tracer.so foo
This will create a trace file under /tmp, named cs-trace-libssl-PID_TIMESTAMP.cst.
These trace files are ready for uploading to the Cryptosense Analyzer Platform. The directory where the OpenSSL tracer writes the traces defaults to /tmp but can be configured with the CS_TRACE_DIR environment variable. See the manual to learn about all available configuration options and how to use them.
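Because the traces record the parameters of cryptographic calls and /tmp is shared between users, it can be worth pointing CS_TRACE_DIR at a private directory. The shell helpers below are an added example, not part of the Cryptosense tooling: they check from ldd output which tracer can apply (LD_PRELOAD only interposes on dynamically linked libraries) and run a command under one tracer with a private trace directory. The function names and the TRACER_DIR variable are assumptions made for this example; /path/to is the same placeholder used in the commands above.

```bash
# Added example: helpers around the LD_PRELOAD commands shown on this page.
# TRACER_DIR is a placeholder for the directory holding the tracer .so files.
TRACER_DIR="${TRACER_DIR:-/path/to}"

# Read `ldd` output on stdin and print the tracer(s) that can intercept calls.
# A binary with no libssl/libcrypto line (for example one with OpenSSL linked
# statically) prints nothing: LD_PRELOAD has nothing to interpose on.
applicable_tracers() {
    local out
    out=$(cat)
    case "$out" in *libssl.so*)    echo "libssl_tracer.so" ;; esac
    case "$out" in *libcrypto.so*) echo "evp_tracer.so" ;; esac
}

# Map a tracer file name to the trace file prefix documented on this page.
trace_prefix() {
    case "$1" in
        evp_tracer.so)    echo "cs-trace-evp-" ;;
        libssl_tracer.so) echo "cs-trace-libssl-" ;;
        *) return 1 ;;
    esac
}

# Run a command under one tracer, writing traces to a private directory
# instead of the /tmp default, then list the trace files that were produced.
# usage: trace_run evp_tracer.so foo [args...]
trace_run() {
    local tracer="$1" prefix dir rc=0
    shift
    prefix=$(trace_prefix "$tracer") || { echo "unknown tracer: $tracer" >&2; return 2; }
    [ -r "$TRACER_DIR/$tracer" ] || { echo "missing $TRACER_DIR/$tracer" >&2; return 2; }
    dir=$(mktemp -d) || return 2   # mktemp -d creates the directory with mode 0700
    CS_TRACE_DIR="$dir" LD_PRELOAD="$TRACER_DIR/$tracer" "$@" || rc=$?
    ls -1 "$dir"/"$prefix"*.cst 2>/dev/null || echo "no trace written in $dir" >&2
    return "$rc"
}

# Typical use:  ldd "$(command -v foo)" | applicable_tracers
#               trace_run evp_tracer.so foo
```

Run ldd only on binaries you trust, since it can execute code from the file it inspects. Libraries that an application loads at run time with dlopen do not appear in ldd output, so an empty result is a hint rather than proof that no trace will be written.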