
Getting Started with the OpenSSL Tracer

On this page we will show you how to use the Cryptosense OpenSSL Tracer to obtain a cryptography trace from an application.

Prerequisites

Before you use the OpenSSL Tracer, make sure you have followed the installation instructions.

You will also need an application that uses the OpenSSL libraries that you know how to run from a terminal.

Tracing the application

OpenSSL has two parts: libssl (handling TLS connections) and libcrypto (containing high-level and low-level cryptographic APIs). Cryptosense provides two different components to handle both cases: libssl_tracer.so deals with the libssl part, and evp_tracer.so deals with the libcrypto part.

Using the Cryptosense OpenSSL tracer, it is possible to intercept calls made from an application to one of these dynamic libraries. This relies on the LD_PRELOAD mechanism of the dynamic linker in Linux. Each cryptographic call is interpreted and forwarded to the usual OpenSSL library (so results are identical), and the parameters of the call are stored in a trace file.

If you want to trace the libcrypto part of a foo program, you would run the foo program using a command that looks like:

$ LD_PRELOAD=/path/to/evp_tracer.so foo

This will create a trace file under /tmp, named cs-trace-evp-PID_TIMESTAMP.cst where PID is the process ID of the foo program, and TIMESTAMP is the UTC date and time when the foo program was traced.

Similarly, if you want to trace the libssl part of a foo program, you would run the foo program with a command that looks like:

$ LD_PRELOAD=/path/to/libssl_tracer.so foo

This will create a trace file under /tmp, named cs-trace-libssl-PID_TIMESTAMP.cst.

These trace files are ready for uploading to the Cryptosense Analyzer Platform. The directory where the OpenSSL tracer writes the traces defaults to /tmp but can be configured with the CS_TRACE_DIR environment variable. See the manual to learn about all available configuration options and how to use them.
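
The wrapper below is an added example, not part of the Cryptosense documentation or tooling. It runs a program under one tracer with CS_TRACE_DIR pointed at an owner-only directory (the trace stores call parameters, so it should not sit world-readable in /tmp) and lists the .cst files produced. The function name trace_run and the output directory are assumptions; LD_PRELOAD, CS_TRACE_DIR and the file name patterns are the ones described above.

```shell
#!/bin/sh
# Added example (not Cryptosense code): trace a command into a private directory.
# Usage: trace_run /path/to/evp_tracer.so "$HOME/cs-traces" foo [args...]
# Prints the path of each trace file found, one per line.
trace_run() {
    tracer=$1; out_dir=$2; shift 2
    [ -r "$tracer" ] || { echo "tracer not found: $tracer" >&2; return 2; }
    [ $# -gt 0 ]     || { echo "no command given" >&2; return 2; }

    # The trace records the parameters of cryptographic calls: keep it owner-only.
    ( umask 077; mkdir -p "$out_dir" ) || return 2
    chmod 700 "$out_dir" || return 2

    # Set both variables for the traced command only, so LD_PRELOAD does not
    # stay exported in the shell and affect unrelated programs.
    LD_PRELOAD="$tracer" CS_TRACE_DIR="$out_dir" "$@"
    status=$?

    # Names follow cs-trace-evp-PID_TIMESTAMP.cst / cs-trace-libssl-PID_TIMESTAMP.cst.
    found=0
    for f in "$out_dir"/cs-trace-evp-*.cst "$out_dir"/cs-trace-libssl-*.cst; do
        [ -f "$f" ] || continue          # unmatched glob stays literal: skip it
        chmod 600 "$f"
        printf '%s\n' "$f"
        found=1
    done

    if [ "$found" -ne 1 ]; then
        # LD_PRELOAD has no effect on statically linked binaries, and the
        # dynamic linker ignores it for setuid programs.
        echo "no trace file written in $out_dir" >&2
        return 1
    fi
    return "$status"
}
```

A non-zero return with no files listed means the preload did not take effect or the program made no traced calls; otherwise the function returns the traced program's own exit status.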