OpenSSL HOWTO

OpenSSL has two parts: libssl (handling TLS connections) and libcrypto (containing high-level and low-level cryptographic APIs).

Using the Cryptosense OpenSSL tracers, it is possible to intercept calls made from an application to one of these dynamic libraries. This relies on the LD_PRELOAD mechanism of the dynamic linker in Linux. Cryptographic calls are interpreted, they are forwarded to the usual OpenSSL library (so, results are identical), and the parameters of these calls are stored in a trace file.

For example, the openssl command line tool uses libcrypto. To obtain traces corresponding to the execution of a command, the LD_PRELOAD environment variable needs to be set to the path of the tracer. For example, in an interactive shell session:

    $ export LD_PRELOAD=/path/to/evp_tracer.so
    $ echo test | openssl enc -aes-256-cbc -k secret -base64
    U2FsdGVkX198ngJ8NyTPBUoh+yo+tHGErViNw4ZSfJs=

This creates a trace file under /tmp, named cryptosense-evp-PID.cst where PID is the Process ID.

It is possible to configure where traces are stored using the CS_TRACE_DIR environment variable:

    $ export LD_PRELOAD=/path/to/evp_tracer.so
    $ mkdir cs-traces
    $ export CS_TRACE_DIR=cs-traces
    $ echo test | openssl enc -aes-256-cbc -k secret -base64
    U2FsdGVkX18hVdVJYKcULBEychnWY74IronRe/tA/Sg=
    $ ls cs-traces
    cryptosense-evp-377.cst

Typically, commands invoking openssl are not directly run in a shell, but in an init script or similar. It is then necessary to locate and modify this script to include the environment variables.

Since every program has its own PID, it is possible that a large number of trace files are created. However, it is possible to concatenate these files together before submitting them to the Cryptosense Analyzer web application:

    $ ls cs-traces
    cryptosense-evp-702.cst   cryptosense-evp-767.cst
    cryptosense-evp-809.cst   cryptosense-evp-894.cst
    cryptosense-evp-745.cst   cryptosense-evp-788.cst
    cryptosense-evp-851.cst   cryptosense-evp-931.cst
    $ cat cryptosense-evp-*.cst > cryptosense-evp-joined.cst
    # When prompted for a file to upload, use cryptosense-evp-joined.cst

Try a Free 14-day Trial

Cryptosense Analyzer audits your applications and infrastructure to find vulnerabilities and understand your crypto landscape. Use it to optimise bug-fix resources and demonstrate compliance.