OpenSSL Tracer getting started
On this page we will show you how to use the SandboxAQ Security Suite OpenSSL Tracer to obtain a cryptography trace from an application.
Prerequisites
Before you use the OpenSSL Tracer, make sure you have followed the installation instructions.
You will also need an application that uses the OpenSSL libraries that you know how to run from a terminal.
Tracing the application
OpenSSL has two parts: libssl (handling TLS connections) and libcrypto (containing high-level and low-level cryptographic APIs). SandboxAQ Security Suite provides two different components to handle both cases: libssl_tracer.so deals with the libssl part, and evp_tracer.so deals with the libcrypto part.
Using the SandboxAQ Security Suite OpenSSL tracer, it is possible to intercept calls made from an application to one of these dynamic libraries. This relies on the LD_PRELOAD mechanism of the dynamic linker in Linux. Each cryptographic call is interpreted and forwarded to the usual OpenSSL library (so results are identical), and the parameters of the call are stored in a trace file.
If you want to trace the libcrypto part of a foo program, you would run the foo program using a command that looks like:
This will create a trace file under /tmp, named cs-trace-evp-PID_TIMESTAMP.cst, where PID is the process ID of the foo program, and TIMESTAMP is the UTC date and time when the foo program was traced.
Similarly, if you want to trace the libssl part of a foo program, you would run the foo program with a command that looks like:
This will create a trace file under /tmp, named cs-trace-libssl-PID_TIMESTAMP.cst. The directory where the OpenSSL tracer writes the traces can be configured using the CS_TRACE_DIR environment variable.
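The preload-and-collect workflow described above can be wrapped in a small shell helper. This is an added example, not code from the SandboxAQ documentation. It assumes TRACER_DIR (a placeholder here) points at the directory holding the tracer libraries; the function names are hypothetical and TIMESTAMP is treated as an opaque string.

```shell
#!/bin/sh
# Added example, not vendor code. TRACER_DIR is a placeholder for wherever the
# installation instructions put the tracer libraries; function names are made up here.
TRACER_DIR="${TRACER_DIR:-/path/to/tracer/libs}"

# Map a trace kind to the preload library named on this page.
tracer_lib() {
    case "$1" in
        evp)    echo "evp_tracer.so" ;;      # libcrypto part
        libssl) echo "libssl_tracer.so" ;;   # libssl (TLS) part
        *)      echo "unknown tracer kind: $1" >&2; return 1 ;;
    esac
}

# Split cs-trace-KIND-PID_TIMESTAMP.cst into "KIND PID TIMESTAMP".
# TIMESTAMP is kept opaque because the page does not give its exact format.
trace_name_fields() {
    base=$(basename "$1" .cst)
    case "$base" in
        cs-trace-evp-*_*)    kind=evp ;;
        cs-trace-libssl-*_*) kind=libssl ;;
        *) return 1 ;;
    esac
    rest=${base#cs-trace-"$kind"-}
    case "${rest%%_*}" in ''|*[!0-9]*) return 1 ;; esac   # PID must be numeric
    echo "$kind ${rest%%_*} ${rest#*_}"
}

# List the trace files one process wrote: traces_for_pid DIR KIND PID
traces_for_pid() {
    for f in "$1"/cs-trace-"$2"-"$3"_*.cst; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# run_traced KIND OUTDIR CMD [ARGS...]: run CMD under the tracer, print its traces.
run_traced() {
    kind=$1; outdir=$2; shift 2
    lib="$TRACER_DIR/$(tracer_lib "$kind")" || return 1
    [ -r "$lib" ] || { echo "tracer library not found: $lib" >&2; return 2; }
    # Traces hold call parameters, so use a private directory rather than shared /tmp.
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 3
    CS_TRACE_DIR="$outdir" LD_PRELOAD="$lib" "$@" &
    pid=$!                      # PID of CMD, which appears in the trace file name
    status=0; wait "$pid" || status=$?
    traces_for_pid "$outdir" "$kind" "$pid"
    return "$status"
}
```

If run_traced prints nothing, no trace was written under that PID; LD_PRELOAD has no effect on statically linked or setuid programs, so check how the foo program is built before assuming it made no OpenSSL calls.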
Refer to the API Client manual for instructions for uploading a trace.
See Configuration in the OpenSSL Tracer reference manual for a list of all available parameters and how to use them.