
yuweizzz
Contributor

fix: keylog lost in openssl.

Before:

./ecapture tls -m keylog --libssl=/usr/local/openresty/openssl111/lib/libssl.so
2025-06-20T09:54:07+08:00 INF AppName="eCapture(旁观者)"
2025-06-20T09:54:07+08:00 INF HomePage=https://ecapture.cc
2025-06-20T09:54:07+08:00 INF Repository=https://github.com/gojue/ecapture
2025-06-20T09:54:07+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-06-20T09:54:07+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-06-20T09:54:07+08:00 INF Version=linux_amd64:-20250618-9cd91ad:6.1.0-22-amd64
2025-06-20T09:54:07+08:00 INF Listen=localhost:28256
2025-06-20T09:54:07+08:00 INF eCapture running logs logger=
2025-06-20T09:54:07+08:00 INF the file handler that receives the captured event eventCollector=
2025-06-20T09:54:07+08:00 INF Kernel Info=6.1.0 Pid=3982120
2025-06-20T09:54:07+08:00 INF TruncateSize=0 Unit=bytes
2025-06-20T09:54:07+08:00 INF listen=localhost:28256
2025-06-20T09:54:07+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-06-20T09:54:07+08:00 INF BTF bytecode mode: CORE. btfMode=0
2025-06-20T09:54:07+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.log
2025-06-20T09:54:07+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-20T09:54:07+08:00 INF Module.Run()
2025-06-20T09:54:07+08:00 INF origin versionKey="openssl 1.1.1w" versionKeyLower="openssl 1.1.1w"
2025-06-20T09:54:07+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1w"
2025-06-20T09:54:07+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/local/openresty/openssl111/lib/libssl.so masterHookFuncs=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2025-06-20T09:54:07+08:00 INF target all process.
2025-06-20T09:54:07+08:00 INF target all users.
2025-06-20T09:54:07+08:00 INF setupManagers eBPFProgramType=KeyLog
2025-06-20T09:54:07+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1j_kern_core.o
2025-06-20T09:54:07+08:00 INF perfEventReader created mapSize(MB)=4
2025-06-20T09:54:07+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-20T09:54:08+08:00 INF non-TLSv1.3 cipher suite found CLientRandom=f1e67d7d52f8df60fca8e428432849a6a50cbbab843509438aa9f97d690b0f86 CipherId=0
2025-06-20T09:54:08+08:00 INF non-TLSv1.3 cipher suite found CLientRandom=f1e67d7d52f8df60fca8e428432849a6a50cbbab843509438aa9f97d690b0f86 CipherId=0
^C2025-06-20T09:54:24+08:00 INF Module closed,message Received from Context
2025-06-20T09:54:24+08:00 INF module close.
2025-06-20T09:54:25+08:00 INF iModule module close
2025-06-20T09:54:25+08:00 INF bye bye.

After:

./ecapture tls -m keylog --libssl=/usr/local/openresty/openssl111/lib/libssl.so
2025-06-20T09:56:30+08:00 INF AppName="eCapture(旁观者)"
2025-06-20T09:56:30+08:00 INF HomePage=https://ecapture.cc
2025-06-20T09:56:30+08:00 INF Repository=https://github.com/gojue/ecapture
2025-06-20T09:56:30+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-06-20T09:56:30+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-06-20T09:56:30+08:00 INF Version=linux_amd64:-20250618-9cd91ad:6.1.0-22-amd64
2025-06-20T09:56:30+08:00 INF Listen=localhost:28256
2025-06-20T09:56:30+08:00 INF eCapture running logs logger=
2025-06-20T09:56:30+08:00 INF the file handler that receives the captured event eventCollector=
2025-06-20T09:56:30+08:00 INF Kernel Info=6.1.0 Pid=3982615
2025-06-20T09:56:30+08:00 INF TruncateSize=0 Unit=bytes
2025-06-20T09:56:30+08:00 INF BTF bytecode mode: CORE. btfMode=0
2025-06-20T09:56:30+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.log
2025-06-20T09:56:30+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-20T09:56:30+08:00 INF Module.Run()
2025-06-20T09:56:30+08:00 INF origin versionKey="openssl 1.1.1w" versionKeyLower="openssl 1.1.1w"
2025-06-20T09:56:30+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1w"
2025-06-20T09:56:30+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/local/openresty/openssl111/lib/libssl.so masterHookFuncs=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2025-06-20T09:56:30+08:00 INF target all process.
2025-06-20T09:56:30+08:00 INF target all users.
2025-06-20T09:56:30+08:00 INF setupManagers eBPFProgramType=KeyLog
2025-06-20T09:56:30+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1j_kern_core.o
2025-06-20T09:56:30+08:00 INF listen=localhost:28256
2025-06-20T09:56:30+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-06-20T09:56:30+08:00 INF perfEventReader created mapSize(MB)=4
2025-06-20T09:56:30+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-20T09:56:39+08:00 INF non-TLSv1.3 cipher suite found CLientRandom=6fba09c4601e2d749ef3089e3c4a0fd21fb86fe0d4c3dd41e50330da74e40828 CipherId=0
2025-06-20T09:56:39+08:00 INF non-TLSv1.3 cipher suite found CLientRandom=6fba09c4601e2d749ef3089e3c4a0fd21fb86fe0d4c3dd41e50330da74e40828 CipherId=0
2025-06-20T09:56:40+08:00 INF CLIENT_RANDOM save success CLientRandom=6fba09c4601e2d749ef3089e3c4a0fd21fb86fe0d4c3dd41e50330da74e40828 TlsVersion=TLS1_3_VERSION bytes=1128 eBPFProgramType=KeyLog
^C2025-06-20T09:56:44+08:00 INF module close.
2025-06-20T09:56:44+08:00 INF Module closed,message Received from Context
2025-06-20T09:56:44+08:00 INF iModule module close
2025-06-20T09:56:44+08:00 INF bye bye.
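
An added example, not part of this PR or of eCapture's own code: a log check that separates the "Before" and "After" runs above by listing every client random that appears in a handshake line but never in a "CLIENT_RANDOM save success" line. The sample lines are constructed from the log format shown above; the function name audit_keylog and the reading of a missing save line as a lost key are assumptions.

```python
import re
import sys

# Field spelling ("CLientRandom") and message texts follow the log lines on this page.
CLIENT_RANDOM = re.compile(r"\bCLientRandom=([0-9a-fA-F]{64})\b")
SEEN_MARKER = "cipher suite found"
SAVED_MARKER = "CLIENT_RANDOM save success"


def audit_keylog(lines):
    """Return (saved, lost) client randoms; 'lost' were seen but never saved."""
    seen, saved = [], set()
    for line in lines:
        match = CLIENT_RANDOM.search(line)
        if not match:
            continue
        client_random = match.group(1).lower()
        if SAVED_MARKER in line:
            saved.add(client_random)
        elif SEEN_MARKER in line and client_random not in seen:
            seen.append(client_random)  # handshake lines repeat; keep one
    lost = [cr for cr in seen if cr not in saved]
    return sorted(saved), lost


# Constructed sample lines (not real captures), modelled on the two runs above.
CR_A, CR_B = "aa" * 32, "bb" * 32
SAMPLE_BEFORE = [
    f"2025-01-01T00:00:01+00:00 INF non-TLSv1.3 cipher suite found CLientRandom={CR_A} CipherId=0",
    f"2025-01-01T00:00:01+00:00 INF non-TLSv1.3 cipher suite found CLientRandom={CR_A} CipherId=0",
    "2025-01-01T00:00:05+00:00 INF module close.",
]
SAMPLE_AFTER = [
    f"2025-01-01T00:01:01+00:00 INF non-TLSv1.3 cipher suite found CLientRandom={CR_B} CipherId=0",
    f"2025-01-01T00:01:02+00:00 INF CLIENT_RANDOM save success CLientRandom={CR_B} "
    "TlsVersion=TLS1_3_VERSION bytes=1128 eBPFProgramType=KeyLog",
]

if __name__ == "__main__":
    # With a path argument, audit that log file; otherwise use the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            runs = {sys.argv[1]: fh.read().splitlines()}
    else:
        runs = {"before": SAMPLE_BEFORE, "after": SAMPLE_AFTER}
    for name, lines in runs.items():
        saved, lost = audit_keylog(lines)
        print(f"{name}: saved={len(saved)} lost={lost}")
```

A non-empty "lost" list for a run means a handshake was observed whose secrets never reached the keylog file, which is the symptom the "Before" run shows.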

@dosubot dosubot bot added size:XS This PR changes 0-9 lines, ignoring generated files. 🐞 bug Something isn't working labels Jun 20, 2025
Member

@cfc4n cfc4n left a comment

LGTM

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jun 20, 2025
@cfc4n cfc4n merged commit dbc9725 into gojue:master Jun 20, 2025
6 checks passed