How to re-enable key logging to $SSLKEYLOGFILE Topic is solved

miroR
Fanatic
Posts: 116
Joined: 2016-05-31, 19:22

How to re-enable key logging to $SSLKEYLOGFILE

Unread post by miroR » 2017-03-09, 20:47

I see the bleeding edge Palemoon (that I installed yesterday) now uses nss-3.28.3 (if I remember correctly; I can't have it open, can't use it, because it's not logging the SSL keys, so I have to browse with Firefox till I do it...)
How can the logging to $SSLKEYLOGFILE be re-enabled in Palemoon?

This is where the patch below lives:

Code:
# ls -lRa /etc/portage/patches/www-client/palemoon-27.2.0-r1/
/etc/portage/patches/www-client/palemoon-27.2.0-r1/:
total 12
drwxr-xr-x 2 portage portage 4096 2017-03-08 22:33 .
drwxr-xr-x 7 portage portage 4096 2017-03-08 22:32 ..
-rw-r--r-- 1 portage portage 1133 2017-03-08 22:31 allow-sslkeylogfile.patch
#
And this is the patch:

# cat allow-sslkeylogfile.patch

Code:
From ab620b30019aed0f04635c057ab9b9a2cb3ef2cf Mon Sep 17 00:00:00 2001
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
Date: Wed, 8 Mar 2017 22:29:58 +0100
Subject: [PATCH] patched

---
 security/nss/lib/ssl/Makefile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
index 24fccc5..bdea353 100644
--- a/security/nss/lib/ssl/Makefile
+++ b/security/nss/lib/ssl/Makefile
@@ -40,11 +40,12 @@ endif
 endif
 
 # Enable key logging by default in debug builds, but not opt builds.
+# ( by commenting it out, it will be enabled in opt builds too )
 # Logging still needs to be enabled at runtime through env vars.
-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
-ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
-DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
-endif
+#NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
+#ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
+#DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
+#endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
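Review bot: the define is never set after this hunk: the `+#` lines comment out `DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1` together with the `ifeq`/`endif` that guarded it, so no build (debug or opt) gets `NSS_ALLOW_SSLKEYLOGFILE` and key logging ends up disabled everywhere, the opposite of what the added comment line claims. Keep `DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1` uncommented, or change only the default to `NSS_ALLOW_SSLKEYLOGFILE ?= 1` and leave the conditional intact so the variable can still switch logging off.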
-- 
2.12.0
However, the commenting out does not, as I wrote in the patch, make SSLKEYLOG'ing "be enabled in opt builds too".

I tried it: that user patch (probably typical of Gentoo only, not other Linuxes, or?) gets applied when expected (at "source prepare" time -- see the ebuild below), and the Makefile, exactly as expected, does look like this:

Code:
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY).   #
#######################################################################

include manifest.mn

#######################################################################
# (2) Include "global" configuration information. (OPTIONAL)          #
#######################################################################

include $(CORE_DEPTH)/coreconf/config.mk

#######################################################################
# (3) Include "component" configuration information. (OPTIONAL)       #
######################################################################
#


#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
#######################################################################

include config.mk

ifeq (,$(filter-out WIN%,$(OS_TARGET)))
CSRCS	+= win32err.c
DEFINES += -DIN_LIBSSL
else
ifeq ($(OS_TARGET),OS2)
CSRCS	+= os2_err.c
else
CSRCS	+= unix_err.c
endif
endif

# Enable key logging by default in debug builds, but not opt builds.
# ( by commenting it out, it will be enabled in opt builds too )
# Logging still needs to be enabled at runtime through env vars.
#NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
#ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
#DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
#endif

#######################################################################
# (5) Execute "global" rules. (OPTIONAL)                              #
#######################################################################

include $(CORE_DEPTH)/coreconf/rules.mk

#######################################################################
# (6) Execute "component" rules. (OPTIONAL)                           #
#######################################################################



#######################################################################
# (7) Execute "local" rules. (OPTIONAL).                              #
#######################################################################

export:: private_export
but my Palemoon does not record any SSL keys into my $SSLKEYLOGFILE ...

What is missing to get the recording of SSL keys back?
(
I have to use Firefox, where a similar patch that I applied -- about which I reported in
Tracking protection and NSS SSL secrets logging (two security questions)?
viewtopic.php?f=26&t=12544
where you'll find the Gentoo bug with my patch that works for Firefox, and that I'm using in this Firefox that I'm browsing with right now -- did the trick. I'd like to go back to using Palemoon again, but no way would I be happy if the network SSL conversations don't open for me, no way...
)

This ebuild is a copy-and-modify of the latest ebuild from https://github.com/deuiore/palemoon-overlay . Modified in such a way as I tried to explain in:
https://github.com/deuiore/palemoon-overlay/pull/34

Here's the ebuild, which otherwise gets me a fully functional Palemoon (search for "eapply_user" to see where the above patch is applied):

Code:
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$

EAPI=6

REQUIRED_BUILDSPACE='7G'

# For mozlinguas:
MOZ_LANGS=( cs de es-AR es-ES es-MX fr hu it ja ko pl ru zh-CN )
MOZ_LANGPACK_PREFIX="langpacks/27.x/"
MOZ_FTP_URI="http://relmirror.palemoon.org"

inherit palemoon-1-r1 mozlinguas git-r3 eutils flag-o-matic pax-utils

KEYWORDS="~x86 ~amd64"
DESCRIPTION="Pale Moon Web Browser"
HOMEPAGE="https://www.palemoon.org/"

SLOT="0"
LICENSE="MPL-2.0 GPL-2 LGPL-2.1"
IUSE="+official-branding -system-libs +optimize shared-js jemalloc -valgrind
	dbus -necko-wifi +gtk2 -gtk3 +ffmpeg -gstreamer -webrtc
	alsa pulseaudio"

EGIT_REPO_URI="http://localhost/cgi-bin/cgit.cgi/Pale-Moon.git"
GIT_TAG="${PV}a1"

DEPEND="
	>=sys-devel/autoconf-2.13:2.1
	dev-lang/python:2.7
	>=dev-lang/perl-5.6
	dev-lang/yasm"

RDEPEND="
	x11-libs/libXt
	app-arch/zip
	media-libs/freetype
	media-libs/fontconfig

	system-libs? (
		dev-libs/libevent
		media-libs/libjpeg-turbo
		sys-libs/zlib
		app-arch/bzip2
		media-libs/libwebp
		media-libs/libpng[apng]
		app-text/hunspell
		>=media-libs/libvpx-1.4.0
		>=dev-db/sqlite-3.13.0[secure-delete]
		x11-libs/cairo
		x11-libs/pixman
	)

	optimize? ( sys-libs/glibc )

	valgrind? ( dev-util/valgrind )

	shared-js? ( virtual/libffi )

	dbus? (
		>=sys-apps/dbus-0.60
		>=dev-libs/dbus-glib-0.60
	)

	gtk2? ( >=x11-libs/gtk+-2.18.0:2 )
	gtk3? ( >=x11-libs/gtk+-3.4.0:3 )

	ffmpeg? (
		virtual/ffmpeg[x264]
	)

	gstreamer? (
		media-libs/gstreamer:1.0
		media-libs/gst-plugins-base:1.0
	)

	alsa? ( media-libs/alsa-lib )
	pulseaudio? ( media-sound/pulseaudio )

	necko-wifi? ( net-wireless/wireless-tools )"

REQUIRED_USE="
	jemalloc? ( !valgrind )
	^^ ( gtk2 gtk3 )
	^^ ( alsa pulseaudio )
	necko-wifi? ( dbus )"

src_unpack() {
	git-r3_fetch ${EGIT_REPO_URI} refs/heads/master
	git-r3_checkout

	# Unpack language packs:
	cd "${WORKDIR}"
	mozlinguas_src_unpack
}

src_prepare() {
	# Ensure that our plugins dir is enabled by default:
	sed -i -e "s:/usr/lib/mozilla/plugins:/usr/lib/nsbrowser/plugins:" \
		"${S}/xpcom/io/nsAppFileLocationProvider.cpp" \
		|| die "sed failed to replace plugin path for 32bit!"
	sed -i -e "s:/usr/lib64/mozilla/plugins:/usr/lib64/nsbrowser/plugins:" \
		"${S}/xpcom/io/nsAppFileLocationProvider.cpp" \
		|| die "sed failed to replace plugin path for 64bit!"

	# Allow users to apply any additional patches without modifing the ebuild:
	eapply_user
}

src_configure() {
	# Basic configuration:
	mozconfig_init

	mozconfig_disable updater

	if use system-libs; then
		mozconfig_with system-libevent system-jpeg system-zlib system-bz2 \
			system-webp system-png system-libvpx
		mozconfig_enable system-hunspell system-sqlite system-cairo \
			system-pixman
	fi

	if use optimize; then
		O=$(get-flag '-O*')
		mozconfig_enable optimize=\"$O\"
		filter-flags '-O*'
	else
		mozconfig_disable optimize
	fi

	if use shared-js; then
		mozconfig_enable shared-js
	fi

	if use jemalloc; then
		mozconfig_enable jemalloc jemalloc-lib
	fi

	if use valgrind; then
		mozconfig_enable valgrind
	else
		mozconfig_disable valgrind
	fi

	if ! use dbus; then
		mozconfig_disable dbus
	fi

	if ! use necko-wifi; then
		mozconfig_disable necko-wifi
	fi

	if use ffmpeg; then
		mozconfig_enable ffmpeg
	else
		mozconfig_disable ffmpeg
	fi

	if use gstreamer; then
		mozconfig_enable gstreamer
	else
		mozconfig_disable gstreamer
	fi

	if use webrtc; then
		mozconfig_enable webrtc
	else
		mozconfig_disable webrtc
	fi

	if   use alsa; then
		mozconfig_enable alsa
	fi

	if ! use pulseaudio; then
		mozconfig_disable pulseaudio
	fi

	if use official-branding; then
		official-branding_warning
		mozconfig_enable official-branding
	fi

	if use gtk2; then
		mozconfig_enable default-toolkit=\"cairo-gtk2\"
	fi

	if use gtk3; then
		mozconfig_enable default-toolkit=\"cairo-gtk3\"
	fi

	# Mainly to prevent system's NSS/NSPR from taking precedence over
	# the built-in ones:
	append-ldflags -Wl,-rpath="$EPREFIX/usr/$(get_libdir)/palemoon"

	export MOZBUILD_STATE_PATH="${WORKDIR}/mach_state"
	mozconfig_var PYTHON $(which python2)
	mozconfig_var AUTOCONF $(which autoconf-2.13)
	mozconfig_var MOZ_MAKE_FLAGS "${MAKEOPTS}"
	# Disable mach notifications, which also cause sandbox access violations:
	export MOZ_NOSPAM=1

	python2 mach # Run it once to create the state directory.
	python2 mach configure || die
}

src_compile() {
	python2 mach build || die
}

src_install() {
	# obj_dir changes depending on arch, compiler, etc:
	local obj_dir="$(echo */config.log)"
	obj_dir="${obj_dir%/*}"

	# Disable MPROTECT for startup cache creation:
	pax-mark m "${obj_dir}"/dist/bin/xpcshell

	load_default_prefs
	set_pref "spellchecker.dictionary_path" "${EPREFIX}/usr/share/myspell"

	# Gotta create the package, unpack it and manually install the files
	# from there not to miss anything (e.g. the statusbar extension):
	einfo "Creating the package..."
	python2 mach package || die
	local extracted_dir="${T}/package"
	mkdir -p "${extracted_dir}"
	cd "${extracted_dir}"
	einfo "Extracting the package..."
	tar xjpf "${S}/${obj_dir}/dist/${P}a1.linux-${CTARGET_default%%-*}.tar.bz2"
	einfo "Installing the package..."
	local dest_libdir="/usr/$(get_libdir)"
	mkdir -p "${D}/${dest_libdir}"
	cp -rL "${PN}" "${D}/${dest_libdir}"
	dosym "${dest_libdir}/${PN}/${PN}" "/usr/bin/${PN}"
	einfo "Done installing the package."

	# Until JIT-less builds are supported,
	# also disable MPROTECT on the main executable:
	pax-mark m "${D}/${dest_libdir}/${PN}/"{palemoon,palemoon-bin,plugin-container}

	# Install language packs:
	MOZILLA_FIVE_HOME="${dest_libdir}/${PN}/browser"
	mozlinguas_src_install

	# Install icons and .desktop for menu entry:
	cp -rL "${S}/${obj_dir}/dist/branding" "${extracted_dir}/"
	local size sizes icon_path icon name
	sizes="16 32 48"
	icon_path="${extracted_dir}/branding"
	icon="${PN}"
	name="Pale Moon"
	for size in ${sizes}; do
		insinto "/usr/share/icons/hicolor/${size}x${size}/apps"
		newins "${icon_path}/default${size}.png" "${icon}.png"
	done
	# The 128x128 icon has a different name:
	insinto "/usr/share/icons/hicolor/128x128/apps"
	newins "${icon_path}/mozicon128.png" "${icon}.png"
	# Install a 48x48 icon into /usr/share/pixmaps for legacy DEs:
	newicon "${icon_path}/default48.png" "${icon}.png"
	newmenu "${FILESDIR}/icon/${PN}.desktop" "${PN}.desktop"
	sed -i -e "s:@NAME@:${name}:" -e "s:@ICON@:${icon}:" \
		"${ED}/usr/share/applications/${PN}.desktop" || die
}
So what am I missing to get the SSL keys logging back?

Regards!

Moonchild
Pale Moon guru
Posts: 35600
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: How to re-enable key logging to $SSLKEYLOGFILE

Unread post by Moonchild » 2017-03-09, 20:58

That patch looks wrong to begin with, since the define is never set when you comment the whole block out.

You'll want to leave the following line uncommented to set it always.

Code:
DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
Doing that should enable it in the library, at which point code block http://xref.palemoon.org/palemoon-trunk/source/security/nss/lib/ssl/sslsock.c#3440 will kick in and allow logging.

Code:
3440 #ifdef NSS_ALLOW_SSLKEYLOGFILE
3441         ev = PR_GetEnvSecure("SSLKEYLOGFILE");
3442         if (ev && ev[0]) {
3443             ssl_keylog_iob = fopen(ev, "a");
3444             if (!ssl_keylog_iob) {
3445                 SSL_TRACE(("SSL: failed to open key log file"));
3446             } else {
3447                 if (ftell(ssl_keylog_iob) == 0) {
3448                     fputs("# SSL/TLS secrets log file, generated by NSS\n",
3449                           ssl_keylog_iob);
3450                 }
3451                 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
3452             }
3453         }
3454 #endif
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
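As an added check (not code from this thread, from Pale Moon or from NSS), a small Python validator for the $SSLKEYLOGFILE that the sslsock.c block above writes once the define is set: it confirms the NSS header line, counts well-formed secret lines, flags malformed ones, and reports the "file present but nothing logged" symptom from the first post. The secret-line labels and the 96-hex-char master secret length are assumptions based on the NSS key-log format, not something the thread states.

```python
import os
import re

# Header NSS writes when it creates the log at offset 0 (quoted in the thread).
NSS_HEADER = "# SSL/TLS secrets log file, generated by NSS"

# Assumption (NSS key-log format, not stated in the thread): each secret line is
# "<LABEL> <64 hex client_random> <hex secret>"; CLIENT_RANDOM carries the
# 48-byte TLS <= 1.2 master secret, the other labels are TLS 1.3 traffic secrets.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
KNOWN_LABELS = {"CLIENT_RANDOM", "EXPORTER_SECRET",
                "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def check_keylog(text):
    """Validate key-log contents; returns header flag, per-label counts, problems."""
    lines = text.splitlines()
    header = bool(lines) and lines[0] == NSS_HEADER
    problems, counts = [], {}
    for n, line in enumerate(lines, start=1):
        if (n == 1 and header) or not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append("line %d: malformed entry" % n)
            continue
        label, secret = m.group(1), m.group(3)
        if label not in KNOWN_LABELS:
            problems.append("line %d: unknown label %s" % (n, label))
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append("line %d: master secret is %d hex chars, expected 96" % (n, len(secret)))
        counts[label] = counts.get(label, 0) + 1
    if not counts:  # the symptom from the thread: file present, nothing logged
        problems.append("no secret lines: libssl built without the define, or SSLKEYLOGFILE unset")
    return {"header": header, "counts": counts, "problems": problems, "ok": not problems}


def check_keylog_file(path):
    """Same check on a file on disk, plus a permissions check: it holds TLS secrets."""
    with open(path, "r") as fh:
        result = check_keylog(fh.read())
    if os.stat(path).st_mode & 0o077:
        result["problems"].append("file readable by group/others; chmod 600 it")
        result["ok"] = False
    return result


# Constructed sample: one good TLS 1.2 entry, one truncated secret, one junk line.
SAMPLE_LOG = "\n".join([
    NSS_HEADER,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 47,
    "garbage line",
]) + "\n"
```

Run `check_keylog_file` against the path in $SSLKEYLOGFILE after a rebuild; an empty result with "no secret lines" is exactly the state the first post describes.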

miroR
Fanatic
Posts: 116
Joined: 2016-05-31, 19:22

Re: How to re-enable key logging to $SSLKEYLOGFILE

Unread post by miroR » 2017-03-09, 21:25

Moonchild wrote: That patch looks wrong to begin with, since the define is never set when you comment the whole block out.

You'll want to leave the following line uncommented to set it always.

Code:
DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
I just wrongly modified it from the patch that I applied (and that has been working for months now!) in Firefox. You are right. In that patch the line you mention was left... It's just old age (I'm 60)... I can do things, but I lose some on the way :?

But really thanks for giving more tips to me, and on such short notice! :)

I will study the below...
Moonchild wrote: Doing that should enable it in the library, at which point code block http://xref.palemoon.org/palemoon-trunk/source/security/nss/lib/ssl/sslsock.c#3440 will kick in and allow logging.

Code:
3440 #ifdef NSS_ALLOW_SSLKEYLOGFILE
3441         ev = PR_GetEnvSecure("SSLKEYLOGFILE");
3442         if (ev && ev[0]) {
3443             ssl_keylog_iob = fopen(ev, "a");
3444             if (!ssl_keylog_iob) {
3445                 SSL_TRACE(("SSL: failed to open key log file"));
3446             } else {
3447                 if (ftell(ssl_keylog_iob) == 0) {
3448                     fputs("# SSL/TLS secrets log file, generated by NSS\n",
3449                           ssl_keylog_iob);
3450                 }
3451                 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
3452             }
3453         }
3454 #endif
Thanks a bunch!

miroR
Fanatic
Posts: 116
Joined: 2016-05-31, 19:22

Re: How to re-enable key logging to $SSLKEYLOGFILE

Unread post by miroR » 2017-03-09, 22:20

It works, just with that detail that I lost on the way corrected.
So, for anybody out there decrypting traffic, this is the patch that works for me, and the rest is explained in the first post
(
and also it is what worked in Firefox (which I now shut and am back browsing with Palemoon :wave: ):
https://587116.bugs.gentoo.org/attachment.cgi?id=440042
linked from:
https://bugs.gentoo.org/show_bug.cgi?id=587116
)
This is the patch:

Code:
From ab620b30019aed0f04635c057ab9b9a2cb3ef2cf Mon Sep 17 00:00:00 2001
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
Date: Wed, 8 Mar 2017 22:29:58 +0100
Subject: [PATCH] patched

---
 security/nss/lib/ssl/Makefile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
index 24fccc5..bdea353 100644
--- a/security/nss/lib/ssl/Makefile
+++ b/security/nss/lib/ssl/Makefile
@@ -40,11 +40,12 @@ endif
 endif
 
 # Enable key logging by default in debug builds, but not opt builds.
+# ( by commenting out the condition, it will be enabled in opt builds too )
 # Logging still needs to be enabled at runtime through env vars.
-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
-ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
+#NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
+#ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
 DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
-endif
+#endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
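Review bot: `DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1` is now unconditional, which does the job, but dropping the `NSS_ALLOW_SSLKEYLOGFILE ?=` assignment removes the only build-time way to turn logging off again, and the three `+#` lines are dead text. A smaller change with the same effect is to keep the block and replace only the default, `NSS_ALLOW_SSLKEYLOGFILE ?= 1`. Either way the resulting libssl writes TLS secrets to whatever `SSLKEYLOGFILE` names in the browser's environment, so this belongs in a clearly marked local patch rather than the shared ebuild.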
-- 
2.12.0
My Palemoon is back to logging SSL keys into my $SSLKEYLOGFILE.
Regards!
