How to re-enable key logging to $SSLKEYLOGFILE [Topic is solved]

The place to report Pale Moon specific bugs on Linux and other operating systems.


miroR
Moon lover
Posts: 81
Joined: Tue, 31 May 2016, 19:22

How to re-enable key logging to $SSLKEYLOGFILE

Unread postby miroR » Thu, 09 Mar 2017, 20:47

I see the bleeding edge Palemoon (that I installed yesterday) now uses nss-3.28.3 (if I remember correctly; I can't have it open, can't use it, because it's not logging the SSL keys, so I have to browse with Firefox till I do it...)
How can the logging to $SSLKEYLOGFILE be re-enabled in Palemoon?

This is where the patch below lives:


# ls -lRa /etc/portage/patches/www-client/palemoon-27.2.0-r1/
/etc/portage/patches/www-client/palemoon-27.2.0-r1/:
total 12
drwxr-xr-x 2 portage portage 4096 2017-03-08 22:33 .
drwxr-xr-x 7 portage portage 4096 2017-03-08 22:32 ..
-rw-r--r-- 1 portage portage 1133 2017-03-08 22:31 allow-sslkeylogfile.patch
#


And this is the patch:

# cat allow-sslkeylogfile.patch


From ab620b30019aed0f04635c057ab9b9a2cb3ef2cf Mon Sep 17 00:00:00 2001
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
Date: Wed, 8 Mar 2017 22:29:58 +0100
Subject: [PATCH] patched

---
 security/nss/lib/ssl/Makefile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
index 24fccc5..bdea353 100644
--- a/security/nss/lib/ssl/Makefile
+++ b/security/nss/lib/ssl/Makefile
@@ -40,11 +40,12 @@ endif
 endif
 
 # Enable key logging by default in debug builds, but not opt builds.
+# ( by commenting it out, it will be enabled in opt builds too )
 # Logging still needs to be enabled at runtime through env vars.
-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
-ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
-DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
-endif
+#NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
+#ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
+#DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
+#endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
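Review bot: commenting out `DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1` together with the `ifeq` block means the macro is never defined at all, so the `#ifdef NSS_ALLOW_SSLKEYLOGFILE` code in sslsock.c is compiled out of every build, opt and debug alike; the added comment `( by commenting it out, it will be enabled in opt builds too )` therefore describes the opposite of what the hunk does. Keep the `DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1` line uncommented (or, since the original assignment uses `?=`, set NSS_ALLOW_SSLKEYLOGFILE=1 in the build environment, assuming that variable reaches this Makefile) if the aim is to have it in opt builds. Be aware that an unconditional define ships key logging in a release build, where anyone able to set SSLKEYLOGFILE in the browser's environment gets its session secrets written to a file; logging is still gated at runtime by that env var, as the retained comment says.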
--
2.12.0


However, commenting it out, as I wrote in the patch, doesn't make SSLKEYLOG'ing "be enabled in opt builds too".

I tried it: that user patch (probably typical of Gentoo only, not other Linuces, or?) gets applied when expected (at "source prepare" time; see the ebuild below), and the Makefile, exactly as expected, does look like this:


#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY).   #
#######################################################################

include manifest.mn

#######################################################################
# (2) Include "global" configuration information. (OPTIONAL)          #
#######################################################################

include $(CORE_DEPTH)/coreconf/config.mk

#######################################################################
# (3) Include "component" configuration information. (OPTIONAL)       #
######################################################################
#


#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
#######################################################################

include config.mk

ifeq (,$(filter-out WIN%,$(OS_TARGET)))
CSRCS   += win32err.c
DEFINES += -DIN_LIBSSL
else
ifeq ($(OS_TARGET),OS2)
CSRCS   += os2_err.c
else
CSRCS   += unix_err.c
endif
endif

# Enable key logging by default in debug builds, but not opt builds.
# ( by commenting it out, it will be enabled in opt builds too )
# Logging still needs to be enabled at runtime through env vars.
#NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
#ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
#DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
#endif

#######################################################################
# (5) Execute "global" rules. (OPTIONAL)                              #
#######################################################################

include $(CORE_DEPTH)/coreconf/rules.mk

#######################################################################
# (6) Execute "component" rules. (OPTIONAL)                           #
#######################################################################



#######################################################################
# (7) Execute "local" rules. (OPTIONAL).                              #
#######################################################################

export:: private_export


but my Palemoon does not record any SSL keys into my $SSLKEYLOGFILE ...

What is missing to get the recording of SSL keys back?
(I have to use Firefox, where a similar patch that I applied did the trick; I reported about it in
Tracking protection and NSS SSL secrets logging (two security questions)?
viewtopic.php?f=26&t=12544
where you can find the Gentoo bug with my patch that works for Firefox, and that I'm using in this Firefox that I'm browsing with right now. I'd like to go back to using Palemoon again, but no way would I be happy if the network SSL conversations don't open for me, no way...)

This ebuild is a copy-and-modify of the latest ebuild from https://github.com/deuiore/palemoon-overlay . It is modified in such a way as I tried to explain in:
https://github.com/deuiore/palemoon-overlay/pull/34

Here's the ebuild, which otherwise gets me a fully functional Palemoon (look for "eapply_user" to see where the above patch is applied):


# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$

EAPI=6

REQUIRED_BUILDSPACE='7G'

# For mozlinguas:
MOZ_LANGS=( cs de es-AR es-ES es-MX fr hu it ja ko pl ru zh-CN )
MOZ_LANGPACK_PREFIX="langpacks/27.x/"
MOZ_FTP_URI="http://relmirror.palemoon.org"

inherit palemoon-1-r1 mozlinguas git-r3 eutils flag-o-matic pax-utils

KEYWORDS="~x86 ~amd64"
DESCRIPTION="Pale Moon Web Browser"
HOMEPAGE="https://www.palemoon.org/"

SLOT="0"
LICENSE="MPL-2.0 GPL-2 LGPL-2.1"
IUSE="+official-branding -system-libs +optimize shared-js jemalloc -valgrind
   dbus -necko-wifi +gtk2 -gtk3 +ffmpeg -gstreamer -webrtc
   alsa pulseaudio"

EGIT_REPO_URI="http://localhost/cgi-bin/cgit.cgi/Pale-Moon.git"
GIT_TAG="${PV}a1"

DEPEND="
   >=sys-devel/autoconf-2.13:2.1
   dev-lang/python:2.7
   >=dev-lang/perl-5.6
   dev-lang/yasm"

RDEPEND="
   x11-libs/libXt
   app-arch/zip
   media-libs/freetype
   media-libs/fontconfig

   system-libs? (
      dev-libs/libevent
      media-libs/libjpeg-turbo
      sys-libs/zlib
      app-arch/bzip2
      media-libs/libwebp
      media-libs/libpng[apng]
      app-text/hunspell
      >=media-libs/libvpx-1.4.0
      >=dev-db/sqlite-3.13.0[secure-delete]
      x11-libs/cairo
      x11-libs/pixman
   )

   optimize? ( sys-libs/glibc )

   valgrind? ( dev-util/valgrind )

   shared-js? ( virtual/libffi )

   dbus? (
      >=sys-apps/dbus-0.60
      >=dev-libs/dbus-glib-0.60
   )

   gtk2? ( >=x11-libs/gtk+-2.18.0:2 )
   gtk3? ( >=x11-libs/gtk+-3.4.0:3 )

   ffmpeg? (
      virtual/ffmpeg[x264]
   )

   gstreamer? (
      media-libs/gstreamer:1.0
      media-libs/gst-plugins-base:1.0
   )

   alsa? ( media-libs/alsa-lib )
   pulseaudio? ( media-sound/pulseaudio )

   necko-wifi? ( net-wireless/wireless-tools )"

REQUIRED_USE="
   jemalloc? ( !valgrind )
   ^^ ( gtk2 gtk3 )
   ^^ ( alsa pulseaudio )
   necko-wifi? ( dbus )"

src_unpack() {
   git-r3_fetch ${EGIT_REPO_URI} refs/heads/master
   git-r3_checkout

   # Unpack language packs:
   cd "${WORKDIR}"
   mozlinguas_src_unpack
}

src_prepare() {
   # Ensure that our plugins dir is enabled by default:
   sed -i -e "s:/usr/lib/mozilla/plugins:/usr/lib/nsbrowser/plugins:" \
      "${S}/xpcom/io/nsAppFileLocationProvider.cpp" \
      || die "sed failed to replace plugin path for 32bit!"
   sed -i -e "s:/usr/lib64/mozilla/plugins:/usr/lib64/nsbrowser/plugins:" \
      "${S}/xpcom/io/nsAppFileLocationProvider.cpp" \
      || die "sed failed to replace plugin path for 64bit!"

   # Allow users to apply any additional patches without modifying the ebuild:
   eapply_user
}

src_configure() {
   # Basic configuration:
   mozconfig_init

   mozconfig_disable updater

   if use system-libs; then
      mozconfig_with system-libevent system-jpeg system-zlib system-bz2 \
         system-webp system-png system-libvpx
      mozconfig_enable system-hunspell system-sqlite system-cairo \
         system-pixman
   fi

   if use optimize; then
      O=$(get-flag '-O*')
      mozconfig_enable optimize=\"$O\"
      filter-flags '-O*'
   else
      mozconfig_disable optimize
   fi

   if use shared-js; then
      mozconfig_enable shared-js
   fi

   if use jemalloc; then
      mozconfig_enable jemalloc jemalloc-lib
   fi

   if use valgrind; then
      mozconfig_enable valgrind
   else
      mozconfig_disable valgrind
   fi

   if ! use dbus; then
      mozconfig_disable dbus
   fi

   if ! use necko-wifi; then
      mozconfig_disable necko-wifi
   fi

   if use ffmpeg; then
      mozconfig_enable ffmpeg
   else
      mozconfig_disable ffmpeg
   fi

   if use gstreamer; then
      mozconfig_enable gstreamer
   else
      mozconfig_disable gstreamer
   fi

   if use webrtc; then
      mozconfig_enable webrtc
   else
      mozconfig_disable webrtc
   fi

   if   use alsa; then
      mozconfig_enable alsa
   fi

   if ! use pulseaudio; then
      mozconfig_disable pulseaudio
   fi

   if use official-branding; then
      official-branding_warning
      mozconfig_enable official-branding
   fi

   if use gtk2; then
      mozconfig_enable default-toolkit=\"cairo-gtk2\"
   fi

   if use gtk3; then
      mozconfig_enable default-toolkit=\"cairo-gtk3\"
   fi

   # Mainly to prevent system's NSS/NSPR from taking precedence over
   # the built-in ones:
   append-ldflags -Wl,-rpath="$EPREFIX/usr/$(get_libdir)/palemoon"

   export MOZBUILD_STATE_PATH="${WORKDIR}/mach_state"
   mozconfig_var PYTHON $(which python2)
   mozconfig_var AUTOCONF $(which autoconf-2.13)
   mozconfig_var MOZ_MAKE_FLAGS "${MAKEOPTS}"
   # Disable mach notifications, which also cause sandbox access violations:
   export MOZ_NOSPAM=1

   python2 mach # Run it once to create the state directory.
   python2 mach configure || die
}

src_compile() {
   python2 mach build || die
}

src_install() {
   # obj_dir changes depending on arch, compiler, etc:
   local obj_dir="$(echo */config.log)"
   obj_dir="${obj_dir%/*}"

   # Disable MPROTECT for startup cache creation:
   pax-mark m "${obj_dir}"/dist/bin/xpcshell

   load_default_prefs
   set_pref "spellchecker.dictionary_path" "${EPREFIX}/usr/share/myspell"

   # Gotta create the package, unpack it and manually install the files
   # from there not to miss anything (e.g. the statusbar extension):
   einfo "Creating the package..."
   python2 mach package || die
   local extracted_dir="${T}/package"
   mkdir -p "${extracted_dir}"
   cd "${extracted_dir}"
   einfo "Extracting the package..."
   tar xjpf "${S}/${obj_dir}/dist/${P}a1.linux-${CTARGET_default%%-*}.tar.bz2"
   einfo "Installing the package..."
   local dest_libdir="/usr/$(get_libdir)"
   mkdir -p "${D}/${dest_libdir}"
   cp -rL "${PN}" "${D}/${dest_libdir}"
   dosym "${dest_libdir}/${PN}/${PN}" "/usr/bin/${PN}"
   einfo "Done installing the package."

   # Until JIT-less builds are supported,
   # also disable MPROTECT on the main executable:
   pax-mark m "${D}/${dest_libdir}/${PN}/"{palemoon,palemoon-bin,plugin-container}

   # Install language packs:
   MOZILLA_FIVE_HOME="${dest_libdir}/${PN}/browser"
   mozlinguas_src_install

   # Install icons and .desktop for menu entry:
   cp -rL "${S}/${obj_dir}/dist/branding" "${extracted_dir}/"
   local size sizes icon_path icon name
   sizes="16 32 48"
   icon_path="${extracted_dir}/branding"
   icon="${PN}"
   name="Pale Moon"
   for size in ${sizes}; do
      insinto "/usr/share/icons/hicolor/${size}x${size}/apps"
      newins "${icon_path}/default${size}.png" "${icon}.png"
   done
   # The 128x128 icon has a different name:
   insinto "/usr/share/icons/hicolor/128x128/apps"
   newins "${icon_path}/mozicon128.png" "${icon}.png"
   # Install a 48x48 icon into /usr/share/pixmaps for legacy DEs:
   newicon "${icon_path}/default48.png" "${icon}.png"
   newmenu "${FILESDIR}/icon/${PN}.desktop" "${PN}.desktop"
   sed -i -e "s:@NAME@:${name}:" -e "s:@ICON@:${icon}:" \
      "${ED}/usr/share/applications/${PN}.desktop" || die
}


So what am I missing to get the SSL keys logging back?

Regards!

Moonchild
Pale Moon guru
Posts: 21396
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: How to re-enable key logging to $SSLKEYLOGFILE

Unread postby Moonchild » Thu, 09 Mar 2017, 20:58

That patch looks wrong to begin with, since the define is never set when you comment the whole block out.

You'll want to leave the following line uncommented to set it always.


DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1


Doing that should enable it in the library, at which point code block http://xref.palemoon.org/palemoon-trunk/source/security/nss/lib/ssl/sslsock.c#3440 will kick in and allow logging.


3440 #ifdef NSS_ALLOW_SSLKEYLOGFILE
3441         ev = PR_GetEnvSecure("SSLKEYLOGFILE");
3442         if (ev && ev[0]) {
3443             ssl_keylog_iob = fopen(ev, "a");
3444             if (!ssl_keylog_iob) {
3445                 SSL_TRACE(("SSL: failed to open key log file"));
3446             } else {
3447                 if (ftell(ssl_keylog_iob) == 0) {
3448                     fputs("# SSL/TLS secrets log file, generated by NSS\n",
3449                           ssl_keylog_iob);
3450                 }
3451                 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
3452             }
3453         }
3454 #endif
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

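As an added example (not code from the thread or from NSS), here is a small Python checker for the file that the sslsock.c block above writes: it confirms the header NSS puts at the top of an empty log, counts entries by label, and flags the two things a practitioner most often gets wrong, an empty file (the symptom in this thread) and a key log left group- or world-readable. The label set and line format are assumptions about the NSS key log format, not something the thread states.

```python
# Added example, not from the thread or from NSS: sanity-check an NSS
# $SSLKEYLOGFILE. Assumes the NSS key log format: a "# ..." header (the one
# sslsock.c writes to an empty file), then "<LABEL> <client_random> <secret>".
import os, re, stat

NSS_HEADER = "# SSL/TLS secrets log file, generated by NSS"
# Labels NSS emits (assumed). Only client_random has a fixed size (32 bytes,
# 64 hex); the secret length depends on the label and the suite's hash.
KNOWN_LABELS = {"CLIENT_RANDOM",  # TLS <= 1.2: 48-byte master secret
                "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
ENTRY_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-f]{64}) ([0-9a-f]+)$")


def check_keylog_text(text, mode=0o600):
    """Return {'has_header': bool, 'entries': {label: count}, 'problems': [str]}."""
    report = {"has_header": False, "entries": {}, "problems": []}
    # The file holds live session secrets: it must not be group/world readable.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        report["problems"].append("file is readable by group/others")
    lines = text.splitlines()
    if not lines:  # the thread's symptom: NSS never opened the file at all
        report["problems"].append("empty: define missing from build or env var unset")
        return report
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#"):
            report["has_header"] |= line == NSS_HEADER
            continue
        m = ENTRY_RE.match(line)
        if not m:
            report["problems"].append(f"line {lineno}: malformed entry")
            continue
        label, _client_random, secret = m.groups()
        if label not in KNOWN_LABELS:
            report["problems"].append(f"line {lineno}: unknown label {label}")
        elif label == "CLIENT_RANDOM" and len(secret) != 96:
            report["problems"].append(f"line {lineno}: master secret is not 48 bytes")
        report["entries"][label] = report["entries"].get(label, 0) + 1
    return report


def check_keylog(path):
    """Check a real key log file: content plus its on-disk permission bits."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_keylog_text(fh.read(), os.stat(path).st_mode)


# Constructed sample: header, a TLS 1.2 session, a TLS 1.3 secret, then a
# short master secret of the kind a crash mid-write could leave behind.
SAMPLE_LOG = "\n".join([
    NSS_HEADER,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "ef" * 32 + " " + "12" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 10,
]) + "\n"
```

Run `check_keylog(os.environ["SSLKEYLOGFILE"])` after a few page loads; an empty report with no entries means the define never made it into the build or the env var was not set for the browser process.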
miroR
Moon lover
Posts: 81
Joined: Tue, 31 May 2016, 19:22

Re: How to re-enable key logging to $SSLKEYLOGFILE

Unread postby miroR » Thu, 09 Mar 2017, 21:25

Moonchild wrote:That patch looks wrong to begin with, since the define is never set when you comment the whole block out.

You'll want to leave the following line uncommented to set it always.


DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1


I just wrongly modified it from the patch that I applied (and that has been working for months now!) in Firefox. You are right. In that patch the line you say was left... It's just old age (I'm 60)... I can do things, but I lose some on the way :?

But really thanks for giving more tips to me, and on such short notice! :)

I will study the below...
Moonchild wrote:Doing that should enable it in the library, at which point code block http://xref.palemoon.org/palemoon-trunk/source/security/nss/lib/ssl/sslsock.c#3440 will kick in and allow logging.


3440 #ifdef NSS_ALLOW_SSLKEYLOGFILE
3441         ev = PR_GetEnvSecure("SSLKEYLOGFILE");
3442         if (ev && ev[0]) {
3443             ssl_keylog_iob = fopen(ev, "a");
3444             if (!ssl_keylog_iob) {
3445                 SSL_TRACE(("SSL: failed to open key log file"));
3446             } else {
3447                 if (ftell(ssl_keylog_iob) == 0) {
3448                     fputs("# SSL/TLS secrets log file, generated by NSS\n",
3449                           ssl_keylog_iob);
3450                 }
3451                 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
3452             }
3453         }
3454 #endif


Thanks a bunch!

miroR
Moon lover
Posts: 81
Joined: Tue, 31 May 2016, 19:22

Re: How to re-enable key logging to $SSLKEYLOGFILE  Topic is solved

Unread postby miroR » Thu, 09 Mar 2017, 22:20

It works, with just that detail that I lost on the way corrected.
So, if anybody out there is decrypting traffic, this is the patch that works for me; the rest is explained in the first post
(and also it is what worked in Firefox (which I now shut and am back browsing with Palemoon :wave: ):
https://587116.bugs.gentoo.org/attachment.cgi?id=440042
linked from:
https://bugs.gentoo.org/show_bug.cgi?id=587116
)
This is the patch:


From ab620b30019aed0f04635c057ab9b9a2cb3ef2cf Mon Sep 17 00:00:00 2001
From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
Date: Wed, 8 Mar 2017 22:29:58 +0100
Subject: [PATCH] patched

---
 security/nss/lib/ssl/Makefile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
index 24fccc5..bdea353 100644
--- a/security/nss/lib/ssl/Makefile
+++ b/security/nss/lib/ssl/Makefile
@@ -40,11 +40,12 @@ endif
 endif
 
 # Enable key logging by default in debug builds, but not opt builds.
+# ( by commenting out the condition, it will be enabled in opt builds too )
 # Logging still needs to be enabled at runtime through env vars.
-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
-ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
+#NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1)
+#ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE))
 DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1
-endif
+#endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
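Review bot: this hunk now matches its comment (the conditional is removed while `DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1` stays in force), but the patch header above is stale: the diffstat still reports 5 insertions and 4 deletions and the commit hash is identical to the first version, whereas this hunk has 4 insertions and 3 deletions. `patch` and `git apply` only use the `@@ -40,11 +40,12 @@` counts, which are correct, so it applies, but regenerate it with `git format-patch` so the header describes the patch it ships with. The three commented-out lines are dead and could simply be deleted for a smaller diff; the remaining caveat is that every build from this tree, release builds included, now has key logging compiled in, with only the SSLKEYLOGFILE environment variable standing between a process's environment and its TLS session secrets.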
--
2.12.0

My Palemoon is back to logging SSL keys into my $SSLKEYLOGFILE.
Regards!

