On Tue, Feb 26, 2013 at 11:00:52PM -0500, System Administrator wrote:
> Has anyone been able to make a *usable* ssldump?
>
> When trying to run the stock 5.2 (amd64) package I always get
> ERROR: Couldn't create network handler
> According to my research, that error is a known symptom of blindly
> building ssldump against any version of OpenSSL newer than 0.9.7 --
> i.e. the build process completes and a binary is generated but every
> attempt to use it results in the above error.
>
> Unfortunately, my research has not turned up any published patches to
> get over the problem... hoping someone else has had more success.
>
> Alternatively looking for suggestions for tools/methodology to diagnose
> a failing reverse proxy connection to an https backend server (with
> possibly a self-signed certificate)
Looking at FreeBSD's ports, in 2008 they added a patch to reinstate an option to use nroff, drop gmake as a dependency, and fix the error in creation of network handler. I created a simple patch, based on that work, to ssl/ssldecode.c that makes a small change; this makes ssldump start and listen without any errors. However, any time I visit an https page to test, the program hits a SIGSEGV:

Program received signal SIGSEGV, Segmentation fault.
strlen (str=0x58 <Address 0x58 out of bounds>) at /usr/src/lib/libc/string/strlen.c:43

I tried also using the FreeBSD patch for base/tcppack.c, and it's included in the below diff, but it didn't seem to help anything. Maybe someone else can help further for that. I only tested on my laptop with a trunk(4) interface on i386.

Also I tried to remove gmake as a dep but apparently FreeBSD's make must implement stuff gmake has as it definitely fails without it here still.

Cheers
-ryan

? ssldump.diff Index: Makefile =================================================================== RCS file: /cvs/ports/net/ssldump/Makefile,v retrieving revision 1.13 diff -u -p -u -p -r1.13 Makefile --- Makefile 19 Nov 2010 22:31:38 -0000 1.13 +++ Makefile 27 Feb 2013 08:34:35 -0000 @@ -4,7 +4,7 @@ COMMENT= SSLv3/TLS network protocol anal VERSION= 0.9b3 DISTNAME= ssldump-${VERSION} -REVISION= 0 +REVISION= 1 CATEGORIES= net HOMEPAGE= http://www.rtfm.com/ssldump/ @@ -20,7 +20,7 @@ WANTLIB= c crypto m pcap ssl MASTER_SITES= http://www.rtfm.com/ssldump/ -USE_GMAKE= Yes +USE_GMAKE = Yes USE_GROFF = Yes CONFIGURE_STYLE= gnu dest CONFIGURE_ARGS+= --with-openssl-inc=/usr/include \ Index: patches/patch-base_tcppack_c =================================================================== RCS file: patches/patch-base_tcppack_c diff -N patches/patch-base_tcppack_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-base_tcppack_c 27 Feb 2013 08:34:36 -0000 
@@ -0,0 +1,65 @@ +$OpenBSD$ +--- base/tcppack.c.orig Mon Sep 9 14:02:58 2002 ++++ base/tcppack.c Wed Feb 27 00:18:32 2013 +@@ -222,7 +222,6 @@ static int process_data_segment(conn,handler,p,stream, + int r,_status; + tcp_seq seq,right_edge; + segment _seg; +- segment *seg,*nseg=0; + long l; + + l=p->len - p->tcp->th_off * 4; +@@ -273,35 +272,39 @@ static int process_data_segment(conn,handler,p,stream, + if(SEQ_LT(stream->seq,seq)){ + /* Out of order segment */ + tcp_seq left_edge; ++ segment **ssn, *nseg=0; + +- for(seg=0;seg;seg=seg?seg->next:stream->oo_queue){ +- if(seg->next->s_seq > seq) ++ left_edge = seq; ++ for(ssn=&stream->oo_queue;*ssn;ssn=&(*ssn)->next){ ++ if((*ssn)->s_seq > seq) + break; ++ left_edge = (*ssn)->s_seq + (*ssn)->len; + } +- ++ /* ++ if seg == 0 ++ oo_queue is empty - place out of order segment into oo_queue ++ else ++ place out of order segment into oo_queue after seg ++ */ ++ + if(!(nseg=(segment *)calloc(sizeof(segment),1))) + ABORT(R_NO_MEMORY); + if(r=packet_copy(p,&nseg->p)) + ABORT(r); + nseg->s_seq=seq; +- ++ + /*Insert this segment into the reassembly queue*/ +- if(seg){ +- nseg->next=seg->next; +- seg->next=nseg; +- } +- else{ +- nseg->next=stream->oo_queue; +- stream->oo_queue=nseg; +- } ++ nseg->next = *ssn; ++ *ssn = nseg; + +- left_edge=seg?seg->s_seq:stream->seq; + STRIM(left_edge,nseg); + } + else{ + /*First segment -- just thread the unallocated data on the + list so we can pass to the analyzer*/ +- _seg.next=0; ++ segment _seg, *seg; ++ ++ _seg.next=stream->oo_queue; + _seg.p=p; + _seg.s_seq=seq; + Index: patches/patch-ssl_ssldecode_c =================================================================== RCS file: /cvs/ports/net/ssldump/patches/patch-ssl_ssldecode_c,v retrieving revision 1.1 diff -u -p -u -p -r1.1 patch-ssl_ssldecode_c --- patches/patch-ssl_ssldecode_c 16 Jun 2002 19:43:39 -0000 1.1 +++ patches/patch-ssl_ssldecode_c 27 Feb 2013 08:34:37 -0000 
@@ -1,6 +1,6 @@ $OpenBSD: patch-ssl_ssldecode_c,v 1.1 2002/06/16 19:43:39 pvalchev Exp $ ---- ssl/ssldecode.c.orig Sun Jun 16 13:41:46 2002 -+++ ssl/ssldecode.c Sun Jun 16 13:42:10 2002 +--- ssl/ssldecode.c.orig Fri Aug 16 18:33:17 2002 ++++ ssl/ssldecode.c Tue Feb 26 23:47:57 2013 @@ -51,6 +51,7 @@ #include <openssl/ssl.h> #include <openssl/hmac.h> @@ -9,3 +9,15 @@ $OpenBSD: patch-ssl_ssldecode_c,v 1.1 20 #include <openssl/x509v3.h> #endif #include "ssldecode.h" +@@ -130,8 +131,9 @@ int ssl_decode_ctx_create(dp,keyfile,pass) + #ifdef OPENSSL + ssl_decode_ctx *d=0; + int r,_status; +- +- SSLeay_add_all_algorithms(); ++ ++ SSL_library_init(); ++ OpenSSL_add_all_algorithms(); + if(!(d=(ssl_decode_ctx *)malloc(sizeof(ssl_decode_ctx)))) + ABORT(R_NO_MEMORY); + if(!(d->ssl_ctx=SSL_CTX_new(SSLv23_server_method())))
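Review bot: the Makefile hunk at @@ -20,7 +20,7 @@ is a whitespace-only change (`-USE_GMAKE= Yes` / `+USE_GMAKE = Yes`) with no effect on the build, and the message itself says the port still fails without gmake; drop this hunk so the Makefile diff contains only the REVISION bump that the patch changes require.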
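Review bot: the @@ -273,35 +272,39 @@ hunk of patch-base_tcppack_c leaves a stale comment and a shadowed declaration. The added comment block ("if seg == 0 oo_queue is empty ... place out of order segment into oo_queue after seg") still describes the removed `seg` walk, while the new code inserts through `ssn` (`nseg->next = *ssn; *ssn = nseg;`), so it should be rewritten in terms of `ssn`, or dropped. In the else branch, `segment _seg, *seg;` declares a block-local `_seg` that shadows the function-scope `segment _seg;` kept by the @@ -222 hunk, and `seg` is not assigned anywhere in the visible lines; use the outer `_seg` and keep `*seg` only if the rest of the function still reads it. It is also worth confirming that `len` is a field of `segment`, since the new `left_edge = (*ssn)->s_seq + (*ssn)->len;` relies on it while the original loop only compared `s_seq`.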
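Review bot: the @@ -9,3 +9,15 @@ hunk is the functional fix and its ordering is right: `SSL_library_init()` and `OpenSSL_add_all_algorithms()` now run before the `SSL_CTX_new(SSLv23_server_method())` call in the context lines, which is the call that returns NULL on OpenSSL newer than 0.9.7 when the library has not been initialised, consistent with the "Couldn't create network handler" error quoted at the top of the thread. The two `+-` / `++` lines above `SSL_library_init()` only change whitespace on a blank line and can be dropped so the patch carries nothing but the `SSLeay_add_all_algorithms()` replacement.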