Keylog mode key acquisition timing is too late in Apache 2 #746

Open
SunJal opened this issue Mar 3, 2025 · 1 comment

SunJal commented Mar 3, 2025

Describe the bug
I visited an HTTPS server configured with Apache 2 using OpenSSL and found that the three functions of the current keylog mode Hook cannot correctly read the key after the handshake, but instead obtain the key by calling the SSL_in_before function in SSL_shutdown when the connection is closed.

To Reproduce
Steps to reproduce the behavior:

1. Run Apache 2 and Ecapture
2. Initiate requests using long connections
3. Observe the output of ecapture when the connection is closed

Linux Server/Android :

  • Device: ubuntu-20.10
  • Kernel Info: Linux 5.8
  • Apache2 Version: 2.4.46

dosubot bot added the 🐞 bug label Mar 3, 2025

dosubot bot commented Mar 3, 2025

Hello, @SunJal! I'm here to help you with any bugs or questions you have. I'm a bot named Dosu, and I can assist you while you wait for a human maintainer.

The issue you're experiencing with the keylog mode in ecapture seems to be related to the timing of key acquisition during SSL/TLS handshakes when using Apache 2 with OpenSSL. The keys are being captured too late, specifically during the SSL_shutdown process, rather than immediately after the handshake.

This behavior might be due to how ecapture hooks into the OpenSSL functions. The tool sets up probes on functions like SSL_read and SSL_write to capture data during the handshake. However, if the keys are only being captured during SSL_shutdown, it suggests that the probes might not be triggering at the expected times during the handshake process.

To address this, you might want to investigate the following:

  1. Probe Setup: Ensure that the probes are correctly set up on the relevant OpenSSL functions. The timing of when these probes are triggered is crucial for capturing the keys immediately after the handshake.

  2. Function Hooks: Check if the functions being hooked are the right ones for the version of OpenSSL you are using. Different versions might have slight variations in function calls during the handshake.

  3. eBPF Program: Review the eBPF program logic to ensure it is correctly processing the captured data and that the timing aligns with the handshake events.

  4. Configuration: Verify that the ecapture configuration is set up correctly for your environment, especially regarding the keylog mode and any related parameters.

If these steps do not resolve the issue, it might require further investigation into the specific implementation details of ecapture and how it interacts with the OpenSSL library in your setup.


cfc4n self-assigned this Mar 3, 2025
cfc4n added the help wanted label Mar 3, 2025
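
One way to confirm the timing reported in this issue, as an added example (not code from eCapture or from either commenter): it compares when each connection's secrets reach the keylog output with that connection's ClientHello and close times taken from a packet capture. It assumes the keylog output is in NSS key log format and that whatever tails the file prefixes each line with its arrival time; that prefix, the function names and all sample values are constructed for illustration.

```python
import re

# '<epoch_seconds> <LABEL> <client_random, 64 hex chars> <secret, hex>'
# The timestamp prefix is an assumption; the rest is NSS key log format.
LINE_RE = re.compile(
    r"^(\d+(?:\.\d+)?) ([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_arrivals(lines):
    """Return {client_random: earliest arrival time of any secret for it}."""
    first_seen = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # comment, truncated or foreign line
        t, cr = float(m.group(1)), m.group(3).lower()
        first_seen[cr] = min(t, first_seen.get(cr, t))
    return first_seen

def classify(conns, first_seen, slack=1.0):
    """conns: {client_random: (client_hello_ts, close_ts)} from a capture.
    'ok' = key within `slack` seconds of the ClientHello; 'at_close' = key
    only appears around connection close (the symptom in this issue)."""
    verdicts = {}
    for cr, (hello, close) in conns.items():
        seen = first_seen.get(cr.lower())
        if seen is None:
            verdicts[cr] = "missing"
        elif seen - hello <= slack:
            verdicts[cr] = "ok"
        elif seen >= close - slack:
            verdicts[cr] = "at_close"
        else:
            verdicts[cr] = "late"
    return verdicts

# Constructed sample: four keep-alive connections, times in seconds.
A, B, C, D = ("aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32)
SAMPLE_KEYLOG = [
    f"100.2 CLIENT_HANDSHAKE_TRAFFIC_SECRET {A} {'11' * 32}",
    f"100.3 CLIENT_TRAFFIC_SECRET_0 {A} {'12' * 32}",
    f"159.8 CLIENT_RANDOM {B} {'22' * 48}",  # key shows up only as B closes
    f"110.0 CLIENT_RANDOM {D} {'44' * 48}",
    "161.0 not a key log line",
]
SAMPLE_CONNS = {A: (100.0, 130.0), B: (100.5, 160.0),
                C: (101.0, 140.0), D: (100.0, 150.0)}

if __name__ == "__main__":
    print(classify(SAMPLE_CONNS, parse_arrivals(SAMPLE_KEYLOG)))
```

A connection classified `at_close` cannot be decrypted live from the keylog output while it is still open, which is why the timing matters for long-lived connections.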