Keylog mode key acquisition timing is too late in Apache 2

[SunJal]

Important

You can mention the @dosu AI robot, which can quickly answer your questions.

Describe the bug
I visited an HTTPS server configured with Apache 2 using OpenSSL and found that the three functions of the current keylog mode Hook cannot correctly read the key after the handshake, but instead obtain the key by calling the SSL_in_before function in SSL_shutdown when the connection is closed.
To Reproduce
Steps to reproduce the behavior:

1.Run Apache 2 and Ecapture
2.Initiate requests using long connections
3.Observe the output of ecapture when the connection is closed

Screenshots

Linux Server/Android :

• Device: ubuntu-20.10
• Kernel Info: Linux 5.8
• Apache2 Version: 2.4.46

[dosubot]

Hello, @SunJal! I'm here to help you with any bugs or questions you have. I'm a bot named Dosu, and I can assist you while you wait for a human maintainer.

The issue you're experiencing with the keylog mode in ecapture seems to be related to the timing of key acquisition during SSL/TLS handshakes when using Apache 2 with OpenSSL. The keys are being captured too late, specifically during the SSL_shutdown process, rather than immediately after the handshake.

This behavior might be due to how ecapture hooks into the OpenSSL functions. The tool sets up probes on functions like SSL_read and SSL_write to capture data during the handshake. However, if the keys are only being captured during SSL_shutdown, it suggests that the probes might not be triggering at the expected times during the handshake process.

To address this, you might want to investigate the following:

1. Probe Setup: Ensure that the probes are correctly set up on the relevant OpenSSL functions. The timing of when these probes are triggered is crucial for capturing the keys immediately after the handshake.

2. Function Hooks: Check if the functions being hooked are the right ones for the version of OpenSSL you are using. Different versions might have slight variations in function calls during the handshake.

3. eBPF Program: Review the eBPF program logic to ensure it is correctly processing the captured data and that the timing aligns with the handshake events.

4. Configuration: Verify that the ecapture configuration is set up correctly for your environment, especially regarding the keylog mode and any related parameters.

If these steps do not resolve the issue, it might require further investigation into the specific implementation details of ecapture and how it interacts with the OpenSSL library in your setup.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[cfc4n]

Public clouds rarely provide 20.10 images, and I can't quickly build an environment. Can you provide an SSH account? If yes, please send it to my email.

📧 : Y2ZjNG4uY3NAZ21haWwuY29t

[cfc4n]

Does it happen on ubuntu 20.04?

[SunJal]

Does it happen on ubuntu 20.04?
Ubuntu 20.04 will also appear. You can follow the steps below to reproduce it on 20.04

1. sudo apt install apache2
2. sudo a2enmod ssl
3. sudo systemctl restart apache2
4. Start ecapture
5. Initiate a long connection, do not close the connection
   You can observe that ecapture does not output when the connection is not closed

[cfc4n]

Sorry, the error cannot be reproduced according to the above steps, and other errors were reported.

wget https://localhost
--2025-03-21 23:30:29--  https://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Unable to establish SSL connection.

...


openssl s_client -connect image.cnxct.com:443 -servername image.cnxct.com -showcerts
CONNECTED(00000003)
140314634110272:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 307 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I tried to configure the correct SSL certificate, but it still failed. The SSL certificate configuration for apache2 is too complicated, and I don't have enough energy to support it. I suggest you solve it yourself, or provide a set of reproducible SSH accounts, and I will debug it.

[cfc4n]

I tried to configure the correct SSL certificate, but it still failed. The SSL certificate configuration for apache2 is too complicated, and I don't have enough energy to support it. I suggest you solve it yourself, or provide a set of reproducible SSH accounts, and I will debug it.

@xiziyunqi105 参考这里，大概是跟你遇到了一样的问题。 能不能提供一个SSH帐号，我来分析一下？

[xiziyunqi105]

I tried to configure the correct SSL certificate, but it still failed. The SSL certificate configuration for apache2 is too complicated, and I don't have enough energy to support it. I suggest you solve it yourself, or provide a set of reproducible SSH accounts, and I will debug it.

@xiziyunqi105 参考这里，大概是跟你遇到了一样的问题。 能不能提供一个SSH帐号，我来分析一下？

OK 发你这个邮箱了cfc4n.cs@gmail.com

[SunJal]

I tried to configure the correct SSL certificate, but it still failed. The SSL certificate configuration for apache2 is too complicated, and I don't have enough energy to support it. I suggest you solve it yourself, or provide a set of reproducible SSH accounts, and I will debug it.

@xiziyunqi105 参考这里，大概是跟你遇到了一样的问题。 能不能提供一个SSH帐号，我来分析一下？

本质上是因为选择Hook的函数在SSL_do_handshake中密钥生成后不会被调用。nginx可以支持是由于nginx用SSL_set_info_callback设置了回调函数，这个函数中调用了SSL_get_wbio，并且设置的这个回调函数在state_machine中调用的read_state_machine和write_state_machine中会调用

[cfc4n]

感谢分析，@SunJal 你认为在apache的场景里，最合适的HOOK函数是哪个？