Need some help for TLS decryption failure

Hi, I’m getting TLS decryption failures, and based on the btest code, I suspect it’s related to this macro definition:
# @TEST-REQUIRES: grep -q "#define OPENSSL_HAVE_KDF_H" $BUILD/zeek-config.h

In my zeek-config.h file, the relevant content is:

/* openssl/kdf.h for TLS PRF (key derivation) */
/* #undef OPENSSL_HAVE_KDF_H */

The errors in my CMakeError.log are:

In file included from /home/sxx/code/github/zeek/build/CMakeFiles/CheckIncludeFiles/OPENSSL_HAVE_KDF_H.c:2:
/usr/include/openssl/kdf.h:33:46: error: unknown type name ‘va_list’
 int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);
                                              ^~~~~~~
/usr/include/openssl/kdf.h:33:46: note: ‘va_list’ is defined in header ‘<stdarg.h>’; did you forget to ‘#include <stdarg.h>’?
/usr/include/openssl/kdf.h:15:1:
+#include <stdarg.h>
# ifdef __cplusplus
/usr/include/openssl/kdf.h:33:46:
 int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);

My Zeek version is 7.0.4, OpenSSL 1.1.1k, kernel 4.18.0-305.3.1.el8.x86_64. How should I fix this? Thank you for your help.

For reproduction - which Linux distribution is this?

Did you modify the Zeek source tree in any way before trying compilation?

Also - just to temper expectations: please note that the TLS decryption feature in Zeek is currently not very useful. It’s more of an experiment, and supports decryption for exactly one TLS cipher in one TLS version. This is not a combination that will commonly be seen in traffic. Furthermore, even if the cipher and versions fit, you will have to provide the session key for every single connection, so that Zeek can decrypt the connection. This is not trivial to accomplish.

Thank you for your reply. Yes, I understand it only supports specific algorithms, and I have not modified the Zeek source code. The distribution is CentOS Linux release 8.4.2105.
I am using the btest pcap and key files. Or, to put it another way, I would like to know how to debug this, or where to get the decryption error message and find the possible reasons for decryption failures. The -B dpd output appears to be unclear.

Thank you 🙂

CentOS 8, including CentOS 8.4, has been EOL since December 2021. We no longer verify that Zeek builds against it, or really support builds against it.

The build error you encounter also seems like a distribution error, not like anything that directly has something to do with Zeek.

Is there any chance that you can do this on a more modern distribution?