库版本需要和bpf文件版本严格对应吗？

[fantasyplus]

Develop>./ecapture tls -m key --keylogfile sslkey_linux.log
2025-06-18T17:22:37+08:00 INF AppName="eCapture(旁观者)"
2025-06-18T17:22:37+08:00 INF HomePage=https://ecapture.cc
2025-06-18T17:22:37+08:00 INF Repository=https://github.com/gojue/ecapture
2025-06-18T17:22:37+08:00 INF Author="CFC4N cfc4ncs@gmail.com"
2025-06-18T17:22:37+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-06-18T17:22:37+08:00 INF Version=linux_amd64:v1.0.2:6.8.0-1027-azure
2025-06-18T17:22:37+08:00 INF Listen=localhost:28256
2025-06-18T17:22:37+08:00 INF eCapture running logs logger=
2025-06-18T17:22:37+08:00 INF the file handler that receives the captured event eventCollector=
2025-06-18T17:22:37+08:00 INF listen=localhost:28256
2025-06-18T17:22:37+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-06-18T17:22:37+08:00 INF Kernel Info=5.10.64 Pid=37087
2025-06-18T17:22:37+08:00 INF TruncateSize=0 Unit=bytes
2025-06-18T17:22:37+08:00 WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2025-06-18T17:22:37+08:00 INF BTF bytecode mode: CORE. btfMode=0
2025-06-18T17:22:37+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=sslkey_linux.log
2025-06-18T17:22:37+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-18T17:22:37+08:00 INF Module.Run()
2025-06-18T17:22:37+08:00 INF origin versionKey="openssl 1.0.2u" versionKeyLower="openssl 1.0.2u"
2025-06-18T17:22:37+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.0.2u"
2025-06-18T17:22:37+08:00 INF openssl version is less than 1.0.* hookFunc=SSL_state oldHookFunc=SSL_in_before openssl version="openssl 1.0.2u"
2025-06-18T17:22:37+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/lib64/libssl.so.1.1 masterHookFuncs=["SSL_get_wbio","SSL_state","SSL_do_handshake"]
2025-06-18T17:22:37+08:00 INF target all process.
2025-06-18T17:22:37+08:00 INF target all users.
2025-06-18T17:22:37+08:00 INF setupManagers eBPFProgramType=KeyLog
2025-06-18T17:22:37+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_0_2a_kern_core.o
2025-06-18T17:22:38+08:00 INF perfEventReader created mapSize(MB)=4
2025-06-18T17:22:38+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

openssl版本为library version="openssl 1.0.2u"，但是ecapture匹配的是bpfFileName=user/bytecode/openssl_1_0_2a_kern_core.o。实测下来无法获取sslkey。

[dosubot]

库版本和BPF文件版本确实需要严格对应。eCapture 的实现是根据 OpenSSL/BoringSSL 的具体版本来选择和加载对应的 eBPF 字节码文件（.o 文件），没有“兼容相近版本”或自动 fallback 的机制。如果 OpenSSL 版本和 BPF 文件版本不完全匹配，即使主版本号一致，也很可能导致无法抓取密钥或抓取失败，这与你遇到的情况一致（比如 1.0.2u 对应 1.0.2a 的 BPF 文件，实际无法抓取）参考。

你可以尝试用 --ssl_version 参数强制指定版本，但如果没有完全匹配的 BPF 文件，通常还是无法正常工作。建议确认你的 OpenSSL 版本和 eCapture 支持的 BPF 文件完全一致，必要时升级 eCapture 或等待支持新版本的 BPF 文件参考。

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[cfc4n]

是的，需要严格的对应。 不过 1.0.2a - 1.0.2u 类库的BPF文件都应该是openssl_1_0_2a_kern.o，这个映射关系没问题的。

ecapture/user/module/probe_openssl_lib.go

Lines 175 to 178 in 9cd91ad

	// openssl 1.0.2a - 1.0.2u
	for ch := 'a'; ch <= MaxSupportedOpenSSL102Version; ch++ {
	m.sslVersionBpfMap["openssl 1.0.2"+string(ch)] = "openssl_1_0_2a_kern.o"
	}

建议先用ecapture tls -m text 验证下是否正常工作。

[fantasyplus]

@cfc4n 使用text打印如下

2025-06-19T10:49:34+08:00 INF AppName="eCapture(旁观者)"
2025-06-19T10:49:34+08:00 INF HomePage=https://ecapture.cc
2025-06-19T10:49:34+08:00 INF Repository=https://github.com/gojue/ecapture
2025-06-19T10:49:34+08:00 INF Author="CFC4N cfc4ncs@gmail.com"
2025-06-19T10:49:34+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-06-19T10:49:34+08:00 INF Version=linux_amd64:v1.0.2:6.8.0-1027-azure
2025-06-19T10:49:34+08:00 INF Listen=localhost:28256
2025-06-19T10:49:34+08:00 INF eCapture running logs logger=
2025-06-19T10:49:34+08:00 INF the file handler that receives the captured event eventCollector=
2025-06-19T10:49:34+08:00 INF Kernel Info=5.10.64 Pid=3446
2025-06-19T10:49:34+08:00 INF TruncateSize=0 Unit=bytes
2025-06-19T10:49:34+08:00 WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
2025-06-19T10:49:34+08:00 INF BTF bytecode mode: CORE. btfMode=0
2025-06-19T10:49:34+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-06-19T10:49:34+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-06-19T10:49:34+08:00 INF Module.Run()
2025-06-19T10:49:34+08:00 INF origin versionKey="openssl 1.0.2u" versionKeyLower="openssl 1.0.2u"
2025-06-19T10:49:34+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.0.2u"
2025-06-19T10:49:34+08:00 INF openssl version is less than 1.0.* hookFunc=SSL_state oldHookFunc=SSL_in_before openssl version="openssl 1.0.2u"
2025-06-19T10:49:34+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_state","SSL_do_handshake"] binrayPath=/usr/lib64/libssl.so.1.1
2025-06-19T10:49:34+08:00 INF target all process.
2025-06-19T10:49:34+08:00 INF target all users.
2025-06-19T10:49:34+08:00 INF setupManagers eBPFProgramType=Text
2025-06-19T10:49:34+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_0_2a_kern_core.o
2025-06-19T10:49:34+08:00 INF listen=localhost:28256
2025-06-19T10:49:34+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-06-19T10:49:35+08:00 INF perfEventReader created mapSize(MB)=4
2025-06-19T10:49:35+08:00 INF perfEventReader created mapSize(MB)=4
2025-06-19T10:49:35+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

不过我使用curl和openssl请求www.baidu.com，均提示unable to get local issuer certificate，是否和这个有关？
curl使用-k参数可以成功访问，但是ecapture无反应。

curl日志：

curl https://www.baidu.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

openssl日志：

openssl s_client -connect www.baidu.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=20:unable to get local issuer certificate

Certificate chain
0 s:/C=CN/ST=beijing/L=beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd/CN=baidu.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
2 s:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

[cfc4n]

不过我使用curl和openssl请求www.baidu.com，均提示unable to get local issuer certificate，是否和这个有关？
curl使用-k参数可以成功访问，但是ecapture无反应。

应该跟这个无关。你需要关注一下，curl这个程序，使用的libssl是不是 /usr/lib64/libssl.so.1.1 这个。

[fantasyplus]

不过我使用curl和openssl请求www.baidu.com，均提示unable to get local issuer certificate，是否和这个有关？
curl使用-k参数可以成功访问，但是ecapture无反应。

应该跟这个无关。你需要关注一下，curl这个程序，使用的libssl是不是 /usr/lib64/libssl.so.1.1 这个。

感谢回答，这个我看过的，md5sum出来，curl和ecapture使用的libssl是一样的。