# TLS

### WolfSSL

```bash
git clone https://github.com/wolfSSL/wolfssl --depth 1
cd wolfssl
sh autogen.sh
./configure --enable-all --enable-all-crypto --disable-shared --prefix=/opt/wolfssl-rs/
make
sudo make install
```

## Reproduce

### Record

On the controller machine.

#### Installation

Build netreplay and copy it into this folder.

Authorize netreplay to bind to ports 80 and 443:

```bash
sudo setcap CAP_NET_BIND_SERVICE=+eip netreplay
```

Open Firefox with a dedicated profile (create the profile using the GUI if it doesn't exist):

```bash
firefox -P tlsbench
```

In settings, disable DNS security. In `about:config`, set `network.dns.forceResolve` to `127.0.0.1`.

Run the shell command:

```bash
python exp.py make debug -c
```

In Firefox, go to security settings, Certificates, import `/dev/shm/exp/certs/prime256v1/ca.crt` and trust it for identifying websites.

#### After installation

Stop anything running on ports 80 or 443.

Start the record proxy:

```bash
./netreplay records/mynewrecord record
```

Just browse. Any traffic will be recorded. Terminate netreplay with CTRL+C when finished.

### Measure

Copy the tlsbench folder to the target. Build netreplay with the wanted cryptographic backends on the target (one build per backend), and place each version in tlsbench, named `netreplay-aws-lc`, `netreplay-boring`, etc.

Install dependencies on the target:

```bash
sudo apt install acct dtach
sudo chmod +s /sbin/sa
```

Modify experiment parameters at the top of `exp.py` to suit your setup and the wanted experiments.

Run:

```bash
python exp.py make pi3 -c
python exp.py send pi3
python exp.py run pi3 --idle
```

It may be necessary to keep an SSH connection to the target open during the experiment, and to set `RemoveIPC=no` in `/etc/systemd/logind.conf` (then `systemctl restart systemd-logind`).

### Profile

Profile code execution on the local machine.

Install sa:

```bash
sudo apt install acct dtach python3-invoke python3-fabric
sudo chmod +s /sbin/sa
```

Install OpenSSL with debug symbols:

```bash
# Options from Debian build
# Debian package libssl3t64 -> Developer Information -> buildd reproducibility -> trixie rbuild
# https://tests.reproducible-builds.org/debian/rb-pkg/trixie/amd64/openssl.html
/usr/bin/perl ./Configure --release -g --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu shared no-idea no-mdc2 no-rc5 no-ssl3 no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-tfo enable-zstd enable-zlib enable-fips enable-ec_nistp_64_gcc_128
# Or, if OpenSSL 1.1:
/usr/bin/perl ./Configure --release -g --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu shared no-idea no-mdc2 no-rc5 no-ssl3 no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-zlib enable-ec_nistp_64_gcc_128 linux-x86_64
```

To build netreplay with this OpenSSL:

```bash
OPENSSL_LIB_DIR=/home/pi/reps/openssl-openssl-3.6.1/ OPENSSL_DIR=/home/pi/reps/openssl-openssl-3.6.1/ cargo build --release
```

Authorize non-root users to use perf (the setting applies system-wide and lasts until the next reboot):

```bash
sudo sysctl kernel.perf_event_paranoid=-1
```

Run:

```bash
python exp.py make local -c
python exp.py run local
python plots.py prof
```

### RAPL

```bash
gcc -O3 powercap.c -o powercap
sudo chown root powercap
sudo chmod u+s powercap
```

### Grid5000

```bash
ssh nancy.g5k
oarsub -q default -l host=2,walltime=2 -p "wattmeter=YES" -I
# Check the name of the other node in https://intranet.grid5000.fr/oar/Lyon/drawgantt-svg/
# Let's call them p1 and p2
ping p2
# Note p2 addr to exp.py
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
pip3 install fabric
python exp.py make g5k -c
python exp.py send g5k
# Notes
scp /lib/x86_64-linux-gnu/libssl.so.3.6 nancy.g5k:~/
scp /lib/x86_64-linux-gnu/libcrypto.so.3.6 nancy.g5k:~/
scp records/wikipedia nancy.g5k:tlsbench/records/
```

#### Wattmeter

API timestamps are in Paris time.

https://api.grid5000.fr/stable/sites/nancy/metrics?nodes=gros-69&metrics=bmc_node_power_watt&start_time=2026-02-26T14:00&end_time=2026-02-26T14:40