
HTTP and HTTPS Event Tracing

CI/CD processes often connect to multiple services and invoke various APIs to transfer data. These interactions typically occur over HTTP or HTTPS. While HTTP traffic is unencrypted and straightforward to trace, HTTPS introduces complexity due to encryption.

HTTPS relies on TLS (Transport Layer Security) to encrypt the entire HTTP exchange, including sensitive details like request paths (e.g., /v1/auth/login) and parameters. This encryption makes it difficult to trace the underlying traffic from outside the application.

eBPF Uprobes

eBPF uprobes enable dynamic instrumentation of user-space functions for tracing and debugging without modifying application binaries. This capability is especially useful for observing high-level logic that isn’t visible in kernel mode.

For instance, by instrumenting the SSL_read and SSL_write functions in the libssl.so library, you can monitor HTTPS/TLS connections and capture the plaintext of payloads that libraries like OpenSSL encrypt on the wire.

How Cimon Solves It

Cimon uses eBPF uprobes to intercept TLS-related functions, which lets it trace traffic before encryption and after decryption. One key challenge is instrumenting libraries like OpenSSL, which can be integrated into applications in different ways. For example:

  • Applications such as python3 load libssl.so dynamically from the operating system. In these cases, Cimon scans common library directories (e.g., /usr/lib) to locate and instrument the necessary libraries.
  • Some applications, like node, compile OpenSSL directly into the executable. Here, Cimon hooks the desired functions within the executable itself.
  • In dynamic settings such as Kubernetes clusters, where each pod may use a different version of the library, Cimon tracks and instruments libraries as they are loaded.

This discovery module ensures that Cimon can handle a variety of integration scenarios, providing robust TLS tracing across diverse environments.
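The sketch below is an added example, not Cimon's own code. It shows one way the discovery step described above could be approached: it parses /proc/<pid>/maps text, groups executable libssl.so mappings by (device, inode) so each distinct library file is listed once, and reports processes with no libssl mapping as candidates for an in-executable symbol check. The function names, PIDs, inodes and paths are all constructed for illustration.

```python
import re

# Constructed /proc/<pid>/maps excerpts; PIDs, inodes and paths are made up.
SAMPLE_MAPS = {
    101: "55d0c0a00000-55d0c0a01000 r-xp 00000000 08:01 1311 /usr/bin/python3.10\n"
         "7f1a2c000000-7f1a2c01d000 r--p 00000000 08:01 2210 /usr/lib/x86_64-linux-gnu/libssl.so.3\n"
         "7f1a2c01d000-7f1a2c07a000 r-xp 0001d000 08:01 2210 /usr/lib/x86_64-linux-gnu/libssl.so.3\n",
    202: "7f55aa000000-7f55aa05c000 r-xp 0001c000 00:3f 771 /usr/lib/libssl.so.1.1\n",
    203: "7f90bb000000-7f90bb05c000 r-xp 0001c000 00:3f 771 /usr/lib/libssl.so.1.1\n"
         "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n",
    304: "00400000-02e00000 r-xp 00000000 08:01 4410 /usr/local/bin/node\n",
}

LIBSSL = re.compile(r"/libssl\.so(\.[0-9.]+)?$")

def parse_maps(text):
    """Yield (perms, dev, inode, path) for each file-backed mapping."""
    for line in text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) == 6 and fields[4] != "0":
            yield fields[1], fields[3], int(fields[4]), fields[5]

def discover_libssl(maps_by_pid):
    """Return (libs, no_lib_pids).

    libs maps (dev, inode) -> {"path", "pids"}, so each distinct library file is
    listed once no matter how many processes map it. no_lib_pids lists processes
    with no libssl mapping, whose executable would need its own symbol check.
    """
    libs, no_lib_pids = {}, []
    for pid, text in maps_by_pid.items():
        found = False
        for perms, dev, inode, path in parse_maps(text):
            if "x" in perms and LIBSSL.search(path):
                found = True
                # /proc/<pid>/root resolves the path inside the process's mount namespace
                entry = libs.setdefault((dev, inode), {"path": f"/proc/{pid}/root{path}", "pids": set()})
                entry["pids"].add(pid)
        if not found:
            no_lib_pids.append(pid)
    return libs, no_lib_pids

if __name__ == "__main__":
    libs, no_lib = discover_libssl(SAMPLE_MAPS)
    for key, info in libs.items():
        print(key, info["path"], sorted(info["pids"]))
    print("check executable for SSL_read/SSL_write:", no_lib)
```

On a live host the same functions can be fed the contents of each /proc/<pid>/maps file; a process that shows up in no_lib_pids is not necessarily TLS-free, it only has no dynamically loaded libssl.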

Limitations and Future Support

Implementing comprehensive HTTPS tracing is inherently complex due to the variety of libraries and deployment environments. Currently, Cimon supports:

  • HTTP/1.1 protocol
  • OpenSSL via dynamic linking
  • OpenSSL via static linking

Future enhancements will aim to include:

  • Support for GnuTLS and other encryption libraries
  • HTTP/2 protocol tracing
  • Go TLS for monitoring Golang applications