[Bug 63391] New: Provide ability to log key material for session decryption


[Bug 63391] New: Provide ability to log key material for session decryption

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63391

            Bug ID: 63391
           Summary: Provide ability to log key material for session
                    decryption
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

GnuTLS and NSS provide native support for SSLKEYLOGFILE[1,2], allowing seamless
support for logging the keys necessary to decrypt the TLS session for debugging.

Unfortunately OpenSSL developers decided to expose it using an API[3], not
through an environment variable. Given that using RSA key exchange and using the
server private key to decrypt a session is no longer possible in TLS 1.3, I'd
like to ask for support of SSLKEYLOGFILE in mod_ssl too.

Using that environment variable name does look like it is becoming a standard:
curl[4] does implement it like that.


 1 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
 2 - https://gnutls.org/manual/html_node/Debugging-and-auditing.html
 3 - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_keylog_callback.html
 4 - https://daniel.haxx.se/blog/2018/01/15/inspect-curls-tls-traffic/

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 63391] Provide ability to log key material for session decryption

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63391

--- Comment #1 from Joe Orton <[hidden email]> ---
So the idea would be we use that OpenSSL API unconditionally if SSLKEYLOGFILE
is set in the environment?



[Bug 63391] Provide ability to log key material for session decryption

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63391

--- Comment #2 from Hubert Kario <[hidden email]> ---
(In reply to Joe Orton from comment #1)
> So the idea would be we use that OpenSSL API unconditionally if
> SSLKEYLOGFILE is set in the environment?

yes, that's how NSS-, GnuTLS- or curl-using applications behave

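As an added example (not code from the bug report, from httpd or from OpenSSL), here is what the behaviour the report asks for and comment #2 confirms amounts to, written in Python rather than mod_ssl's C so it runs stand-alone. The OpenSSL callback named in reference [3] hands the application one already formatted NSS-style line per secret; write_keylog() does with such a line exactly what the thread proposes, appending it to the file named by SSLKEYLOGFILE and doing nothing when the variable is unset. parse_keylog() is the other half, what a decryption tool does with the file: index it by client random and distinguish a TLS 1.2 session (one CLIENT_RANDOM master secret) from a TLS 1.3 one (per-direction traffic secrets). The label names and the 32-byte client random and 48-byte master secret lengths come from the NSS Key Log Format in reference [1]; the 0600 file mode and the sample data are my own assumptions and constructions.

```python
"""Added example: both halves of an SSLKEYLOGFILE round trip (constructed data)."""
import os
import re
import tempfile
from collections import defaultdict

# Labels from the NSS Key Log Format. TLS 1.2 logs one master secret per
# session; TLS 1.3 logs separate per-direction traffic secrets.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def keylog_line(label, client_random, secret):
    """Format one entry: <label> <client random hex> <secret hex>."""
    return f"{label} {client_random.hex()} {secret.hex()}"


def write_keylog(line, path=None):
    """Mirror the proposed mod_ssl behaviour: append the line the TLS library
    produced only when SSLKEYLOGFILE is set, otherwise do nothing (False)."""
    if path is None:
        path = os.environ.get("SSLKEYLOGFILE")
    if not path:
        return False
    # O_APPEND so several worker processes sharing one file do not clobber
    # each other. Mode 0600 is an assumption (the format mandates no mode),
    # chosen because the file contents decrypt recorded traffic.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(line + "\n")
    return True


def parse_keylog(text):
    """Index a key log by client random (visible in the ClientHello on the
    wire), returning {client_random_hex: {label: secret_bytes}}."""
    secrets = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, crand, secret = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        if not _HEX.match(crand) or len(crand) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 hex bytes")
        if not _HEX.match(secret):
            raise ValueError(f"line {lineno}: secret is not hex")
        if label == TLS12_LABEL and len(secret) != 96:
            raise ValueError(f"line {lineno}: master secret must be 48 hex bytes")
        secrets[crand.lower()][label] = bytes.fromhex(secret)
    return dict(secrets)


def session_version(entry):
    """Classify one client random's entries as TLS 1.2 or TLS 1.3."""
    if TLS12_LABEL in entry:
        return "TLS1.2"
    if entry.keys() & TLS13_LABELS:
        return "TLS1.3"
    return "unknown"


def demo():
    """Constructed round trip: log a TLS 1.2 and a TLS 1.3 session through the
    environment variable, read the file back, then show that logging is off
    once the variable is unset."""
    crand12, crand13 = os.urandom(32), os.urandom(32)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sslkeys.log")
        os.environ["SSLKEYLOGFILE"] = path
        try:
            write_keylog(keylog_line(TLS12_LABEL, crand12, os.urandom(48)))
            for label in sorted(TLS13_LABELS - {"CLIENT_EARLY_TRAFFIC_SECRET"}):
                write_keylog(keylog_line(label, crand13, os.urandom(32)))
        finally:
            del os.environ["SSLKEYLOGFILE"]
        with open(path) as fh:
            log = parse_keylog(fh.read())
    return {
        "sessions": len(log),
        "versions": sorted(session_version(e) for e in log.values()),
        "logged_when_unset": write_keylog("CLIENT_RANDOM 00 00"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keying on the client random is the one the report makes about TLS 1.3: the server's long-term private key no longer recovers the session secrets, so a decryption tool must be handed the per-session secrets and match them to the ClientHello it captured. Anything with read access to the log file can do the same, so an implementation that enables logging purely from an environment variable should make that variable hard to set by accident in production.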