[PATCH] SSL: Added SSLKEYLOGFILE key material to debug logging
Maxim Dounin
mdounin at mdounin.ru
Wed Jan 24 09:20:59 UTC 2024
Hello!
On Sun, Jan 21, 2024 at 10:37:24AM +0000, J Carter wrote:
> # HG changeset patch
> # User J Carter <jordanc.carter at outlook.com>
> # Date 1705832811 0
> # Sun Jan 21 10:26:51 2024 +0000
> # Node ID b00332a5253eefb53bacc024c72f55876c2eac6e
> # Parent ee40e2b1d0833b46128a357fbc84c6e23be9be07
> SSL: Added SSLKEYLOGFILE key material to debug logging.
>
> This patch also introduces the debug_keylog error log level flag, which
> may be used to granularly enable or omit logging of key material via
> error level flags (note, it's always enabled when using
> debug_connection).
>
> Each line of key material is output to the error log as a separate log
> message, and is prepended with 'ssl keylog: ' for convenient extraction.
>
> The purpose of logging key material is to allow external tools, such as
> wireshark/tshark, to decrypt captured TLS connections in all situations.
>
> Previously, only TLS 1.2 (and below) connections could be decrypted
> when specific cipher suites were used, and when the decrypter had
> access to the acting server's TLS certificates and keys. It was not
> possible to decrypt TLS 1.3 traffic without generating SSLKEYLOGFILE on
> the peer, or by using other hacks on the nginx host (using GDB, or patched ssl
> libraries).
Thanks for the patch.
Logging session keying material is known to be problematic from an
ethical point of view. As such, I would rather avoid introducing
relevant functionality in nginx.
[...]
--
Maxim Dounin
http://mdounin.ru/
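As an added example that is not part of the patch or of this thread: a small Python helper for an operator who has such logging enabled, which finds the 'ssl keylog: ' lines described in the commit message, renders them in the SSLKEYLOGFILE layout tshark reads, and redacts them so the remaining error log can be retained without key material. Only the marker string comes from the patch description; the nginx log line prefix and all sample values are constructed here.

```python
import re

# NSS key log labels that Wireshark/tshark understand (TLS 1.2 and TLS 1.3).
KEYLOG_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

# The 'ssl keylog: ' marker is from the patch description; what follows it is an
# NSS key log line: LABEL, 32-byte client random as hex, secret as hex bytes.
KEYLOG_RE = re.compile(
    r"ssl keylog: (?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) "
    r"(?P<secret>(?:[0-9a-fA-F]{2})+)[ \t]*$", re.MULTILINE)

# Constructed sample log. Only the marker is from the patch; the timestamp/pid/
# connection prefix is nginx's usual error log layout (assumed here).
_R1, _R2, _S1, _S2 = "ab" * 32, "12" * 32, "cd" * 48, "ef" * 48
_P = "2024/01/21 10:26:51 [debug] 1234#0:"
SAMPLE_LOG = "\n".join([
    f"{_P} *1 SSL_do_handshake: -1",
    f"{_P} *1 ssl keylog: CLIENT_HANDSHAKE_TRAFFIC_SECRET {_R1} {_S1}",
    f"{_P} *1 ssl keylog: SERVER_HANDSHAKE_TRAFFIC_SECRET {_R1} {_S1}",
    f"{_P} *1 ssl keylog: CLIENT_TRAFFIC_SECRET_0 {_R1} {_S1}",
    f"{_P} *1 ssl keylog: SERVER_TRAFFIC_SECRET_0 {_R1} {_S1}",
    f"{_P} *2 ssl keylog: CLIENT_RANDOM {_R2} {_S2}",
    f"{_P} *2 ssl keylog: BOGUS_LABEL zz not-hex",   # malformed, must be ignored
    f"{_P} *3 client closed connection",
])

def extract_keylog(log_text):
    """Return (label, client_random, secret) for each well-formed keylog line."""
    records = []
    for m in KEYLOG_RE.finditer(log_text):
        if m.group("label") in KEYLOG_LABELS:
            records.append((m.group("label"), m.group("random").lower(),
                            m.group("secret").lower()))
    return records

def to_sslkeylogfile(records):
    """Render records in the SSLKEYLOGFILE layout read by tshark's tls.keylog_file."""
    return "".join(f"{label} {rnd} {secret}\n" for label, rnd, secret in records)

def redact_keylog(log_text):
    """Blank the secret of every keylog-shaped line (any label); returns (text, n)."""
    def _mask(m):
        return f"ssl keylog: {m.group('label')} {m.group('random')} <redacted>"
    return KEYLOG_RE.subn(_mask, log_text)
```

The client random is kept in the redacted output so a session can still be correlated with a capture, while the secret itself is gone.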