Bug 63391 - Provide ability to log key material for session decryption
Summary: Provide ability to log key material for session decryption
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-29 14:16 UTC by Hubert Kario
Modified: 2019-11-14 14:29 UTC
Description Hubert Kario 2019-04-29 14:16:03 UTC
GnuTLS and NSS provide native support for SSLKEYLOGFILE[1,2], allowing seamless support for logging keys necessary to decrypt the TLS session for debugging.

Unfortunately OpenSSL developers decided to expose it using an API[3], not through an environment variable. Given that using RSA key exchange and using the server private key to decrypt a session is no longer possible in TLS 1.3, I'd like to ask for support of SSLKEYLOGFILE in mod_ssl too.

Using that environment variable name does look like it is becoming a standard: curl[4] does implement it like that.


 1 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
 2 - https://gnutls.org/manual/html_node/Debugging-and-auditing.html
 3 - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_keylog_callback.html
 4 - https://daniel.haxx.se/blog/2018/01/15/inspect-curls-tls-traffic/
Comment 1 Joe Orton 2019-04-29 16:29:39 UTC
So the idea would be we use that OpenSSL API unconditionally if SSLKEYLOGFILE is set in the environment?
Comment 2 Hubert Kario 2019-04-30 12:57:26 UTC
(In reply to Joe Orton from comment #1)
> So the idea would be we use that OpenSSL API unconditionally if
> SSLKEYLOGFILE is set in the environment?

yes, that's how NSS-, GnuTLS- or curl-using applications behave
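The wiring agreed in comments 1 and 2 (register the OpenSSL keylog callback only when SSLKEYLOGFILE is set in the environment), as an added example that is not part of this report or of httpd. It is written against CPython's ssl module, whose SSLContext.keylog_filename is implemented on top of the SSL_CTX_set_keylog_callback API cited in the description, and it adds the check a practitioner wants once such a log exists: a strict parser for the NSS key log format from [1] that reports which sessions carry enough TLS 1.2 or TLS 1.3 material to be decrypted. The function names, the owner-only pre-creation of the log file and the sample log are this example's own choices; the sample contains no real key material.

```python
"""Added example (not httpd code): honour SSLKEYLOGFILE on an OpenSSL-backed TLS
context and sanity-check the NSS-format key log it produces. CPython's
ssl.SSLContext.keylog_filename wraps SSL_CTX_set_keylog_callback."""
import os
import re
import ssl
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional, Set

# Labels from the NSS key log format. CLIENT_RANDOM carries the 48-byte TLS <= 1.2
# master secret; the TLS 1.3 labels carry secrets whose length is the hash length
# of the negotiated suite (32 bytes for SHA-256, 48 for SHA-384).
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = frozenset({
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
})
# Minimum TLS 1.3 set needed to decrypt both directions from the handshake onward.
TLS13_REQUIRED = frozenset({
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
})
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def keylog_path_from_env(environ: Mapping[str, str] = os.environ) -> Optional[str]:
    """The behaviour requested for mod_ssl: log only if SSLKEYLOGFILE is set and non-empty."""
    return environ.get("SSLKEYLOGFILE") or None


def configure_keylog(ctx: ssl.SSLContext,
                     environ: Mapping[str, str] = os.environ) -> Optional[str]:
    """Enable key logging on ctx when SSLKEYLOGFILE is set; returns the path used.

    keylog_filename opens the file in append mode with umask permissions, so this
    example pre-creates it owner-only (0600): its contents decrypt recorded traffic.
    An existing file keeps whatever mode it already has.
    """
    path = keylog_path_from_env(environ)
    if path is None:
        return None
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600))
    ctx.keylog_filename = path  # registers OpenSSL's keylog callback for this context
    return path


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: str  # 32 bytes, lowercase hex
    secret: str         # lowercase hex


def parse_keylog(lines: Iterable[str]) -> List[KeyLogEntry]:
    """Parse NSS key log lines strictly; a malformed line raises ValueError.

    Blank lines and '#' comments are skipped. Legacy 'RSA' lines are keyed by the
    encrypted premaster secret instead of the client random and are skipped here;
    the CLIENT_RANDOM line for the same session is what decryption tools use.
    """
    entries: List[KeyLogEntry] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, client_random, secret = parts
        if label == "RSA":
            continue
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        if not _HEX.match(client_random) or len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random is not 32 bytes of hex")
        if not _HEX.match(secret):
            raise ValueError(f"line {lineno}: secret is not hex")
        expected = (96,) if label == TLS12_LABEL else (64, 96)
        if len(secret) not in expected:
            raise ValueError(f"line {lineno}: {label} secret is {len(secret) // 2} bytes")
        entries.append(KeyLogEntry(label, client_random.lower(), secret.lower()))
    return entries


def decryptable_sessions(entries: Iterable[KeyLogEntry]) -> Dict[str, str]:
    """Map client random -> 'tls12' | 'tls13' for sessions with enough logged
    material to decrypt application data. Sessions with only part of the TLS 1.3
    set (a truncated log, a handshake that never completed) are left out."""
    labels_by_session: Dict[str, Set[str]] = {}
    for e in entries:
        labels_by_session.setdefault(e.client_random, set()).add(e.label)
    result: Dict[str, str] = {}
    for client_random, labels in labels_by_session.items():
        if TLS12_LABEL in labels:
            result[client_random] = "tls12"
        elif TLS13_REQUIRED <= labels:
            result[client_random] = "tls13"
    return result


# Constructed sample log (no real key material): one TLS 1.2 session, one complete
# TLS 1.3 session with a SHA-256 suite, one TLS 1.3 session that stopped after the
# handshake secrets.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real key material",
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'22' * 32} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'22' * 32} {'b4' * 32}",
    f"EXPORTER_SECRET {'22' * 32} {'b5' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c2' * 32}",
])

if __name__ == "__main__":
    for client_random, version in decryptable_sessions(parse_keylog(SAMPLE_KEYLOG.splitlines())).items():
        print(f"{version}: {client_random}")
```

In a server such as httpd the same wiring belongs where the SSL_CTX is created, before worker processes drop privileges, and the file has to be appendable by the user the workers run as. Everything written to it decrypts the recorded traffic of every session, so the variable should only be exported for a debugging run and the resulting file handled like a private key.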
Comment 3 Joe Orton 2019-11-14 14:29:02 UTC
https://github.com/apache/httpd/pull/74