GnuTLS and NSS provide native support for SSLKEYLOGFILE[1,2], allowing seamless support for logging the keys necessary to decrypt the TLS session for debugging. Unfortunately OpenSSL developers decided to expose it using an API[3], not through an environment variable. Given that using RSA key exchange and using the server private key to decrypt a session is no longer possible in TLS 1.3, I'd like to ask for support of SSLKEYLOGFILE in mod_ssl too. Using that environment variable name does look like it is becoming a standard: curl[4] does implement it like that.

1 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
2 - https://gnutls.org/manual/html_node/Debugging-and-auditing.html
3 - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_keylog_callback.html
4 - https://daniel.haxx.se/blog/2018/01/15/inspect-curls-tls-traffic/
So the idea would be we use that OpenSSL API unconditionally if SSLKEYLOGFILE is set in the environment?
(In reply to Joe Orton from comment #1)
> So the idea would be we use that OpenSSL API unconditionally if
> SSLKEYLOGFILE is set in the environment?

Yes, that's how NSS-, GnuTLS- or curl-using applications behave.
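As an added example, not code from this thread or from httpd: the env-var-gated use of OpenSSL's keylog callback that the thread proposes, written in Python (whose ssl module wraps SSL_CTX_set_keylog_callback as SSLContext.keylog_filename), together with a checker for the NSS key log format the callback produces, so a captured file can be validated before it is handed to a decryption tool. The label and secret-length rules follow the NSS key log format; the helper names are my own.

```python
import os
import re
import ssl
from collections import defaultdict

# NSS key log labels. CLIENT_RANDOM carries the 48-byte TLS <= 1.2 master
# secret; the TLS 1.3 labels carry a hash-sized secret (32 or 48 bytes).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TRAFFIC = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-f]{64}) ([0-9a-f]+)$")

def enable_keylog_from_env(ctx: ssl.SSLContext) -> bool:
    """The behaviour proposed for mod_ssl: only when SSLKEYLOGFILE is set,
    hand its path to OpenSSL's keylog callback (Python's ssl module exposes
    SSL_CTX_set_keylog_callback as SSLContext.keylog_filename)."""
    path = os.environ.get("SSLKEYLOGFILE")
    if not path:
        return False
    ctx.keylog_filename = path
    return True

def parse_keylog(text: str) -> dict:
    """Validate a key log and report, per client_random, the TLS version the
    secrets belong to and whether application data can be decrypted
    (TLS 1.3 needs both *_TRAFFIC_SECRET_0 entries)."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed key log entry")
        label, client_random, secret = m.groups()
        # 48-byte master secret for CLIENT_RANDOM; hash-sized secret for TLS 1.3
        ok_len = (96,) if label == "CLIENT_RANDOM" else (64, 96) if label in TLS13_LABELS else ()
        if len(secret) not in ok_len:
            raise ValueError(f"line {lineno}: unknown label or wrong secret length")
        sessions[client_random][label] = secret
    return {cr: {"version": "<=1.2", "decryptable": True} if "CLIENT_RANDOM" in labels
            else {"version": "1.3", "decryptable": TRAFFIC <= set(labels)}
            for cr, labels in sessions.items()}
```

A TLS 1.3 session whose log stopped after the handshake secrets shows up as not decryptable, which is the usual reason a Wireshark capture stays opaque despite a populated key log.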
https://github.com/apache/httpd/pull/74