Support SSL_CTX_set_keylog_callback #1349
Conversation
Signed-off-by: Kilian von Pflugk <github@jumoog.io>
Add a note to attach the logs as a file rather than text.
fixed error in comment
SSL_CTX_set_keylog_callback() sets the TLS key logging callback. This callback is called whenever TLS key material is generated or received, in order to allow applications to store this keying material for debugging purposes. Manpage OpenSSL: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_keylog_callback.html SSL_CTX_set_keylog_callback is added to OpenSSL_1_1_1-pre1 openssl/openssl@2faa1b4 Debugging use-case: Use Wireshark to inspect the MQTT connection at the packet level. It is helpful to decrypt the TLS packets. For this Wireshark needs the (Pre-) Master Secret. With this commit you can set the environment variable SSLKEYLOGFILE, give Wireshark the file and examine the decrypted MQTT packets. https://wiki.wireshark.org/TLS Signed-off-by: Patrick Mueller <patrick.mueller3@zf.com>
PatrickHMueller
force-pushed
the
feat/support_SSLKEYLOGFILE
branch
from
165a4a2
to
2b976c1
Compare
|
I see "2 workflows awaiting approval" what are the next steps to do? @icraggs can you help me it's the first PR for this project |
Async sample callback context fix.
Signed-off-by: Michael Bleis <michael.bleis@aracom.de>
| fptr = fopen(sslkeylogfile, "at"); | ||
| if (fptr) | ||
| { | ||
| fprintf(fptr, "%s\n", line); |
There was a problem hiding this comment.
I went through and verified that this is the format that we should be logging, according to the OpenSSL docs:
The key logging callback is called with two items: the ssl object associated with the connection, and line, a string containing the key material in the format used by NSS for its SSLKEYLOGFILE debugging output. To recreate that file, the key logging callback should log line, followed by a newline. line will always be a NULL-terminated string.
| FILE *fptr; | ||
|
|
||
| fptr = fopen(sslkeylogfile, "at"); | ||
| if (fptr) |
There was a problem hiding this comment.
It would be nice to have an error log if the file failed to open, for example due to a permissions problem
- Error log if keylog file can't be opened.
SSL_CTX_set_keylog_callback() sets the TLS key logging callback. This callback is called whenever TLS key material is generated or received, in order to allow applications to store this keying material for debugging purposes.
Manpage OpenSSL:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_keylog_callback.html
Debugging use-case:
Use Wireshark to inspect the MQTT connection at the packet level. It is helpful to decrypt the TLS packets. For this Wireshark needs the (Pre-) Master Secret. With this commit you can set the environment variable SSLKEYLOGFILE, give Wireshark the file and examine the decrypted MQTT packets.
https://wiki.wireshark.org/TLS
Thank you for your interest in this project managed by the Eclipse Foundation.
The guidelines for contributions can be found in the CONTRIBUTING.md file.
At a minimum, you must sign the Eclipse ECA, and sign off each commit.
To complete and submit a ECA, log into the Eclipse projects forge
You will need to create an account with the Eclipse Foundation if you have not already done so.
Be sure to use the same email address when you register for the account that you intend to use when you commit to Git.
Go to https://accounts.eclipse.org/user/eca to sign the Eclipse ECA.