Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/06/21 09:08:34 UTC

[tomcat-native] branch master updated (02fcf97 -> 38f345d)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git.


    from 02fcf97  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63500
     new e55f56a  Add support for TLS key logging
     new 38f345d  Add support for TLS key logging when using OpenSSL 1.1.1 or later.

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 native/include/ssl_private.h      |  7 +++++++
 native/src/ssl.c                  | 44 +++++++++++++++++++++++++++++++++++++++
 native/src/sslcontext.c           |  4 ++++
 xdocs/miscellaneous/changelog.xml |  5 +++++
 4 files changed, 60 insertions(+)




[tomcat-native] 01/02: Add support for TLS key logging

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit e55f56a28753c6abe3a9198a53b4de0c9a0ffc9a
Author: John Kelly <jo...@gmail.com>
AuthorDate: Tue May 21 12:08:18 2019 +0100

    Add support for TLS key logging
---
 native/include/ssl_private.h |  7 +++++++
 native/src/ssl.c             | 44 ++++++++++++++++++++++++++++++++++++++++++++
 native/src/sslcontext.c      |  4 ++++
 3 files changed, 55 insertions(+)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index d640e26..d88e393 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -241,6 +241,10 @@
 #define TLS_server_method                SSLv23_server_method
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#define HAVE_KEYLOG_CALLBACK
+#endif
+
 #define MAX_ALPN_NPN_PROTO_SIZE 65535
 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL            1
 
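Review bot: The new guard `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` also defines HAVE_KEYLOG_CALLBACK under LibreSSL, which reports OPENSSL_VERSION_NUMBER as 0x20000000L while not necessarily providing SSL_CTX_set_keylog_callback, so a LibreSSL build would fail at the call in ssl.c. The guard two lines above in this same hunk already special-cases `defined(LIBRESSL_VERSION_NUMBER)`, so the new one should follow suit: `#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)`. Because the second hunk of this file and every hunk in ssl.c and sslcontext.c key off HAVE_KEYLOG_CALLBACK rather than repeating the version test, this one change covers them all.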
@@ -387,6 +391,9 @@ int         SSL_rand_seed(const char *file);
 int         SSL_callback_next_protos(SSL *, const unsigned char **, unsigned int *, void *);
 int         SSL_callback_select_next_proto(SSL *, unsigned char **, unsigned char *, const unsigned char *, unsigned int,void *);
 int         SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
+#ifdef HAVE_KEYLOG_CALLBACK
+void        SSL_callback_add_keylog(SSL_CTX *);
+#endif
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) && ! (defined(WIN32) || defined(WIN64))
 unsigned long SSL_ERR_get(void);
diff --git a/native/src/ssl.c b/native/src/ssl.c
index e4a5f76..9dbdcd4 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -34,6 +34,18 @@ extern apr_pool_t *tcn_global_pool;
 ENGINE *tcn_ssl_engine = NULL;
 tcn_pass_cb_t tcn_password_callback;
 
+#ifdef HAVE_KEYLOG_CALLBACK
+static BIO *key_log_file = NULL;
+
+static void ssl_keylog_callback(const SSL *ssl, const char *line)
+{
+    if (key_log_file && line && *line) {
+        BIO_puts(key_log_file, line);
+        BIO_puts(key_log_file, "\n");
+    }
+}
+#endif
+
 /* From netty-tcnative */
 static jclass byteArrayClass;
 static jclass stringClass;
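Review bot: ssl_keylog_callback writes each record as two separate `BIO_puts` calls, and since SSL.initialize later makes the underlying FILE unbuffered (`setvbuf(file, NULL, _IONBF, 0)`), each call is its own write; handshakes completing on different threads can therefore interleave, producing lines without a newline or newlines on their own. Emitting the record in one call, `BIO_printf(key_log_file, "%s\n", line);`, keeps each line intact in the common case; if strict atomicity is wanted the writes need a lock, which the hunk does not add. The `ssl` parameter is unused and should be marked as such, `(void)ssl;`, to keep -Wunused-parameter quiet.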
@@ -286,6 +298,15 @@ static void free_dh_params(void)
     }
 }
 
+#ifdef HAVE_KEYLOG_CALLBACK
+void SSL_callback_add_keylog(SSL_CTX *ctx)
+{
+    if (key_log_file) {
+        SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
+    }
+}
+#endif
+
 /* Hand out the same DH structure though once generated as we leak
  * memory otherwise and freeing the structure up after use would be
  * hard to track and in fact is not needed at all as it is safe to
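Review bot: SSL_callback_add_keylog silently does nothing when `key_log_file` is NULL, and nothing at the definition says that the file is only opened in SSL.initialize from the SSLKEYLOGFILE environment variable, so a reader of sslcontext.c cannot tell why a context may end up without the callback. A short header comment would close that gap: `/* Registers the key log callback on ctx if SSL.initialize opened a log from SSLKEYLOGFILE; otherwise a no-op. */`.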
@@ -373,6 +394,13 @@ static apr_status_t ssl_init_cleanup(void *data)
     ERR_remove_thread_state(NULL);
 #endif
 
+#ifdef HAVE_KEYLOG_CALLBACK
+    if (key_log_file) {
+        BIO_free(key_log_file);
+        key_log_file = NULL;
+    }
+#endif
+
     /* Don't call ERR_free_strings here; ERR_load_*_strings only
      * actually load the error strings once per process due to static
      * variable abuse in OpenSSL. */
@@ -846,6 +874,22 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
     sClazz = (*e)->FindClass(e, "java/lang/String");
     stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
 
+#ifdef HAVE_KEYLOG_CALLBACK
+    if (!key_log_file) {
+        char *key_log_file_name = getenv("SSLKEYLOGFILE");
+        if (key_log_file_name) {
+            FILE *file = fopen(key_log_file_name, "a");
+            if (file) {
+                if (setvbuf(file, NULL, _IONBF, 0)) {
+                    fclose(file);
+                } else {
+                    key_log_file = BIO_new_fp(file, BIO_CLOSE);
+                }
+            }
+        }
+    }
+#endif
+
     return (jint)APR_SUCCESS;
 }
 
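Review bot: The key log is created with `fopen(key_log_file_name, "a")`, which gives the file the process's default umask permissions, yet its contents allow anyone who can read it to decrypt every recorded TLS session; the file should be created owner-only, for example `int fd = open(key_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0600);` followed by `FILE *file = fdopen(fd, "a");` on POSIX (this file is also built for WIN32/WIN64 per ssl_private.h, so that path would need its own branch). Separately, the feature is enabled purely by an inherited environment variable and leaves no trace, so an operator has no indication that session keys are being written; logging a warning through the module's existing logging when the BIO is opened would make accidental enablement in production visible. SSL.initialize begins outside this hunk.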
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 1e82fa2..1d584f7 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -228,6 +228,10 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         goto init_failed;
     }
 
+#ifdef HAVE_KEYLOG_CALLBACK
+    SSL_callback_add_keylog(ctx);
+#endif
+
     c->protocol = protocol;
     c->mode     = mode;
     c->ctx      = ctx;




[tomcat-native] 02/02: Add support for TLS key logging when using OpenSSL 1.1.1 or later.

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit 38f345d1e4529090b94b4ecd6ff6849c5fd06b22
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Jun 21 10:08:04 2019 +0100

    Add support for TLS key logging when using OpenSSL 1.1.1 or later.
    
    If the environment variable SSLKEYLOGFILE is set then the TLS keys will
    be logged to that file.
    Patch provided by John Kelly.
---
 xdocs/miscellaneous/changelog.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index bd2ea01..66863e2 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -49,6 +49,11 @@
       <bug>63500</bug>: Fix JVM crash on Connector start when a certificate
       revocation file or path is specified for OpenSSL. (markt)
     </fix>
+    <add>
+      Add support for TLS key logging when using OpenSSL 1.1.1 or later. If the
+      environment variable SSLKEYLOGFILE is set then the TLS keys will be logged
+      to that file. Patch provided by John Kelly. (markt)
+    </add>
   </changelog>
 </section>
 <section name="Changes in 1.2.21">

