Posted to cvs@httpd.apache.org by rp...@apache.org on 2021/09/08 06:55:41 UTC
svn commit: r1893099 - in /httpd/httpd/branches/2.4.x: ./ STATUS
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Author: rpluem
Date: Wed Sep 8 06:55:40 2021
New Revision: 1893099
URL: http://svn.apache.org/viewvc?rev=1893099&view=rev
Log:
Merge r1869842 from trunk:
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
PR: 63391
Github: closes #74
Submitted by: jorton
Reviewed by: rpluem, ylavic, jorton
Github: closes #264
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1869842
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1893099&r1=1893098&r2=1893099&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed Sep 8 06:55:40 2021
@@ -141,15 +141,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Support logging private key material for use with
- wireshark via log file given by SSLKEYLOGFILE environment
- variable. Requires OpenSSL 1.1.1. PR 63391.
- Trunk version of patch:
- https://svn.apache.org/r1869842
- Backport version for 2.4.x of patch:
- https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/264.diff
- +1: rpluem, ylavic, jorton
-
*) core: scoreboard.c method check
trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1878092
2.4.x patch: svn merge -c 1878092 ^/httpd/httpd/trunk .
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1893099&r1=1893098&r2=1893099&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Wed Sep 8 06:55:40 2021
@@ -75,6 +75,10 @@ SSLModConfigRec *ssl_config_global_creat
mc->stapling_refresh_mutex = NULL;
#endif
+#ifdef HAVE_OPENSSL_KEYLOG
+ mc->keylog_file = NULL;
+#endif
+
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
apr_pool_cleanup_null,
pool);
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1893099&r1=1893098&r2=1893099&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Wed Sep 8 06:55:40 2021
@@ -445,6 +445,28 @@ apr_status_t ssl_init_Module(apr_pool_t
init_bio_methods();
#endif
+#ifdef HAVE_OPENSSL_KEYLOG
+ {
+ const char *logfn = getenv("SSLKEYLOGFILE");
+
+ if (logfn) {
+ rv = apr_file_open(&mc->keylog_file, logfn,
+ APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
+ APR_FPROT_UREAD|APR_FPROT_UWRITE,
+ mc->pPool);
+ if (rv) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
+ "Could not open log file '%s' configured via SSLKEYLOGFILE",
+ logfn);
+ return rv;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
+ "Init: Logging SSL private key material to %s", logfn);
+ }
+ }
+#endif
+
return OK;
}
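Review bot: The 0600 mode passed to apr_file_open in the new SSLKEYLOGFILE block only takes effect when the file is created; a pre-existing file at that path keeps whatever permissions it already has, and since APR_FOPEN_EXCL is not set a symlink there is followed, so the logged key material can end up in a file readable by others. Because ssl_init_Module runs at startup, presumably under the identity httpd is started as rather than the child User, a comment above the open should say this rather than leaving it implicit: `/* 0600 applies only if we create the file; an existing file (or symlink target) keeps its mode -- the admin must ensure it is private. */`. The NOTICE logged on success is a useful audit trail; as a style point the failure test would read better as `if (rv != APR_SUCCESS)`, matching the APR convention used elsewhere. ssl_init_Module begins outside the hunk, so `rv` and `s` are assumed to be the function's apr_status_t and server_rec.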
@@ -806,6 +828,12 @@ static apr_status_t ssl_init_ctx_protoco
* https://github.com/openssl/openssl/issues/7178 */
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
#endif
+
+#ifdef HAVE_OPENSSL_KEYLOG
+ if (mctx->sc->mc->keylog_file) {
+ SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
+ }
+#endif
return APR_SUCCESS;
}
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1893099&r1=1893098&r2=1893099&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Wed Sep 8 06:55:40 2021
@@ -2822,3 +2822,17 @@ int ssl_callback_SRPServerParams(SSL *ss
}
#endif /* HAVE_SRP */
+
+
+#ifdef HAVE_OPENSSL_KEYLOG
+/* Callback used with SSL_CTX_set_keylog_callback. */
+void modssl_callback_keylog(const SSL *ssl, const char *line)
+{
+ conn_rec *conn = SSL_get_app_data(ssl);
+ SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
+
+ if (sc && sc->mc->keylog_file) {
+ apr_file_printf(sc->mc->keylog_file, "%s\n", line);
+ }
+}
+#endif
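Review bot: `conn` from SSL_get_app_data is dereferenced on the very next line of modssl_callback_keylog, while the later condition guards only `sc`; I cannot confirm from this hunk that every SSL object created on these contexts has a conn_rec as app data, and if one does not, the keylog path is a NULL dereference. A one-line guard covers it: `if (!conn) return;` before `mySrvConfig(conn->base_server)`. The return value of apr_file_printf is also discarded, so a failed write silently drops a line; for a debugging aid that may be intended, but it deserves a comment such as `/* Write failures are ignored: the key log is best-effort debugging output. */`. The handle was opened unbuffered in append mode and each line goes out in a single apr_file_printf call, so interleaving between worker threads or processes is unlikely, but nothing in this code guarantees it.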
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1893099&r1=1893098&r2=1893099&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Wed Sep 8 06:55:40 2021
@@ -252,6 +252,10 @@ void free_bio_methods(void);
#endif
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define HAVE_OPENSSL_KEYLOG
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -620,6 +624,10 @@ typedef struct {
apr_global_mutex_t *stapling_cache_mutex;
apr_global_mutex_t *stapling_refresh_mutex;
#endif
+#ifdef HAVE_OPENSSL_KEYLOG
+ /* Used for logging if SSLKEYLOGFILE is set at startup. */
+ apr_file_t *keylog_file;
+#endif
} SSLModConfigRec;
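Review bot: The comment on the new `keylog_file` member says when it is set but not what it holds or who writes to it; since the callback writes one line of TLS key material per invocation through this single handle reached via `sc->mc`, it appears to be shared by every server config and connection, and that is worth stating next to the field. Suggested replacement: `/* Append-mode handle for the TLS key log (secret key material, one line per keylog callback); NULL unless SSLKEYLOGFILE was set in the environment at startup. Appears to be shared by all server configs and connections. */`. The SSLModConfigRec definition starts outside the hunk.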
/** Structure representing configured filenames for certs and keys for
@@ -979,6 +987,11 @@ int ssl_stapling_init_cert(serv
int ssl_callback_SRPServerParams(SSL *, int *, void *);
#endif
+#ifdef HAVE_OPENSSL_KEYLOG
+/* Callback used with SSL_CTX_set_keylog_callback. */
+void modssl_callback_keylog(const SSL *ssl, const char *line);
+#endif
+
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);