Posted to bugs@httpd.apache.org by bu...@apache.org on 2019/04/29 14:16:03 UTC
[Bug 63391] New: Provide ability to log key material for session decryption
https://bz.apache.org/bugzilla/show_bug.cgi?id=63391
Bug ID: 63391
Summary: Provide ability to log key material for session decryption
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: hkario@redhat.com
Target Milestone: ---
GnuTLS and NSS provide native support for SSLKEYLOGFILE[1,2], allowing seamless
support for logging the keys necessary to decrypt a TLS session for debugging.
Unfortunately, OpenSSL developers decided to expose it using an API[3], not
through an environment variable. Given that using RSA key exchange and using the
server private key to decrypt a session is no longer possible in TLS 1.3, I'd
like to ask for support of SSLKEYLOGFILE in mod_ssl too.
Using that environment variable name does look like it is becoming a standard:
curl[4] implements it like that.
1 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
2 - https://gnutls.org/manual/html_node/Debugging-and-auditing.html
3 - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_keylog_callback.html
4 - https://daniel.haxx.se/blog/2018/01/15/inspect-curls-tls-traffic/
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
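The report describes two halves of the feature: the server side, where OpenSSL hands each key-log line to the callback registered with SSL_CTX_set_keylog_callback (reference [3]) and the application appends it to the file named by SSLKEYLOGFILE; and the debugging side, where a tool reads the NSS key log format (reference [1]) back and matches lines to captured handshakes by client random. The following Python is an added example and is not code from httpd, mod_ssl or the pull request discussed later in the thread. It models the application side of the callback (logging only when SSLKEYLOGFILE is set, as GnuTLS, NSS and curl do) and a parser for the format that validates field lengths and reports malformed lines instead of dropping them silently. The label set, the 32-byte client random and the 48-byte TLS 1.2 master secret follow the NSS format as I know it; the sample lines are constructed.

```python
"""Key-log writer and parser for the NSS SSLKEYLOGFILE format (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass

# Labels of the NSS key log format: one for TLS <= 1.2, the rest for TLS 1.3.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_LABELS
_HEX = re.compile(r"^[0-9a-fA-F]+$")


class KeyLogWriter:
    """Application side of OpenSSL's keylog callback: OpenSSL passes one
    formatted line (no trailing newline); the application decides whether and
    where to store it.  Nothing is written unless SSLKEYLOGFILE is set."""

    def __init__(self, env=None):
        env = os.environ if env is None else env
        self.path = env.get("SSLKEYLOGFILE") or None

    def log_line(self, line):
        """Append one line to the key log; returns True if it was written."""
        if self.path is None:
            return False
        # Open per line in append mode: several worker processes may share
        # the file, and O_APPEND keeps each short line intact on POSIX.
        with open(self.path, "a", encoding="ascii") as fh:
            fh.write(line.rstrip("\n") + "\n")
        return True


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


def parse_keylog(text):
    """Parse key-log text into (entries, problems); bad lines go to problems."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # the format permits comments
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, rand_hex, secret_hex = parts
        if label not in KNOWN_LABELS:
            problems.append(f"line {lineno}: unknown label {label!r}")
            continue
        if not (_HEX.match(rand_hex) and len(rand_hex) == 64):
            problems.append(f"line {lineno}: client random must be 32 hex bytes")
            continue
        if not (_HEX.match(secret_hex) and len(secret_hex) % 2 == 0):
            problems.append(f"line {lineno}: secret is not valid hex")
            continue
        secret = bytes.fromhex(secret_hex)
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            problems.append(f"line {lineno}: master secret must be 48 bytes")
            continue
        entries.append(KeyLogEntry(label, bytes.fromhex(rand_hex), secret))
    return entries, problems


def index_by_session(entries):
    """Group secrets by client random, the value a decrypting tool uses to
    match a log line to a captured ClientHello."""
    sessions = {}
    for e in entries:
        sessions.setdefault(e.client_random, {})[e.label] = e.secret
    return sessions


def session_version(labels):
    """Infer the protocol version from the labels logged for one session."""
    labels = set(labels)
    if labels & TLS13_LABELS:
        return "TLS 1.3"
    if labels & TLS12_LABELS:
        return "TLS 1.2 or earlier"
    return "unknown"


def demo_roundtrip(path=None):
    """Write constructed lines through the writer, parse them back, summarise."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sslkeys.log")
    rand12, rand13 = "11" * 32, "22" * 32      # constructed client randoms
    lines = [                                   # constructed sample lines
        f"CLIENT_RANDOM {rand12} {'aa' * 48}",
        f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {rand13} {'bb' * 32}",
        f"SERVER_HANDSHAKE_TRAFFIC_SECRET {rand13} {'cc' * 32}",
        f"CLIENT_TRAFFIC_SECRET_0 {rand13} {'dd' * 32}",
        f"SERVER_TRAFFIC_SECRET_0 {rand13} {'ee' * 32}",
        f"CLIENT_RANDOM {rand13} zz",           # malformed on purpose
    ]
    disabled_wrote = KeyLogWriter(env={}).log_line(lines[0])  # no env var set
    writer = KeyLogWriter(env={"SSLKEYLOGFILE": path})
    written = sum(writer.log_line(l) for l in lines)
    with open(path, encoding="ascii") as fh:
        entries, problems = parse_keylog(fh.read())
    return {"disabled_wrote": disabled_wrote, "written": written,
            "sessions": index_by_session(entries), "problems": problems}
```

In a real server the writer's `log_line` is what the keylog callback would call for every line OpenSSL emits; the parser is the consumer's view, and its `problems` list is how a debugger notices truncated writes from concurrent workers rather than losing the session without explanation.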
--- Comment #2 from Hubert Kario <hk...@redhat.com> ---
(In reply to Joe Orton from comment #1)
> So the idea would be we use that OpenSSL API unconditionally if
> SSLKEYLOGFILE is set in the environment?
Yes, that's how NSS-, GnuTLS- or curl-using applications behave.
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
So the idea would be we use that OpenSSL API unconditionally if SSLKEYLOGFILE
is set in the environment?
Ruediger Pluem <rp...@apache.org> changed:
What       | Removed  | Added
-----------+----------+-----------------------------
Resolution | FIXED    | ---
Status     | RESOLVED | REOPENED
Keywords   |          | FixedInTrunk, PatchAvailable
--- Comment #5 from Ruediger Pluem <rp...@apache.org> ---
It is only merged to trunk, but not backported to 2.4.x yet.
Hubert Kario <hk...@redhat.com> changed:
What       | Removed  | Added
-----------+----------+---------
Status     | NEW      | RESOLVED
Resolution | ---      | FIXED
--- Comment #4 from Hubert Kario <hk...@redhat.com> ---
https://github.com/apache/httpd/pull/74 got merged
--- Comment #3 from Joe Orton <jo...@redhat.com> ---
https://github.com/apache/httpd/pull/74
Yann Ylavic <yl...@gmail.com> changed:
What       | Removed  | Added
-----------+----------+---------
Resolution | ---      | FIXED
Status     | REOPENED | RESOLVED
--- Comment #6 from Yann Ylavic <yl...@gmail.com> ---
Backported to 2.4.49.