Re: [PATCH] SSL: Added SSLKEYLOGFILE key material to debug logging

J Carter
January 24, 2024 07:18AM
Hello,

Thanks for the feedback.

On Wed, 24 Jan 2024 12:20:59 +0300
Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Sun, Jan 21, 2024 at 10:37:24AM +0000, J Carter wrote:
>
> > # HG changeset patch
> > # User J Carter <jordanc.carter@outlook.com>
> > # Date 1705832811 0
> > # Sun Jan 21 10:26:51 2024 +0000
> > # Node ID b00332a5253eefb53bacc024c72f55876c2eac6e
> > # Parent ee40e2b1d0833b46128a357fbc84c6e23be9be07
> > SSL: Added SSLKEYLOGFILE key material to debug logging.
> >
> > This patch also introduces the debug_keylog error log level flag, which
> > may be used to granularly enable or omit logging of key material via
> > error level flags (note, it's always enabled when using
> > debug_connection).
> >
> > Each line of key material is output to the error log as a separate log
> > message, and is prepended with 'ssl keylog: ' for convenient extraction.
> >
> > The purpose of logging key material is to allow external tools, such as
> > wireshark/tshark, to decrypt captured TLS connections in all situations.
> >
> > Previously, only TLS 1.2 (and below) connections could be decrypted
> > when specific cipher suites were used, and when the decrypter had
> > access to the acting server's TLS certificates and keys. It was not
> > possible to decrypt TLS 1.3 traffic without generating SSLKEYLOGFILE on
> > peer, or by using other hacks on nginx host (using GDB, or patched ssl
> > libraries).
>
> Thanks for the patch.
>
> Logging session keying material is known to be problematic from an
> ethical point of view. As such, I would rather avoid introducing
> relevant functionality in nginx.
>
> [...]
>

Could you expand upon your ethical concerns around logging key
material over, say, logging / storing to disk request or response content
directly from nginx?

It'd be good to have clarity for future contributions.


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
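The commit message quoted above says each key material line is written to the error log as its own message prefixed with 'ssl keylog: ' so it can be extracted. The following is an added example, not code from the patch or the thread, of that extraction: it assumes nginx's usual error log layout (date, time, [level], pid#tid, *connection id, message), keeps only entries that are well-formed NSS key log lines, and groups them by nginx connection id. All hex values in the sample log are constructed.

```python
import re

# Constructed nginx error log excerpt; the 'ssl keylog: ' prefix is the one the
# patch message describes, the hex values are made up.
CR1, CR2 = "aa" * 32, "cc" * 32      # 32-byte client randoms (64 hex chars)
S32, S48 = "bb" * 32, "dd" * 48      # TLS 1.3 secret / TLS 1.2 master secret
SAMPLE_LOG = "\n".join([
    "2024/01/21 10:26:51 [debug] 1234#1234: *7 SSL_do_handshake: -1",
    f"2024/01/21 10:26:51 [debug] 1234#1234: *7 ssl keylog: CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR1} {S32}",
    f"2024/01/21 10:26:51 [debug] 1234#1234: *7 ssl keylog: SERVER_HANDSHAKE_TRAFFIC_SECRET {CR1} {S32}",
    f"2024/01/21 10:26:51 [debug] 1234#1234: *7 ssl keylog: CLIENT_TRAFFIC_SECRET_0 {CR1} {S32}",
    f"2024/01/21 10:26:51 [debug] 1234#1234: *7 ssl keylog: SERVER_TRAFFIC_SECRET_0 {CR1} {S32}",
    f"2024/01/21 10:26:52 [debug] 1234#1234: *8 ssl keylog: CLIENT_RANDOM {CR2} {S48}",
    "2024/01/21 10:26:52 [debug] 1234#1234: *9 ssl keylog: CLIENT_RANDOM deadbeef short",
    "2024/01/21 10:26:52 [info] 1234#1234: *9 client closed connection",
])

# NSS key log labels: CLIENT_RANDOM carries a TLS 1.2 master secret, the others
# carry the TLS 1.3 early/handshake/traffic/exporter secrets.
NSS_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Assumed nginx error log layout: "date time [level] pid#tid: *cid message".
LOG_LINE = re.compile(r"^\S+ \S+ \[\w+\] \d+#\d+: \*(?P<cid>\d+) ssl keylog: (?P<entry>.*)$")
# NSS key log entry: label, 32-byte client random, whole-byte hex secret.
NSS_ENTRY = re.compile(r"^(?P<label>[A-Z_0-9]+) [0-9a-f]{64} (?:[0-9a-f]{2})+$")

def extract_keylog(log_text):
    """Return (nss_lines, labels_per_connection, rejected_count) for an error log.

    nss_lines keeps the entries in log order; malformed entries (truncated
    hex, unknown label) are counted in rejected_count instead of being emitted.
    """
    nss_lines, per_connection, rejected = [], {}, 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                          # not a keylog message
        e = NSS_ENTRY.match(m["entry"])
        if not e or e["label"] not in NSS_LABELS:
            rejected += 1                     # garbled or truncated entry
            continue
        nss_lines.append(m["entry"])
        per_connection.setdefault(m["cid"], []).append(e["label"])
    return nss_lines, per_connection, rejected

def to_sslkeylogfile(nss_lines):
    """Serialise entries one per line, the layout a (Pre)-Master-Secret log file uses."""
    return "".join(entry + "\n" for entry in nss_lines)
```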
Thread (Subject | Author | Views | Posted):

[PATCH] SSL: Added SSLKEYLOGFILE key material to debug logging | J Carter | 343 | January 21, 2024 05:40AM
Re: [PATCH] SSL: Added SSLKEYLOGFILE key material to debug logging | Maxim Dounin | 118 | January 24, 2024 04:22AM
Re: [PATCH] SSL: Added SSLKEYLOGFILE key material to debug logging | Stephen Farrell | 116 | January 24, 2024 05:52AM
Re: [PATCH] SSL: Added SSLKEYLOGFILE key material to debug logging | J Carter | 123 | January 24, 2024 07:18AM
