envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Support SSL keylog with QUIC #35339

Open bkeshari opened 3 months ago

bkeshari commented 3 months ago

Support SSL keylog with QUIC

Currently, although the 'key_log' configuration is accepted without any errors or warnings, it doesn't work as expected with QUIC. Only the file gets generated, but without any content. This functionality would be very useful for troubleshooting and understanding behaviours/issues.

Example configuration:

- transport_socket:
    name: envoy.transport_sockets.quic
    typed_config:
      '@type': type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
      downstream_tls_context:
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: ./certs/servercert.pem
            private_key:
              filename: ./certs/serverkey.pem
          key_log:
            path: ./key_log_file

After discussing with Greg Greenway, this seems to be a known limitation in TLS context config with QUIC transport sockets (#25418).
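A quick way to confirm whether a generated key_log file is actually usable, rather than the empty file reported above, as an added example that is not part of this issue or of Envoy: it parses the NSS key log format that BoringSSL writes, requires the TLS 1.3 secrets a QUIC handshake produces, and for a file on disk also flags loose permissions. The sample lines are constructed placeholders, not a real capture.

```python
import os
import re
import stat
from collections import Counter

# Labels BoringSSL writes for a TLS 1.3 handshake; QUIC always uses TLS 1.3,
# so a working key_log for the QUIC listener must contain these.
REQUIRED_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                   "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# NSS key log line: LABEL <32-byte client_random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample (placeholder bytes, not a real capture) of one TLS 1.3 handshake.
SAMPLE = "\n".join(f"{label} {'ab' * 32} {'cd' * 32}"
                   for label in sorted(REQUIRED_LABELS | {"EXPORTER_SECRET"}))


def parse_keylog(text):
    """Return (Counter of labels, list of malformed lines) for NSS key log text."""
    counts, bad = Counter(), []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and '#' comments are allowed by the format
        m = LINE_RE.match(line)
        if not m or len(m.group(3)) % 2:  # secret must be whole bytes
            bad.append(line)
            continue
        counts[m.group(1)] += 1
    return counts, bad


def keylog_is_usable(text):
    """True only if every TLS 1.3 secret needed to decrypt a capture was logged."""
    counts, bad = parse_keylog(text)
    return not bad and all(counts[label] > 0 for label in REQUIRED_LABELS)


def check_keylog_file(path):
    """Return (usable, too_open) for a key_log path written by Envoy."""
    with open(path) as f:
        usable = keylog_is_usable(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # These secrets decrypt captured traffic: flag group/world-readable files.
    too_open = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return usable, too_open
```

Running `check_keylog_file("./key_log_file")` against the configuration above returns `(False, ...)` for the empty file this issue describes.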

ggreenway commented 3 months ago

This requires QUICHE to expose an API for enabling keylogging to implement properly. The underlying BoringSSL functionality exists and works, but a QUICHE API is needed so that the keylog callback can have context for keylogging configuration (which file to log to, filtering, etc).

yanavlasov commented 3 months ago

@danzh2010 for more comments

danzh2010 commented 3 months ago

Thanks for reporting this issue! Yes, it's a missing piece in the H3 stack. @bkeshari is it blocking your work? So far, we haven't needed the BoringSSL key log for debugging SSL issues, but it's not too complicated to add a QUICHE API for that.

bkeshari commented 3 months ago

Hi @danzh2010, yes it's blocking. Thanks for the response/info.

danzh2010 commented 3 months ago

Hi @danzh2010, yes it's blocking. Thanks for the response/info.

Are you debugging a QUIC handshake failure? QUICHE already puts a bunch of BoringSSL handshake details into the connection close frame. Would those be sufficient?

ggreenway commented 3 months ago

QUICHE already puts a bunch of BoringSSL handshake details into the connection close frame. Would those be sufficient?

Regardless of whether we implement keylogging now, can you provide details about this? It sounds very useful.

danzh2010 commented 3 months ago

The CONNECTION_CLOSE frame has a reason phrase block which QUICHE populates with handshake failure details: https://www.rfc-editor.org/rfc/rfc9000.html#frame-connection-close. A peer can infer handshake issues from that.

If you can access Envoy logs, you can enable QUICHE verbose logs via the environment variable ENVOY_QUICHE_VERBOSITY.

ggreenway commented 3 months ago

The CONNECTION_CLOSE frame has a reason phrase block which QUICHE populates with handshake failure details: https://www.rfc-editor.org/rfc/rfc9000.html#frame-connection-close. A peer can infer handshake issues from that.

If you can access Envoy logs, you can enable QUICHE verbose logs via the environment variable ENVOY_QUICHE_VERBOSITY.

Thanks!