Open achamayou opened 1 week ago
I can add this to the existing PR for logging updates. The PR currently exposes this functionality for the provider but not the engine. By default, logging level will be off.
@mamckee changing the default to off would solve our problem, and having this functionality on the provider sounds perfect, thank you! What's the header/call to set the log level on the provider? Do we need to do anything special to make sure the Azure Linux package exposes the header?
The logging level will be settable from the config (/etc/pki/tls/symcrypt_prov.cnf on AZL3). These values can be set under symcrypt_prov_sect: https://github.com/microsoft/SymCrypt-OpenSSL/blob/8578c5954d0f15b11d4f88a30d2658fb9958ec88/SymCryptProvider/src/p_scossl_base.c#L18C1-L21C39
@mamckee that's perfect, do you have a sense of when this might land in Azure Linux? If not, would you mind giving us a heads up when it does?
We have found in our testing on Azure Linux 3.0, using SymCrypt-OpenSSL, that failed signature verification produced verbose logging that we do not wish to emit (https://github.com/microsoft/CCF/issues/6593).
Inlined for convenience:
It looks like we could control that with SCOSSL_set_trace_level(), but the public headers are unfortunately very restricted (https://github.com/microsoft/SymCrypt-OpenSSL/blob/main/SymCryptEngine/inc/e_scossl.h) and do not include it. Could that call be exposed, or the logging level for those messages revised?