nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0

Shall nats provide a flag for a writer in tls.Config to get the TLS secret for debugging? #3170

Open xieyuschen opened 2 years ago

xieyuschen commented 2 years ago

Feature Request

Currently, nats only provides flags to specify the cert, key and so on, and initializes them in the function func overrideTLS(opts *Options) error:

    tc := TLSConfigOpts{}
    tc.CertFile = opts.TLSCert
    tc.KeyFile = opts.TLSKey
    tc.CaFile = opts.TLSCaCert
    tc.Verify = opts.TLSVerify
    tc.Ciphers = defaultCipherSuites()

However, nats doesn't provide any way to get the keys during the TLS handshake, and it also doesn't provide a way to pass a tls.Config struct.

So for debugging (especially for QUIC development), I think it is necessary to add a new flag to enable key log output. Note that it should be enabled only in debug mode.

Use Case:

nats-server -sslkeylog "log file name" etc...

This way, we could get the key log in the format:

CLIENT_HANDSHAKE_TRAFFIC_SECRET 4a91b2801514....blabla
SERVER_HANDSHAKE_TRAFFIC_SECRET 4a91b280151....blabla
CLIENT_TRAFFIC_SECRET_0 4a91b28015147bb400e48....blabla
SERVER_TRAFFIC_SECRET_0 4a91b28015147bb400e48....blabla

This also provides a way to get the log and let Wireshark decrypt the packets.

Proposed Change:

Add a new flag in function func ConfigureOptions(fs *flag.FlagSet, args []string, printVersion, printHelp, printTLSHelp func()) (*Options, error).

Who Benefits From The Change(s)?

Developers who are developing QUIC can use Wireshark to capture the packets, and this new feature helps Wireshark decrypt the encrypted packets.
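As an added example (not nats-server code), this is how the debug-gated key log writer the issue asks for can be wired through Go's crypto/tls, exercised with an in-memory TLS 1.3 handshake so the NSS-format lines shown above actually appear; keyLogTLSConfig, selfSignedCert and handshakeKeyLog are names assumed here, and the certificate is a constructed throwaway.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// keyLogTLSConfig clones base and sets KeyLogWriter only in debug mode. Go then emits
// NSS key log lines (CLIENT_HANDSHAKE_TRAFFIC_SECRET ...) that decrypt the whole session.
func keyLogTLSConfig(base *tls.Config, debug bool, w io.Writer) *tls.Config {
	cfg := base.Clone()
	if debug && w != nil {
		cfg.KeyLogWriter = w
	}
	return cfg
}

// selfSignedCert builds a throwaway Ed25519 certificate (constructed) for an in-memory handshake.
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, leaf
}

// handshakeKeyLog runs a TLS 1.3 handshake over net.Pipe and returns the server's key log.
func handshakeKeyLog(debug bool) (string, error) {
	var keyLog bytes.Buffer
	cert, leaf := selfSignedCert()
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// Session tickets are disabled: writing them after the handshake would block on the synchronous pipe.
	base := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
	c, s := net.Pipe()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, keyLogTLSConfig(base, debug, &keyLog)).Handshake() }()
	err := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "localhost"}).Handshake()
	if err == nil {
		err = <-errc
	}
	return keyLog.String(), err
}
```

With debug off the returned log is empty, which is the property a production build should be checked for.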

xieyuschen commented 2 years ago

@derekcollison If nats-server has such a plan, I am interested in adding this feature. Thanks.

derekcollison commented 2 years ago

We don't at this time, but looped in @philpennock

xieyuschen commented 2 years ago

Got it. Thanks @philpennock @derekcollison

derekcollison commented 2 years ago

You submitted a PR yes?

xieyuschen commented 2 years ago

You submitted a PR yes?

Submitted a draft PR.