Open wlallemand opened 11 months ago
Hi @wlallemand ,
We do support this, but we strongly recommend against using it in production as the SSL key log file allows an attacker to compromise security. We only recommend using this option for debugging. For your use case in haproxy, since you are gating this behind a runtime option, it is safe to enable this at build time in wolfSSL.
Looks like your build is getting stuck on -Wall. Try adding CFLAGS='-Wno-error=cpp' in front of your ./configure command for wolfSSL, then make clean and make.
I was able to build with this but it's not possible to build wolfSSL with -Werror or without changing the CFLAGS this way unfortunately :/ It would be nice to have this feature within --enable-haproxy directly.
It looks like SSL_CTX_set_keylog_callback() does not support the TLSv1.3 variables and only dumps the <= TLSv1.2 ones, unlike what is done with OpenSSL. Any chance it will appear in this standard callback instead of having to use wolfSSL_set_tls13_secret_cb()?
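To make the TLS 1.2 / TLS 1.3 gap above concrete, here is an added example (not wolfSSL or haproxy code) that parses an NSS-format key log as written by an SSL_CTX_set_keylog_callback() handler and reports, per session, whether the TLS 1.3 traffic secrets needed to decrypt it were actually logged. The sample lines are constructed; a session that only shows CLIENT_RANDOM was negotiated at TLS 1.2 or lower, and a TLS 1.3 session with missing labels cannot be decrypted end to end.

```python
import re

# NSS key log format: "<LABEL> <client_random hex> <secret hex>", one line each.
TLS12_LABELS = {"CLIENT_RANDOM"}  # secret is the 48-byte master secret
TLS13_REQUIRED = {  # minimum needed to decrypt a whole TLS 1.3 session
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
TLS13_LABELS = TLS13_REQUIRED | {  # secrets are hash-length (32/48-byte)
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
def parse_keylog(text):
    """Return (label, client_random, secret) tuples; reject malformed lines."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key log line: {line!r}")
        label, client_random, secret = m.groups()
        want = (96,) if label in TLS12_LABELS else (64, 96)
        if label in TLS12_LABELS | TLS13_LABELS and len(secret) not in want:
            raise ValueError(f"line {lineno}: bad secret length for {label}")
        records.append((label, client_random.lower(), secret.lower()))
    return records
def classify_sessions(records):
    """Per client random: which version the lines cover and what is missing."""
    labels_by_cr = {}
    for label, client_random, _ in records:
        labels_by_cr.setdefault(client_random, set()).add(label)
    out = {}
    for cr, labels in labels_by_cr.items():
        if labels & TLS12_LABELS:
            out[cr] = {"version": "tls12", "missing": []}
        else:  # TLS 1.3 (or unrecognised labels): which required secrets are absent
            missing = sorted(TLS13_REQUIRED - labels)
            out[cr] = {"version": "tls13-partial" if missing else "tls13", "missing": missing}
    return out
# Constructed sample (not real secrets): TLS 1.2, complete TLS 1.3, and TLS 1.3 with one handshake secret.
SAMPLE_KEYLOG = "# constructed key log\n" + "\n".join(
    f"{label} {cr * 32} {secret}" for label, cr, secret in [
        ("CLIENT_RANDOM", "11", "22" * 48),
        ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "33", "a1" * 32),
        ("SERVER_HANDSHAKE_TRAFFIC_SECRET", "33", "a2" * 32),
        ("CLIENT_TRAFFIC_SECRET_0", "33", "a3" * 32),
        ("SERVER_TRAFFIC_SECRET_0", "33", "a4" * 32),
        ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "55", "b1" * 32),
    ])
```

Run `classify_sessions(parse_keylog(open(path).read()))` on a real SSLKEYLOGFILE to see which sessions a packet capture could be decrypted for.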
Hi @wlallemand ,
My colleague douzzer is working on resolving your first point in https://github.com/wolfSSL/wolfssl/pull/6861. With this PR, you will be able to build with --enable-keylog-export and not run into an error.
For your second point, I will work on this, we do have some older work that integrated TLS 1.3 keylogging into SSL_CTX_set_keylog_callback but it was not upstreamed.
Thanks, I'm now able to build wolfssl successfully with both --enable-haproxy and --enable-keylog-export. Can we have --enable-keylog-export by default in --enable-haproxy, since it works correctly? Thanks!
Good to know that you are going to integrate the TLS1.3 support, it will be useful!
Hello, any update on this?
Hello @wlallemand,
The PR I mentioned in my previous message was merged. wolfSSL now has a TLS 1.3 secret logging callback function built in called SessionSecret_callback_Tls13 which will be automatically enabled if you build wolfSSL with SHOW_SECRETS defined.
I'm confused, this is still not compatible with SSL_CTX_set_keylog_callback() right?
Apologies, you are correct. I will work on fixing this in the near future.
Version
88d25036a005ba
Description
We have a feature in haproxy which allows users to debug by dumping keys with SSL_CTX_set_keylog_callback().
It seems like the support for SSL_CTX_set_keylog_callback() is not recommended in WolfSSL, whereas it is enabled by default in other SSL libraries (NSS, OpenSSL, awslc etc.). Is there any reason for that?
I tried to build this feature for haproxy anyway but I was not able to.
Reproduction steps
$ ./configure --prefix=/opt/wolfssl/ --enable-haproxy --enable-keylog-export
Relevant log output