@mhils mhils commented Nov 19, 2020

This PR fixes #3994, but requires a new pyOpenSSL release to be shipped first. Putting this here because I depend on it for sans-io debugging.

@mhils mhils added the upstream label Nov 19, 2020
@mhils mhils marked this pull request as draft November 19, 2020 13:42
@mhils mhils marked this pull request as ready for review November 27, 2020 22:07
tls.log_master_secret.close()
with open(logfile, "rb") as f:
assert f.read().count(b"CLIENT_RANDOM") >= 2
assert f.read().count(b"SERVER_HANDSHAKE_TRAFFIC_SECRET") >= 2
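Review bot: the assertion on SERVER_HANDSHAKE_TRAFFIC_SECRET only counts occurrences of the label text (`f.read().count(...) >= 2`), and that label is written only for TLS 1.3 sessions, so the check depends on the test handshakes negotiating TLS 1.3. A short comment saying so would explain a failure on a build that negotiates TLS 1.2, where the file would carry CLIENT_RANDOM lines instead. The rendering here has lost the +/- markers. If both asserts were meant to stay, the second `f.read()` would return `b""` because the first call consumes the file, so read once into a variable and count on that.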
Member


Does this mean the content changed with the new pyopenssl version?
Is Wireshark already compatible with this new format?

Member Author


It definitely changed for TLS 1.3, not sure what we'd get for older versions. It doesn't really matter though, the point of the new API is just that: here are some opaque bytes you should save as-is in your keylog file.

And yes, works fine with Wireshark, I used this extensively for sans-io :-)

@mhils mhils merged commit de485ba into mitmproxy:master Nov 27, 2020
@mhils mhils deleted the keylog branch November 27, 2020 23:35
syhe pushed a commit to syhe/macports-ports that referenced this pull request May 10, 2021
mitmproxy requires pyOpenSSL>=20.0 since v6.0.0

refs mitmproxy/mitmproxy#4298
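
An added example, not part of this PR or of mitmproxy's code: a small auditor for an SSLKEYLOGFILE that groups lines by client random and reports TLS 1.3 sessions whose secrets are missing, the symptom the linked issue describes. The names `audit_keylog`, `_line` and `SAMPLE` and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels a TLS 1.3 session needs logged so that both handshake and
# application records can be decrypted (NSS key log format).
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
# One entry per line: <LABEL> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(rb"([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)")

def audit_keylog(data: bytes):
    """Return ({client_random: {"version", "missing"}}, malformed_line_numbers)."""
    sessions, malformed = defaultdict(set), []
    for lineno, raw in enumerate(data.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # blank lines and comments are permitted
        m = LINE_RE.fullmatch(line)
        if m is None:
            malformed.append(lineno)
            continue
        sessions[m.group(2).lower().decode()].add(m.group(1).decode())
    report = {}
    for client_random, labels in sessions.items():
        if labels & TLS13_REQUIRED:
            version, missing = "TLS 1.3", sorted(TLS13_REQUIRED - labels)
        else:
            version = "TLS 1.2 or earlier" if "CLIENT_RANDOM" in labels else "unknown"
            missing = []
        report[client_random] = {"version": version, "missing": missing}
    return report, malformed

def _line(label, rand_byte, secret_len):
    return f"{label} {rand_byte * 32} {'5c' * secret_len}"  # placeholder hex, not real keys

# Constructed sample: a TLS 1.2 session (a1..), a complete TLS 1.3 session
# (b2..), a TLS 1.3 session with handshake secrets only (c3..), one bad line.
SAMPLE = "\n".join(
    [_line("CLIENT_RANDOM", "a1", 48)]
    + [_line(label, "b2", 32) for label in sorted(TLS13_REQUIRED)]
    + [_line("EXPORTER_SECRET", "b2", 32)]
    + [_line("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "c3", 32),
       _line("SERVER_HANDSHAKE_TRAFFIC_SECRET", "c3", 32),
       "CLIENT_TRAFFIC_SECRET_0 c3c3 5c"]
).encode()

if __name__ == "__main__":
    print(audit_keylog(SAMPLE))
```

Unlike a bare label count, this flags a session that logged handshake secrets but no application traffic secrets, and it reports lines that were not written to the file intact.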
Successfully merging this pull request may close these issues.

SSLKEYLOGFILE is not containing TLSv1.3 secrets
