Skip to content

Comments

feat: support the SSLKEYLOGFILE environment variable for clients#1102

Closed
bgeron wants to merge 1 commit intohyperium:masterfrom
bgeron:sslkeylogfile
Closed

feat: support the SSLKEYLOGFILE environment variable for clients#1102
bgeron wants to merge 1 commit intohyperium:masterfrom
bgeron:sslkeylogfile

Conversation

@bgeron
Copy link

@bgeron bgeron commented Oct 6, 2022

Nothing changes unless SSLKEYLOGFILE is set in the environment.

If SSLKEYLOGFILE is set, then every time the client connnects, it will append a line to the file designated in SSLKEYLOGFILE with the pre-master secret for that connection.

Point a tool like Wireshark to that file, and suddenly it can decode the TLS conversations.

https://wiki.wireshark.org/TLS#using-the-pre-master-secret

https://docs.rs/rustls/0.20.6/rustls/struct.KeyLogFile.html

https://docs.rs/rustls/0.20.6/rustls/trait.KeyLog.html

@bgeron
feat: support the SSLKEYLOGFILE environment variable for clients
a976330 
Nothing changes unless SSLKEYLOGFILE is set in the environment.

If SSLKEYLOGFILE is set, then every time the client connnects, it will
append a line to the file designated in SSLKEYLOGFILE with the pre-master
secret for that connection.

Point a tool like Wireshark to that file, and suddenly it can decode
the TLS conversations.

https://wiki.wireshark.org/TLS#using-the-pre-master-secret

https://docs.rs/rustls/0.20.6/rustls/struct.KeyLogFile.html

https://docs.rs/rustls/0.20.6/rustls/trait.KeyLog.html
@LucioFranco
Copy link
Member

LucioFranco commented Oct 17, 2022

I am leaning to not including this in tonic since its possible to configure this manually via rustls. The support for tls within tonic is quite primitive and will actually be removed in the future. So I recommend moving away from using the transport module in tonic.

@bgeron
Copy link
Author

bgeron commented Oct 17, 2022

Short of implementing a TLS connector myself, I think it's not possible to configure this manually. I can specify the tonic::transport::ClientTlsConfig but not the rustls::ClientConfig.

Alternatively I could make this a boolean flag to go into ClientTlsConfig. I guess that would be better. It could be off by default, like it is in rustls.

But if you want to take TLS out of Tonic, I respect that of course. Thank you for making/maintaining Tonic.

@LucioFranco
Copy link
Member

LucioFranco commented Oct 18, 2022

Yes, I would use the hyper-rustls and make sure to only enable http2 then I think it should work. You can either use a customized incoming impl or you can use hyper directly.

@esemeniuc
Copy link

esemeniuc commented Jun 14, 2023

I would love to have this for local debugging

@tottoto tottoto mentioned this pull request Jan 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bgeron @LucioFranco @esemeniuc