Add support for logging TLS 1.3 exporter secret#5702
Add support for logging TLS 1.3 exporter secret#5702Lekensteyn wants to merge 4 commits intoopenssl:masterfrom
Conversation
|
The OpenSSL team will have to decide that this is a bugfix. I hope we/they do. |
|
We have already passed the feature freeze date for the 1.1.1 release. I don't think we can classify this as a bug fix although I agree it would be very useful. I see no problem including it in a post-1.1.1 release. The team as a whole would have to agree that there is sufficient justification for this to include it in 1.1.1. |
mattcaswell
added
issue: feature request
mattcaswell
left a comment
mattcaswell
left a comment
There was a problem hiding this comment.
Approved (needs second review) - but we can't push this now due to the feature freeze
mattcaswell
added
the
approval: review pending
|
Will you hold a vote or should I? |
Go for it. |
|
Thanks for your feedback, I have two more patches (one just extends the test suite to check for "client early traffic secret" support, another adds early "exporter secret" support + test updates). They are based off this one (in the sense that it touches the context). Should I push to this branch or create another PR? Also, it it OK to rebase this branch on master and force-push it (to silence ASAN)? And for some reason 1/4 appveyor build failed, due to random fuzzing or not? |
I would do it all in this PR. We're going to need to vote for this to go in since we're past feature freeze. Let's vote just once instead of multiple times.
Yes, that's ok. |
Lekensteyn
force-pushed
the
tls13-keylog-exporter-secret-only
branch
from
e0576d8 to
0ace667
Compare
|
Rebased + added more tests + added early exporter secret. It's not an API change, so hopefully it can be exempted from the freeze (but it is up to you) :-) On a side note, |
| || !TEST_true(SSL_CTX_set_max_early_data(sctx, | ||
| SSL3_RT_MAX_PLAIN_LENGTH)) | ||
| || !TEST_true(SSL_CTX_set_max_early_data(cctx, | ||
| SSL3_RT_MAX_PLAIN_LENGTH))) |
There was a problem hiding this comment.
It isn't necessary to set max early data on the client side. This is a server side setting.
There was a problem hiding this comment.
If that is the case, then it should be removed from setupearly_data_test as well?
There was a problem hiding this comment.
Yes it should. Feel free to do that here, or leave it to another PR.
|
The reformat script is really not useful except as a first pass. |
|
Found another unnecessary (but harmless) call in the tests, so removed that as well. |
richsalz
left a comment
richsalz
left a comment
There was a problem hiding this comment.
Now we just need to have the vote :)
richsalz
added
approval: done
|
Placed on hold pending the vote |
richsalz
added
branch: master
|
We changed the policy so that 1.3-related features can go in after the beta freeze, if three OMC members approve. We need one more @openssl/omc approval. |
|
Hi, would it be possible to get an exemption for this patch? TLS 1.3 (and its related exporter feature) are the selling points of OpenSSL 1.1.1, but the lack of this debug feature makes it harder for IETF QUIC developers to check their implementations (powered by OpenSSL) using Wireshark. (I just (re)discovered lack of this feature while testing with master openssl) |
|
Yes, we decided that TLS 1.3 features can go in during BETA. I had missed that it was reviewed, will merge now. |
|
Can you rebase? |
NSS 3.34 and boringssl have support for "EXPORTER_SECRET" (https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed for QUIC 1-RTT decryption support in Wireshark.
This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.
Client can only send early data if the PSK allows for it, the max_early_data_size field can only be configured for the server side.
Lekensteyn
force-pushed
the
tls13-keylog-exporter-secret-only
branch
from
7c7fd67 to
6d699c2
Compare
|
Thanks for your reply. I just pushed the result of a trivial rebase, there were no conflicts and based on this diff, no further changes seemed necessary: |
|
@richsalz as per the vote we need 3 OMC members to sign off on this. At the moment we have 2. Ping @openssl/omc. |
|
Pushed! Thanks. |
NSS 3.34 and boringssl have support for "EXPORTER_SECRET" (https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed for QUIC 1-RTT decryption support in Wireshark. Reviewed-by: Rich Salz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #5702)
Reviewed-by: Rich Salz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #5702)
This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data. Reviewed-by: Rich Salz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #5702)
Client can only send early data if the PSK allows for it, the max_early_data_size field can only be configured for the server side. Reviewed-by: Rich Salz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #5702)
4 participants
NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.
Tests are updated as well. For a user, see ngtcp2/ngtcp2#67
If you are open for this, I could create another PR for EARLY_EXPORTER_SECRET which is already supported by NSS 3.35. That would be needed for QUIC 0-RTT decryption support. (Adjusting tests for this is not as straightforward as this PR though since it requires the keylog test to be invoked with early data.)
In theory Wireshark could also be modified to use the derived exporter secrets (
TLS-Exporter("EXPORTER-QUIC 1rtt", "", Hash.length)), but since (1) NSS and boringssl already write this secret and (2) the TLS key log file is already a familiar mechanism in Wireshark, I think it is worth to add it to OpenSSL as well. Thoughts?Ping @tatsuhiro-t