Feature Request: Support dumping session keys in NSS key log format

Cory Benfield cory at lukasa.co.uk
Thu Dec 24 19:17:08 UTC 2015


Many HTTPS browsers support dumping keys for TLS sessions to a text file to allow analysis tools to decrypt captured TLS sessions. This is an extremely useful debugging tool for working with services that only expose encrypted interfaces. This support exists in Firefox and Chrome: in Firefox’s case using NSS, and in Chrome’s case using their BoringSSL fork of OpenSSL. Both tools dump the keys in the same format, defined here[0].

As a developer of an HTTP(S) library that uses OpenSSL directly for TLS, I would like to support the same ad hoc standard for dumping TLS session keys. However, as far as I’m aware OpenSSL has no support for accessing those keys. It would be extremely helpful if OpenSSL added this support.

A possible starting point for this work would be a series of patches applied by David Benjamin to BoringSSL. The first of these can be found here[1], though the eventual interface for this changed to use a callback, and it would probably be better to mimic that interface than to use the BIO-based one shown in this specific patch.

Is there any interest in adding this support to OpenSSL?

Cory

[0]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
[1]: https://boringssl.googlesource.com/boringssl/+/859ec3cc09f244348f3c919693817acb01064535%5E%21/
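The key log format referenced in [0] is simple enough to show end to end. The following is an added example, not code from Cory's post, from OpenSSL or from BoringSSL: a small Python reader/writer for the format, with the validation a decryption tool needs (field count, hex encoding, secret lengths) and the lookup a tool such as Wireshark performs when it matches the ClientHello random seen on the wire against a `CLIENT_RANDOM` line. The two labels described in [0] at the time of the post are `RSA` (keyed by the first 8 bytes of the encrypted premaster) and `CLIENT_RANDOM` (keyed by the 32-byte client random, carrying the 48-byte master secret); the example goes beyond the page by also accepting the TLS 1.3 traffic-secret labels that were added to the same format later, whose secret length depends on the cipher suite's hash. The sample log lines, the label table and the helper names are constructed for the example. One caveat worth stating: the file holds the plaintext secrets for every recorded session, so a library that writes it should create it with restrictive permissions and only when explicitly enabled.

```python
"""Reader/writer for the NSS key log format (the SSLKEYLOGFILE format).

Added example for this thread; not code from the original post, OpenSSL
or BoringSSL. Each record is one line:

    <label> <hex-encoded id> <hex-encoded secret>

Lines starting with '#' are comments and blank lines are ignored.
"""
import re
from typing import List, NamedTuple, Optional


class KeyLogEntry(NamedTuple):
    label: str
    key_id: bytes    # CLIENT_RANDOM: 32-byte client random; RSA: first 8 bytes of encrypted premaster
    secret: bytes


# label -> (id length in bytes, secret length in bytes or None when it
# depends on the cipher suite hash). The first two are the 2015-era labels;
# the rest are the TLS 1.3 labels added to the format later (assumed table).
LABELS = {
    "RSA": (8, 48),
    "CLIENT_RANDOM": (32, 48),
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, None),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, None),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, None),
    "CLIENT_TRAFFIC_SECRET_0": (32, None),
    "SERVER_TRAFFIC_SECRET_0": (32, None),
    "EXPORTER_SECRET": (32, None),
    "EARLY_EXPORTER_MASTER_SECRET": (32, None),
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_line(line: str) -> Optional[KeyLogEntry]:
    """Parse one line. Returns None for comments/blank lines, raises ValueError if malformed."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}: {line!r}")
    label, id_hex, secret_hex = parts
    if label not in LABELS:
        raise ValueError(f"unknown label {label!r}")
    id_len, secret_len = LABELS[label]
    for name, hx, want in (("id", id_hex, id_len), ("secret", secret_hex, secret_len)):
        if not _HEX.match(hx) or len(hx) % 2:
            raise ValueError(f"{name} field is not valid hex: {hx!r}")
        if want is not None and len(hx) != 2 * want:
            raise ValueError(f"{name} field must be {want} bytes, got {len(hx) // 2}")
    return KeyLogEntry(label, bytes.fromhex(id_hex), bytes.fromhex(secret_hex))


def parse_keylog(text: str) -> List[KeyLogEntry]:
    """Parse a whole key log, reporting the line number of any malformed record."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries


def is_valid_line(line: str) -> bool:
    """True if the line is a well-formed record (comments and blanks count as valid)."""
    try:
        parse_line(line)
        return True
    except ValueError:
        return False


def format_line(label: str, key_id: bytes, secret: bytes) -> str:
    """Build the line a TLS library would emit from its key-log hook; validated before return."""
    line = f"{label} {key_id.hex()} {secret.hex()}"
    parse_line(line)  # reject wrong lengths or unknown labels before they reach the file
    return line


def lookup_master_secret(entries: List[KeyLogEntry], client_random: bytes) -> Optional[bytes]:
    """What a decryption tool does: match the ClientHello.random from the capture."""
    for entry in entries:
        if entry.label == "CLIENT_RANDOM" and entry.key_id == client_random:
            return entry.secret
    return None


# Constructed sample log: the values are sequential bytes, not real session keys.
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_LOG = "\n".join([
    "# SSL/TLS secrets log file (constructed for this example)",
    format_line("CLIENT_RANDOM", SAMPLE_CLIENT_RANDOM, SAMPLE_MASTER_SECRET),
    "",
    format_line("RSA", bytes(range(8)), bytes(range(48, 96))),
])

if __name__ == "__main__":
    for e in parse_keylog(SAMPLE_LOG):
        print(e.label, e.key_id.hex(), len(e.secret), "byte secret")
    print("lookup:", lookup_master_secret(parse_keylog(SAMPLE_LOG), SAMPLE_CLIENT_RANDOM).hex())
```

`format_line` is the piece a library author would wire to whatever key-material hook the TLS stack exposes; running the result back through `parse_line` before writing it catches a wrong secret length at the producer rather than as a silent decryption failure in the analysis tool.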