[openssl-dev] SSLKEYLOGFILE Support

Cory Benfield cory at lukasa.co.uk
Wed Sep 28 11:51:59 UTC 2016


> On 28 Sep 2016, at 11:11, Cory Benfield <cory at lukasa.co.uk> wrote:
> 
> So what do the OpenSSL developers think? Do we need the compile flag, or is some lower bar sufficient?

It was brought to my attention that BoringSSL takes an alternative approach to this problem: they allow users to register a callback for key logging purposes[0]. Essentially, this allows application developers to opt-in to generating a key log file in whatever manner they see fit, whether that be by setting SSLKEYLOGFILE in the environment or some other configuration option.

This approach seems like it is likely to be the most generally appealing approach: for anyone who desperately wants SSLKEYLOGFILE behaviour they can code it in at their own application level with very little difficulty, while anyone who is more concerned about environment variables can choose other methods of configuration. Applications can opt out entirely by simply never calling the set callback function, or by calling it for all new contexts with an explicit NULL pointer, and it allows a single libssl shared object to have multiple key logging behaviours for different aspects of the same application.

This approach would definitely work for my use-cases: if everyone in the OpenSSL team is happy with it, I’d be happy to write up and submit a patch for it.

Cory

[0]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_keylog_callback
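The application-level opt-in Cory describes, as an added example written for this page (it is not his proposed patch nor BoringSSL's or OpenSSL's own code): a key-log callback that does nothing unless the application has chosen to honour SSLKEYLOGFILE, and that validates the NSS-format line before appending it. It assumes the BoringSSL callback signature `void cb(const SSL *ssl, const char *line)` and the registration call `SSL_CTX_set_keylog_callback(ctx, keylog_cb)` from the linked documentation; the `SSL` type is forward-declared so the file compiles without the OpenSSL headers.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct ssl_st SSL;  /* opaque, forward-declared as in OpenSSL's own headers */

/* Constructed sample line in the NSS key-log format (label, 32-byte client
 * random, secret, all hex); the values are placeholders, not a real session. */
static const char GOOD_LINE[] =
    "CLIENT_RANDOM "
    "0000000000000000000000000000000000000000000000000000000000000000 "
    "1111111111111111111111111111111111111111111111111111111111111111";

/* Length of the run of hex digits at s; returns 1 if the run is non-empty. */
static int hex_run(const char *s, size_t *n)
{
    *n = 0;
    while (isxdigit((unsigned char)s[*n])) (*n)++;
    return *n > 0;
}

/* Accept only "LABEL <64 hex client_random> <hex secret>" with nothing trailing,
 * so a malformed or injected line never lands in the log file. */
int keylog_line_ok(const char *line)
{
    size_t i, n;
    for (i = 0; line[i] && line[i] != ' '; i++)
        if (!isupper((unsigned char)line[i]) && !isdigit((unsigned char)line[i]) && line[i] != '_')
            return 0;
    if (i == 0 || line[i] != ' ') return 0;
    line += i + 1;
    if (!hex_run(line, &n) || n != 64 || line[n] != ' ') return 0;
    line += n + 1;
    if (!hex_run(line, &n) || line[n] != '\0') return 0;
    return 1;
}

/* Append one line to the key log at path; returns 1 on success, 0 on failure. */
int keylog_write(const char *path, const char *line)
{
    int ok;
    FILE *f = fopen(path, "a");
    if (f == NULL) return 0;
    ok = fprintf(f, "%s\n", line) > 0;
    return fclose(f) == 0 && ok;
}

/* The callback handed to SSL_CTX_set_keylog_callback(ctx, keylog_cb). It is a
 * no-op unless SSLKEYLOGFILE is set, which is the opt-in the message describes;
 * the library itself never reads the environment. */
void keylog_cb(const SSL *ssl, const char *line)
{
    const char *path = getenv("SSLKEYLOGFILE");
    (void)ssl;
    if (path == NULL || *path == '\0' || !keylog_line_ok(line)) return;
    keylog_write(path, line);
}
```

An application that never calls `SSL_CTX_set_keylog_callback`, or that passes `NULL`, gets no key logging at all regardless of the environment.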