What's the rationale behind ssl-trace not being built by default?

Hubert Kario hkario at redhat.com
Tue Jun 8 11:48:47 UTC 2021

On Monday, 7 June 2021 21:01:04 CEST, Arran Cudbard-Bell wrote:
> The tables to convert extension IDs and compression methods to 
> humanly readable names are not available outside ssl/t1_trace.c.
> SSL_trace() itself produces reams of helpful information as 
> handshakes progress, and is particularly useful for dealing with 
> encrypted handshakes, where wireshark et al don't provide useful 
> output.

Note that many tools are able to produce a keyfile that wireshark can use
to decrypt the encrypted parts of handshake and exchanged data too.

Look for SSLKEYLOGFILE in https://wiki.wireshark.org/TLS

It's supported in clients like Firefox and curl, as well as in servers,
like httpd: https://github.com/apache/httpd/pull/74

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

More information about the openssl-users mailing list