What's the rationale behind ssl-trace not being built by default?
Hubert Kario
hkario at redhat.com
Tue Jun 8 11:48:47 UTC 2021
On Monday, 7 June 2021 21:01:04 CEST, Arran Cudbard-Bell wrote:
> The tables to convert extension IDs and compression methods to
> humanly readable names are not available outside ssl/t1_trace.c.
>
> SSL_trace() itself produces reams of helpful information as
> handshakes progress, and is particularly useful for dealing with
> encrypted handshakes, where wireshark et al don't provide useful
> output.
Note that many tools are able to produce a keyfile that wireshark can use
to decrypt the encrypted parts of handshake and exchanged data too.
Look for SSLKEYLOGFILE in https://wiki.wireshark.org/TLS
It's supported in clients like Firefox and curl, as well as in servers,
like httpd: https://github.com/apache/httpd/pull/74
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
More information about the openssl-users
mailing list