mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the

environment, using the standard format which can be parsed by (e.g.) wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1. * modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if SSLKEYLOGFILE is set in the environment. (ssl_init_ctx_protocol): Register the keylog callback with OpenSSL. * modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog): New function. PR: 63391 Github: closes #74 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869842 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2019-11-15 09:46:30 +00:00
parent d6fb0ed357
commit abe9502d3b
6 changed files with 65 additions and 2 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -440,6 +440,28 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    init_bio_methods();
 #endif

+#ifdef HAVE_OPENSSL_KEYLOG
+    {
+        const char *logfn = getenv("SSLKEYLOGFILE");
+
+        if (logfn) {
+            rv = apr_file_open(&mc->keylog_file, logfn,
+                               APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
+                               APR_FPROT_UREAD|APR_FPROT_UWRITE,
+                               mc->pPool);
+            if (rv) {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
+                             "Could not open log file '%s' configured via SSLKEYLOGFILE",
+                             logfn);
+                return rv;
+            }
+
+            ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
+                         "Init: Logging SSL private key material to %s", logfn);
+        }
+    }
+#endif
+    
    return OK;
 }

@@ -826,6 +848,12 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     * https://github.com/openssl/openssl/issues/7178 */
    SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
 #endif
+
+#ifdef HAVE_OPENSSL_KEYLOG
+    if (mctx->sc->mc->keylog_file) {
+        SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
+    }
+#endif
    
    return APR_SUCCESS;
 }