author: Peter Wu <peter@lekensteyn.nl> 2018-10-23 18:39:24 +0200
committer: Peter Wu <peter@lekensteyn.nl> 2018-10-23 19:10:11 +0200
commit: 9fa13901cd459ea71543753a68fbf75c4f35c51e (patch)
tree: e6653f25c71dd679d53255c81404ce14c8ede5f2 /kex-fix
parent: 5a413f9cd4626d14de0326a2ab2156994a069d30 (diff)
download: wireshark-notes-9fa13901cd459ea71543753a68fbf75c4f35c51e.tar.gz
sslkeylog.c: support TLS 1.3 and OpenSSL 1.1.1
OpenSSL 1.1.1 adds TLS 1.3 support which uses a new secrets format.
Previously it resulted in garbage keylog files; this has been fixed now.

OpenSSL 1.1.1 also introduces a new API for secrets extraction. Consumers
can use it like this (curl uses this code for example):

    static void keylog_callback(const SSL *ssl, const char *line)
    {
        /* write line and terminating '\n' */
    }

    {
        SSL_CTX *ctx;
        ...
        SSL_CTX_set_keylog_callback(ctx, keylog_callback);
        SSL *ssl = SSL_new(ctx);
    }

In case you cannot change the source code for an application, you can
use sslkeylog.c again. This will basically perform the above step: set
the key log callback before calling SSL_new.

Since the new OpenSSL 1.1.1 API requires no further interception of
SSL_read and other functions, a new NO_OPENSSL_110_SUPPORT macro was
added to avoid intercepting these. Additionally, a NO_OPENSSL_102_SUPPORT
macro avoids the need for OpenSSL development headers.

Caveat: when building with OpenSSL <= 1.0.2, libsslkeylog.so will not be
compatible with runtime OpenSSL 1.1.0. OpenSSL 1.1.1 still works though.

Use of SSL_new and interception via SSL_CTX_set_keylog_callback was
initially proposed by Derick Rethans, thanks for the suggestion!
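As an added illustration of the consumer side described in the commit message (this is example code, not part of wireshark-notes or sslkeylog.c): a keylog callback with the signature SSL_CTX_set_keylog_callback expects, which appends each line plus its terminating '\n' to a file and drops lines that do not match the NSS key log format, so a malformed line like the garbage older builds wrote for TLS 1.3 never reaches the file Wireshark loads. The opaque `typedef struct ssl_st SSL` stands in for OpenSSL's own declaration so the example builds without OpenSSL headers, the TLS 1.3 label list is the NSS key log format's, the SSLKEYLOGFILE environment variable is this example's own choice of where to write, and the sample lines are constructed, not real secrets.

```c
/* Added example: a key log consumer in the shape OpenSSL 1.1.1's
 * SSL_CTX_set_keylog_callback expects. Not from wireshark-notes. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenSSL declares SSL as an opaque struct; the forward declaration lets the
 * example build without OpenSSL headers (assumption for this example). */
typedef struct ssl_st SSL;

enum keylog_kind { KEYLOG_INVALID = 0, KEYLOG_TLS12 = 12, KEYLOG_TLS13 = 13 };

/* TLS 1.3 labels of the NSS key log format, which OpenSSL 1.1.1 emits. */
static const char *const tls13_labels[] = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
};

static int is_hex_field(const char *s, size_t n)
{
    if (n == 0 || n % 2 != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

static int label_is(const char *line, size_t len, const char *label)
{
    return strlen(label) == len && memcmp(line, label, len) == 0;
}

/* Classify one line: "<LABEL> <client_random, 64 hex> <secret, hex>".
 * Anything else is reported as invalid. Other NSS labels (e.g. RSA) are
 * deliberately out of scope for this example. */
enum keylog_kind keylog_line_kind(const char *line)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL)
        return KEYLOG_INVALID;
    size_t label_len = (size_t)(sp1 - line);
    const char *rnd = sp1 + 1;
    const char *sp2 = strchr(rnd, ' ');
    if (sp2 == NULL)
        return KEYLOG_INVALID;
    size_t rnd_len = (size_t)(sp2 - rnd);
    const char *secret = sp2 + 1;
    size_t secret_len = strlen(secret);

    if (rnd_len != 64 || !is_hex_field(rnd, rnd_len) ||
        !is_hex_field(secret, secret_len))
        return KEYLOG_INVALID;

    /* TLS 1.2: 48-byte master secret, i.e. 96 hex characters. */
    if (label_is(line, label_len, "CLIENT_RANDOM"))
        return secret_len == 96 ? KEYLOG_TLS12 : KEYLOG_INVALID;

    /* TLS 1.3: secrets are hash-sized (SHA-256 or SHA-384). */
    for (size_t i = 0; i < sizeof tls13_labels / sizeof tls13_labels[0]; i++)
        if (label_is(line, label_len, tls13_labels[i]))
            return (secret_len == 64 || secret_len == 96) ? KEYLOG_TLS13
                                                          : KEYLOG_INVALID;
    return KEYLOG_INVALID;
}

static FILE *keylog_fp;

/* Append mode, so several processes can share one key log file. */
int keylog_open(const char *path)
{
    keylog_fp = fopen(path, "a");
    return keylog_fp != NULL;
}

/* Callback with the signature SSL_CTX_set_keylog_callback expects. OpenSSL
 * hands over the line without its trailing '\n'; the consumer appends it.
 * Malformed lines are dropped so the file stays loadable by Wireshark. */
void keylog_callback(const SSL *ssl, const char *line)
{
    (void)ssl;
    if (keylog_fp == NULL || keylog_line_kind(line) == KEYLOG_INVALID)
        return;
    fputs(line, keylog_fp);
    fputc('\n', keylog_fp);
    fflush(keylog_fp);
}

/* Constructed sample lines (not real secrets). */
#define HEX32 "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
#define HEX16 "0123456789abcdef0123456789abcdef"
const char *const KEYLOG_SAMPLE_TLS12 = "CLIENT_RANDOM " HEX32 " " HEX32 HEX16;
const char *const KEYLOG_SAMPLE_TLS13 = "SERVER_HANDSHAKE_TRAFFIC_SECRET " HEX32 " " HEX32;
const char *const KEYLOG_SAMPLE_GARBAGE = "CLIENT_RANDOM " HEX32 " zzzz";

int main(void)
{
    /* In a real build this callback is registered with
     * SSL_CTX_set_keylog_callback(ctx, keylog_callback) before SSL_new(ctx). */
    const char *path = getenv("SSLKEYLOGFILE");
    if (path == NULL || !keylog_open(path)) {
        fputs("set SSLKEYLOGFILE to a writable path\n", stderr);
        return 1;
    }
    keylog_callback(NULL, KEYLOG_SAMPLE_TLS12);
    keylog_callback(NULL, KEYLOG_SAMPLE_TLS13);
    keylog_callback(NULL, KEYLOG_SAMPLE_GARBAGE); /* silently dropped */
    return 0;
}
```

The validation step is what distinguishes this from the bare callback in the message: a consumer that only writes whatever it is handed reproduces the "garbage keylog file" failure mode the commit fixes if anything upstream misformats a line, whereas checking the label, the 64-hex client random and the secret length before writing keeps the file usable.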
Diffstat (limited to 'kex-fix')
0 files changed, 0 insertions, 0 deletions