From 0d0b245d2632a5ff5ab327d62dbe2a4f78e9e564 Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Thu, 29 Jan 2015 00:15:43 +0100 Subject: sslkeylog: continue after failed handshake, reject SSLv2 Try to dump as many keys as possible, even if a fatal alert occurred. Wireshark does not support SSLv2, so check that a successful connection does not use SSLv2 before dumping keys (this fixes a crash).
---
 src/sslkeylog.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/sslkeylog.c')
diff --git a/src/sslkeylog.c b/src/sslkeylog.c
index 861c314..0d09b5d 100644
--- a/src/sslkeylog.c
+++ b/src/sslkeylog.c
@@ -78,7 +78,10 @@ int SSL_connect(SSL *ssl)
 _SSL_connect = (int (*)(SSL *ssl)) dlsym(RTLD_NEXT, "SSL_connect");
 }
 int ret = _SSL_connect(ssl);
- if (ret >= 0) {
+ /* SSLv2 is not supported (Wireshark does not support it either). Write the
+ * logfile when the master key is available for SSLv3/TLSv1. */
+ if (ssl->s3 != NULL &&
+ ssl->session != NULL && ssl->session->master_key_length > 0) {
 init_keylog_file();
 if (keylog_file_fd >= 0) {
 dump_to_fd(ssl, keylog_file_fd);
--
cgit v1.2.1
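Review bot: The new condition no longer consults `ret` at all, so on a non-blocking socket every SSL_connect() call that returns -1 with SSL_ERROR_WANT_READ/WANT_WRITE after the master key has been derived will presumably re-run dump_to_fd(), producing duplicate log lines for the same session; adding `int err = ret < 0 ? SSL_get_error(ssl, ret) : 0;` before the check and `err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE &&` to the condition would keep "dump after fatal alert" while skipping handshakes that are merely still in progress. The SSLv2 rejection also relies on OpenSSL's private layout (`ssl->s3`, `ssl->session->master_key_length`); the public `SSL_version(ssl) != SSL2_VERSION` expresses the same intent without depending on those fields. Note that `master_key_length > 0` may also hold for a session pre-loaded via SSL_set_session() whose resumption was aborted by a fatal alert, in which case the logged key would not match the client_random of the failed handshake — worth confirming rather than assuming. SSL_connect's body continues past the end of the hunk.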