Support SSLKEYLOGFILE environment variable
#797
Conversation
src/aiortc/rtcdtlstransport.py
Outdated
| # Log TLS secrets to a file, similar to browsers | ||
| SSLKEYLOGFILE = os.getenv('SSLKEYLOGFILE') | ||
| if SSLKEYLOGFILE: | ||
| logger.warning('Logging all TLS keys to %s', SSLKEYLOGFILE) |
There was a problem hiding this comment.
Why are we emitting a warning here?
There was a problem hiding this comment.
Because logging all encryption keys is something you probably don't want by default, so I thought it might be a good idea to log a warning if it is enabled.
jlaine
added
the
changes requested
I'm not sure I understand this comment. Is the produced log file usable in Wireshark or not? |
|
Yes, the log file is perfectly usable; Wireshark just was unable to decode the protocol stack |
|
Please note that #813 is going to clash with this, is it possible to enable this logging using PyOpenSSL's API? EDIT: apparently yes it's possible https://www.pyopenssl.org/en/latest/api/ssl.html#OpenSSL.SSL.Context.set_keylog_callback |
|
ah, perfect, you already found it |
|
PR #813 has been merged if you'd care to rework your pr on top of |
|
I'll do it tomorrow 👍 |
Sure take your time, I'm not in a position to ask for immediate turnarounds ATM :) Thanks again for your PR for the SCTP stack, the issue it fixed had been outstanding for a while. |
DerGenaue
force-pushed
the
sslkeylogfile
branch
from
4c8fa26
to
f3c1910
Compare
|
Rebased ✅ |
DerGenaue
force-pushed
the
sslkeylogfile
branch
from
f3c1910
to
cb35e9b
Compare
This allows using eg. Wireshark to debug the encrypted connection
DerGenaue
force-pushed
the
sslkeylogfile
branch
from
cb35e9b
to
8c1b0ca
Compare
|
ok; linter is happy now |
|
I'm a bit spooked by the fact coverage has not changed, who is setting the environment variable in CI? EDIT: looking at the logs it looks as though the coverage report could not be uploaded. |
This allows using eg. Wireshark to debug the encrypted connection
This environment variable apparently is pretty standard in many ssl / tls scenarios such as browsers.
It gives a path to a file, eg.
tls.keylog, where all encryption keys are logged.The resulting file can be plugged into the TLS module of Wireshark which then allows it to decrypt the packages it captured.
Please note that Wireshark needs additional tweaks to recognize DTLS & SCTP inside