Support SSLKEYLOGFILE environment variable #797
base: main
src/aiortc/rtcdtlstransport.py (outdated)

import logging
import os

logger = logging.getLogger(__name__)

# Log TLS secrets to a file, similar to browsers
SSLKEYLOGFILE = os.getenv('SSLKEYLOGFILE')
if SSLKEYLOGFILE:
    logger.warning('Logging all TLS keys to %s', SSLKEYLOGFILE)
Why are we emitting a warning here?
Because logging all encryption keys is something you probably don't want by default, so I thought it might be a good idea to log a warning if it is enabled.
I'm not sure I understand this comment. Is the produced log file usable in Wireshark or not?
Yes, the log file is perfectly usable; Wireshark just was unable to decode the protocol stack.
Please note that #813 is going to clash with this, is it possible to enable this logging using PyOpenSSL's API? EDIT: apparently yes it's possible https://www.pyopenssl.org/en/latest/api/ssl.html#OpenSSL.SSL.Context.set_keylog_callback
ah, perfect, you already found it
PR #813 has been merged if you'd care to rework your PR on top of
I'll do it tomorrow 👍
Sure take your time, I'm not in a position to ask for immediate turnarounds ATM :) Thanks again for your PR for the SCTP stack, the issue it fixed had been outstanding for a while.
Force-pushed from 4c8fa26 to f3c1910
Rebased ✅
Force-pushed from f3c1910 to cb35e9b
This allows using e.g. Wireshark to debug the encrypted connection
Force-pushed from cb35e9b to 8c1b0ca
ok; linter is happy now
I'm a bit spooked by the fact coverage has not changed, who is setting the environment variable in CI? EDIT: looking at the logs it looks as though the coverage report could not be uploaded.
This allows using e.g. Wireshark to debug the encrypted connection.
This environment variable apparently is pretty standard in many SSL / TLS scenarios such as browsers.
It gives a path to a file, e.g. tls.keylog, where all encryption keys are logged. The resulting file can be plugged into the TLS module of Wireshark which then allows it to decrypt the packets it captured.
Please note that Wireshark needs additional tweaks to recognize DTLS & SCTP inside
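The PyOpenSSL route the review points at (Context.set_keylog_callback) and the key log file the description above hands to Wireshark, as an added example that is neither aiortc's code nor part of this PR: it reads SSLKEYLOGFILE, installs a callback that appends each line OpenSSL emits in the NSS key log format Wireshark's TLS dissector reads, and checks a resulting file line by line. The names make_keylog_callback, install_keylog, parse_keylog, _FakeContext and keylog_roundtrip are the example's own; in real use ctx would be an OpenSSL.SSL.Context, and the label list and line layout are those of the NSS key log format.

```python
# Added example (not aiortc's own code): wiring SSLKEYLOGFILE to PyOpenSSL's
# Context.set_keylog_callback and checking the NSS-format key log it produces.
import logging
import os
import re
import tempfile
from typing import Callable, List, Optional, Tuple

logger = logging.getLogger(__name__)

# One NSS key log line is "<label> <client_random as 64 hex chars> <secret hex>".
# CLIENT_RANDOM is what (D)TLS 1.2 emits; the *_TRAFFIC_SECRET labels are TLS 1.3.
_LABELS = (
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_SECRET",
)
_KEYLOG_LINE = re.compile(r"^(" + "|".join(_LABELS) + r") ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def make_keylog_callback(path: str) -> Callable[[object, bytes], None]:
    """Build the callable PyOpenSSL invokes as callback(connection, line).

    OpenSSL hands over one complete NSS-format line (bytes, no newline) per
    secret. The file is reopened per line so Wireshark can tail it mid-session.
    """
    def _callback(connection: object, line: bytes) -> None:
        with open(path, "ab") as keylog:
            keylog.write(line + b"\n")
    return _callback


def install_keylog(ctx, keylog_path: Optional[str] = None) -> bool:
    """Enable key logging on a PyOpenSSL-style Context when SSLKEYLOGFILE is set.

    `ctx` only needs a set_keylog_callback(callable) method, which the real
    OpenSSL.SSL.Context provides. Returns True when logging was switched on, and
    warns in that case because every session secret is now written to disk.
    """
    path = keylog_path if keylog_path is not None else os.getenv("SSLKEYLOGFILE")
    if not path:
        return False
    logger.warning("Logging all TLS keys to %s", path)
    ctx.set_keylog_callback(make_keylog_callback(path))
    return True


def parse_keylog(path: str) -> List[Tuple[str, str]]:
    """Return (label, client_random) per valid line; reject malformed lines.

    Wireshark ignores lines it cannot parse, so checking the file here explains
    an otherwise puzzling "capture is still encrypted" situation.
    """
    entries: List[Tuple[str, str]] = []
    with open(path, "r", encoding="ascii") as keylog:
        for number, raw in enumerate(keylog, start=1):
            line = raw.strip()
            if not line or line.startswith("#"):  # blank and '#' comment lines are allowed
                continue
            match = _KEYLOG_LINE.match(line)
            if match is None:
                raise ValueError(f"{path}:{number}: not an NSS key log line: {line!r}")
            entries.append((match.group(1), match.group(2).lower()))
    return entries


class _FakeContext:
    """Constructed stand-in for OpenSSL.SSL.Context: it only records the callback,
    so the round trip below runs without pyOpenSSL installed."""
    def __init__(self) -> None:
        self.callback = None

    def set_keylog_callback(self, callback) -> None:
        self.callback = callback


def keylog_roundtrip() -> List[Tuple[str, str]]:
    """Drive install_keylog with constructed secrets and parse what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tls.keylog")
        ctx = _FakeContext()
        if not install_keylog(ctx, path):
            raise RuntimeError("key logging was not enabled")
        # Constructed values: a 32-byte client random and a 48-byte master secret.
        client_random = bytes(range(32)).hex()
        master_secret = "ab" * 48
        ctx.callback(None, f"CLIENT_RANDOM {client_random} {master_secret}".encode())
        with open(path, "a") as keylog:  # comment lines are part of the format
            keylog.write("# constructed comment line\n")
        return parse_keylog(path)


if __name__ == "__main__":
    # Real use (hypothetical snippet): ctx = OpenSSL.SSL.Context(OpenSSL.SSL.DTLS_METHOD)
    # followed by install_keylog(ctx); here the fake context is exercised instead.
    print(keylog_roundtrip())
```

Appending per line rather than holding the file open is deliberate: the file is complete after every secret, so a capture can be decrypted while the session is still running, and a crash loses nothing already written. The warning on enablement mirrors the point made in the review thread: writing every session secret to disk is something nobody wants silently on.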