diff --git a/INSTALL.md b/INSTALL.md
index ae47e4d269..0f686532d3 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1085,8 +1085,9 @@ Build with support for the SSLKEYLOGFILE environment variable
 When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
 during a TLS handshake for use in analysis tools like wireshark. Note that the
 use of this mechanism allows for decryption of application payloads found in
-captured packets using keys from the key log file. See Section 3 of
-[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/)
+captured packets using keys from the key log file and therefore has significant
+security consequences. See Section 3 of
+[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
 
 ### no-ts
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ba4d690468..b94fc77e29 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3904,7 +3904,7 @@ static long check_keylog_bio_free(BIO *b, int oper, const char *argp,
 /**
  * @brief records ssl secrets to a file
  */
-static void sslkeylogfile_cb(const SSL *ssl, const char *line)
+static void do_sslkeylogfile(const SSL *ssl, const char *line)
 {
     if (keylog_lock == NULL)
         return;
@@ -4202,7 +4202,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
         goto out;
     }
 
-    /* Grab out global lock */
+    /* Grab our global lock */
     if (!CRYPTO_THREAD_write_lock(keylog_lock)) {
         OSSL_TRACE(TLS, "Unable to acquire keylog write lock\n");
         goto out;
@@ -6909,7 +6909,7 @@ static int nss_keylog_int(const char *prefix,
 
 #ifndef OPENSSL_NO_SSLKEYLOG
     if (sctx->do_sslkeylog == 1)
-        sslkeylogfile_cb(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
+        do_sslkeylogfile(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
 #endif
     if (sctx->keylog_callback != NULL)
         sctx->keylog_callback(SSL_CONNECTION_GET_SSL(sc), (const char *)out);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 06d78dd635..eaf9fbd68e 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1100,10 +1100,7 @@ struct ssl_ctx_st {
     SSL_CTX_keylog_cb_func keylog_callback;
 
     /*
-     * Private callback for internal key logging based on SSLKEYLOG env
-     * We don't want to create a chaining mechanism as we're never sure
-     * if the application wants to set an additional callback or override
-     * the one set via SSLKEYLOGFILE, so we just keep them separate
+     * Private flag for internal key logging based on SSLKEYLOG env
      */
 # ifndef OPENSSL_NO_SSLKEYLOG
     uint32_t do_sslkeylog;
diff --git a/test/recipes/70-test_sslkeylogfile.t b/test/recipes/70-test_sslkeylogfile.t
index 6261740e90..acff862229 100644
--- a/test/recipes/70-test_sslkeylogfile.t
+++ b/test/recipes/70-test_sslkeylogfile.t
@@ -36,8 +36,9 @@ my @s_server_cmd = ("s_server", "-accept", "0", "-naccept", "1",
                     "-cert", $server_pem, "-key", $server_key);
 my $s_server_pid = open3(my $s_server_i, my $s_server_o, my $s_server_e,
                          $shlib_wrap, $apps_openssl, @s_server_cmd);
-# ACCEPT 0.0.0.0:45921
-# ACCEPT [::]:45921
+# expected outputs from the server
+# ACCEPT 0.0.0.0:
+# ACCEPT [::]:
 my $port = "0";
 # Figure out what port its listening on
 while (<$s_server_o>) {
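Review bot: The rewritten comment on `do_sslkeylog` in `struct ssl_ctx_st` still calls the trigger the `SSLKEYLOG env`, while the INSTALL.md hunk in this same change documents the variable as `SSLKEYLOGFILE`, so the name in the header is likely to mislead whoever greps for it. The ssl_lib.c hunk at `nss_keylog_int()` also shows the flag compared against exactly `1` (`if (sctx->do_sslkeylog == 1)`), which the comment does not state. Suggest `/* Private flag: set to 1 when internal key logging via the SSLKEYLOGFILE environment variable is active (checked in nss_keylog_int()) */`. The struct definition continues outside the hunk.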