Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25297)
Build with support for the SSLKEYLOGFILE environment variable
When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
-during a TLS handshake for use in analysis tools like wireshark.
+during a TLS handshake for use in analysis tools like wireshark. Note that the
+use of this mechanism allows for decryption of application payloads found in
+captured packets using keys from the key log file. See Section 3 of
+[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-thomson-tls-keylogfile/)
### no-ts
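Review bot: The added sentence "See Section 3 of [the draft standard for SSLKEYLOGFILE](...)" has no terminating period, and this hunk links draft-thomson-tls-keylogfile while the second hunk of the same change links draft-ietf-tls-keylogfile; the two docs should cite the same draft identifier, preferably the working-group version used in the POD hunk, so the INSTALL.md text does not go stale separately. While touching the line, "wireshark" could be capitalised as the product name, Wireshark.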
set this variable to a filename to log all secrets produced by SSL connections.
Note, use of the environment variable is predicated on configuring OpenSSL at
build time with the enable-sslkeylog feature. The file format standard can be
-found at L<https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/>
+found at L<https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/>.
+Note: the use of B<SSLKEYLOGFILE> poses an explicit security risk. By recording
+the exchanged keys during an SSL session, it allows any available party with
+read access to the file to decrypt application traffic sent over that session.
+Use of this feature should be restricted to test and debug environments only.
=back
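Review bot: The new "Note:" paragraph says "any available party with read access to the file to decrypt application traffic", which reads awkwardly and mixes "SSL session" with the "TLS handshake" wording used in INSTALL.md; suggest "allows any party with read access to the file to decrypt application traffic sent over that session" and "TLS session" for consistency. The last sentence, "should be restricted to test and debug environments only", is redundant with "restricted to"; drop "only". Since the risk described is file read access, it would also help the reader to state that the key log file must be protected with appropriate file permissions and removed when no longer needed, which follows directly from the warning being added here.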