From: Jay Satiro Date: Fri, 17 May 2024 04:07:21 +0000 (-0400) Subject: openssl: revert keylog_callback support for LibreSSL X-Git-Tag: curl-8_8_0~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9aae9bf81705162756cf209df178c59e55556ec4;p=thirdparty%2Fcurl.git openssl: revert keylog_callback support for LibreSSL - Revert to the legacy TLS 1.2 key logging code for LibreSSL. - Document SSLKEYLOGFILE for LibreSSL is TLS 1.2 max. Prior to this change if the user specified a filename in the SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then an empty file would be created and no keys would be logged. This is effectively a revert of e43474b4 which changed openssl.c to use SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL added that function only as a stub that doesn't actually do anything. Reported-by: Gonçalo Carvalho Fixes https://github.com/curl/curl/issues/13672 Closes https://github.com/curl/curl/pull/13682 --- diff --git a/docs/cmdline-opts/_ENVIRONMENT.md b/docs/cmdline-opts/_ENVIRONMENT.md index af60ac8d0b..1d40b87b85 100644 --- a/docs/cmdline-opts/_ENVIRONMENT.md +++ b/docs/cmdline-opts/_ENVIRONMENT.md @@ -101,8 +101,8 @@ if Schannel is used as the TLS backend. If you set this environment variable to a filename, curl stores TLS secrets from its connections in that file when invoked to enable you to analyze the TLS traffic in real time using network analyzing tools such as Wireshark. This -works with the following TLS backends: OpenSSL, libressl, BoringSSL, GnuTLS -and wolfSSL. +works with the following TLS backends: OpenSSL, LibreSSL (TLS 1.2 max), +BoringSSL, GnuTLS and wolfSSL. ## `USERPROFILE` On Windows, this variable is used when trying to find the home directory. If diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1c66491a32..298a488a09 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c 
@@ -204,12 +204,10 @@ * Whether SSL_CTX_set_keylog_callback is available. * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287 * BoringSSL: supported since d28f59c27bac (committed 2015-11-19) - * LibreSSL: supported since 3.5.0 (released 2022-02-24) + * LibreSSL: not supported. 3.5.0+ has a stub function that does nothing. */ #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \ !defined(LIBRESSL_VERSION_NUMBER)) || \ - (defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || \ defined(OPENSSL_IS_BORINGSSL) #define HAVE_KEYLOG_CALLBACK #endif
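Review bot: the new wording "LibreSSL (TLS 1.2 max)" in the _ENVIRONMENT.md hunk is terse for an end-user document; a reader setting SSLKEYLOGFILE to decrypt a TLS 1.3 session in Wireshark will still see nothing logged and may not connect that to this parenthetical. Suggest spelling it out, e.g. "LibreSSL (only TLS 1.2 secrets are logged; TLS 1.3 connections are not logged)", so the documented limitation matches the failure mode the commit message describes (an empty file with no keys).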
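Review bot: in the openssl.c hunk the comment "LibreSSL: not supported. 3.5.0+ has a stub function that does nothing." drops LibreSSL from HAVE_KEYLOG_CALLBACK unconditionally, so if a later LibreSSL release implements SSL_CTX_set_keylog_callback for real, nothing in this block will pick it up and LibreSSL will stay on the legacy TLS 1.2-only path. Suggest adding a pointer to the report (https://github.com/curl/curl/issues/13672) in the comment so the version check removed here can be reinstated against the correct LibreSSL version once the stub is fixed. The preprocessor expression itself is fine after the removal: the first clause keeps its trailing `|| \` and still joins to `defined(OPENSSL_IS_BORINGSSL)`.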