]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a088d3d) | patch
MINOR: SSL: add client/server random sample fetches
authorPatrick Hemmer <haproxy@stormcloud9.net>
Tue, 4 Jun 2019 12:13:03 +0000 (08:13 -0400)
committerWilly Tarreau <w@1wt.eu>
Wed, 5 Jun 2019 08:07:44 +0000 (10:07 +0200)
commit65674662b4b950c7f5fb7572859b98ef8c9a8767
tree82370f05b14ded02d572a16624c4f1dfb88a60fbtree
parenta088d3dea90d1c9362aacd4171cc9a194643b076commit | diff
MINOR: SSL: add client/server random sample fetches

This adds 4 sample fetches:
- ssl_fc_client_random
- ssl_fc_server_random
- ssl_bc_client_random
- ssl_bc_server_random

These fetches retrieve the client or server random value sent during the
handshake.

Their use is to be able to decrypt traffic sent using ephemeral ciphers. Tools
like wireshark expect a TLS log file with lines in a few known formats
(https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-tls-utils.c;h=28a51fb1fb029eae5cea52d37ff5b67d9b11950f;hb=HEAD#l5209).
Previously the only format supported using data retrievable from HAProxy state
was the one utilizing the Session-ID. However an SSL/TLS session ID is
optional, and thus cannot be relied upon for this purpose.

This change introduces the ability to extract the client random instead which
can be used for one of the other formats. The change also adds the ability to
extract the server random, just in case it might have some other use, as the
code change to support this was trivial.
doc/configuration.txt diff | blob | blame | history
src/ssl_sock.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git