mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the

author Joe Orton <jorton@apache.org>

Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)

committer Joe Orton <jorton@apache.org>

Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)
author Joe Orton <jorton@apache.org>
Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)
committer Joe Orton <jorton@apache.org>
Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)
diff --git a/CHANGES b/CHANGES

index f8a54e9f0e8d43dec3ac35a2ec5af6a58ae6e93a..c1122358390a20153349586acce649bc0b1a854a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.1
-   
+
+  *) mod_ssl: Support logging private key material for use with
+     wireshark via log file given by SSLKEYLOGFILE environment
+     variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]
+
    *) mod_proxy: Improve tunneling loop to support half closed connections and
       pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
  
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number

index 7705262be1eb7752a0e8a6eb5c91ab625dfe04b6..874d655b9d5e52b318ca1085939842ea62c15ff6 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10226
+10228
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c

index 0e3dd001970077adbe57be2a895a2682500438bb..c92d77f7c0ace1bf2dffc2ff715986469b48ff66 100644 (file)
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -79,6 +79,10 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
      mc->stapling_refresh_mutex = NULL;
  #endif
  
+#ifdef HAVE_OPENSSL_KEYLOG
+    mc->keylog_file = NULL;
+#endif
+
      apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
                            apr_pool_cleanup_null,
                            pool);
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 8d986519116e3be1e25a21cd28bf68ff736a1139..b79cb229a6b138f40c81156ea3ca2a5ad405a23e 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -440,6 +440,28 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
      init_bio_methods();
  #endif
  
+#ifdef HAVE_OPENSSL_KEYLOG
+    {
+        const char *logfn = getenv("SSLKEYLOGFILE");
+
+        if (logfn) {
+            rv = apr_file_open(&mc->keylog_file, logfn,
+                               APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
+                               APR_FPROT_UREAD|APR_FPROT_UWRITE,
+                               mc->pPool);
+            if (rv) {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
+                             "Could not open log file '%s' configured via SSLKEYLOGFILE",
+                             logfn);
+                return rv;
+            }
+
+            ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
+                         "Init: Logging SSL private key material to %s", logfn);
+        }
+    }
+#endif
+    
      return OK;
  }
  
@@ -826,6 +848,12 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
       * https://github.com/openssl/openssl/issues/7178 */
      SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
  #endif
+
+#ifdef HAVE_OPENSSL_KEYLOG
+    if (mctx->sc->mc->keylog_file) {
+        SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
+    }
+#endif
      
      return APR_SUCCESS;
  }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c

index 0d17ec69391b692f41e950d1c7ccf2bac9f7e44c..758cc09bb69e5e6494077ad445a86cd13a60957d 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2803,3 +2803,17 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
  }
  
  #endif /* HAVE_SRP */
+
+
+#ifdef HAVE_OPENSSL_KEYLOG
+/* Callback used with SSL_CTX_set_keylog_callback. */
+void modssl_callback_keylog(const SSL *ssl, const char *line)
+{
+    conn_rec *conn = SSL_get_app_data(ssl);
+    SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
+
+    if (sc && sc->mc->keylog_file) {
+        apr_file_printf(sc->mc->keylog_file, "%s\n", line);
+    }
+}
+#endif
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index c915a1e399244ee78e03d7d68c9fcc7ee4de5785..c415976fad05453e27b0f3e7664ef0b6172696d8 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -250,6 +250,10 @@ void free_bio_methods(void);
  #endif
  #endif
  
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define HAVE_OPENSSL_KEYLOG
+#endif
+
  /* mod_ssl headers */
  #include "ssl_util_ssl.h"
  
@@ -603,6 +607,10 @@ typedef struct {
      apr_global_mutex_t   *stapling_refresh_mutex;
  #endif
  
+#ifdef HAVE_OPENSSL_KEYLOG
+    /* Used for logging if SSLKEYLOGFILE is set at startup. */
+    apr_file_t      *keylog_file;
+#endif
  } SSLModConfigRec;
  
  /** Structure representing configured filenames for certs and keys for
@@ -963,6 +971,11 @@ int          ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
  int          ssl_callback_SRPServerParams(SSL *, int *, void *);
  #endif
  
+#ifdef HAVE_OPENSSL_KEYLOG
+/* Callback used with SSL_CTX_set_keylog_callback. */
+void         modssl_callback_keylog(const SSL *ssl, const char *line);
+#endif
+
  /**  I/O  */
  void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
  void         ssl_io_filter_register(apr_pool_t *);
author	Joe Orton <jorton@apache.org>
	Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)
committer	Joe Orton <jorton@apache.org>
	Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)
CHANGES		patch \| blob \| blame \| history
docs/log-message-tags/next-number		patch \| blob \| blame \| history
modules/ssl/ssl_engine_config.c		patch \| blob \| blame \| history
modules/ssl/ssl_engine_init.c		patch \| blob \| blame \| history
modules/ssl/ssl_engine_kernel.c		patch \| blob \| blame \| history
modules/ssl/ssl_private.h		patch \| blob \| blame \| history