SSLKEYLOGFILE not working with curl-for-win build #13672

Closed
jay opened this issue May 16, 2024 Discussed in #13665 · 3 comments
Labels
TLS Windows Windows-specific

Comments

jay commented May 16, 2024

From discussion #13665, the reporter @glslang is using the official curl for Windows build 8.7.1 64-bit and SSLKEYLOGFILE is not working. A blank file is created and nothing is written.

```
curl 8.7.1 (x86_64-w64-mingw32) libcurl/8.7.1 LibreSSL/3.9.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.0 ngtcp2/1.5.0 nghttp3/1.3.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd
```

I can reproduce with the same build. With curl 8.7.1 and OpenSSL, SSLKEYLOGFILE works, so I suspect this is an issue with how we coded it for LibreSSL.

@jay jay added Windows Windows-specific TLS labels May 16, 2024

botovq commented May 16, 2024

LibreSSL doesn't really support the keylog mechanism. The API exists since a number of things don't properly test and guard for it, but it is a noop.


glslang commented May 16, 2024

And I guess the reason to use LibreSSL on Windows is because it makes for easier builds? Or just a preference in general due to possible security considerations?

jay added a commit to jay/curl that referenced this issue May 17, 2024
- Revert to the legacy TLS 1.2 key logging code for LibreSSL.

Prior to this change if the user specified a filename in the
SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then
an empty file would be created and no keys would be logged.

This is effectively a revert of e43474b which changed openssl.c to use
SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL
added that function only as a stub that doesn't actually do anything.

Reported-by: Gonçalo Carvalho

Fixes curl#13672
Closes #xxxx

jay commented May 17, 2024

> LibreSSL doesn't really support the keylog mechanism. The API exists since a number of things don't properly test and guard for it, but it is a noop.

Thanks, I missed that on review when we enabled support. I am proposing #13682 to revert to the legacy TLS 1.2 logging for LibreSSL. Is there a way we can extract TLS 1.3 secrets with LibreSSL?

> And I guess the reason to use LibreSSL on Windows is because it makes for easier builds? Or just a preference in general due to possible security considerations?

There were a number of reasons, see curl/curl-for-win#44

/cc @vszakats
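As an added diagnostic, not code from curl or from anyone in this thread, the following Python checker reads an NSS-format key log file and reports whether it is empty (the symptom reported above), holds only CLIENT_RANDOM entries from the legacy TLS 1.2 path, or also holds TLS 1.3 traffic secrets that only a working keylog callback can produce. The label set is the one Wireshark accepts for this format; the sample entry and its hex values are constructed, not real secrets.

```python
import re
from collections import Counter

# NSS key log labels. CLIENT_RANDOM carries the TLS 1.2 master secret that the
# legacy curl code path writes itself; the other labels only come from the
# library's keylog callback (SSL_CTX_set_keylog_callback) during TLS 1.3.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return (list of (label, client_random, secret), list of problems)."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed entry")
            continue
        label, client_random, secret = m.groups()
        nbytes = len(secret) // 2
        if label in TLS12_LABELS and nbytes != 48:  # master secret is 48 bytes
            problems.append(f"line {lineno}: master secret is {nbytes} bytes, expected 48")
        elif label in TLS13_LABELS and nbytes not in (32, 48):  # SHA-256 / SHA-384
            problems.append(f"line {lineno}: {label} is {nbytes} bytes, expected 32 or 48")
        elif label not in TLS12_LABELS | TLS13_LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
        else:
            entries.append((label, client_random.lower(), secret.lower()))
    return entries, problems


def diagnose(text):
    """Classify a key log file by which TLS versions it can decrypt."""
    entries, problems = parse_keylog(text)
    labels = Counter(label for label, _, _ in entries)
    if not entries:
        verdict = "empty"       # nothing usable was logged, as in this issue
    elif labels.keys() <= TLS12_LABELS:
        verdict = "tls12-only"  # legacy CLIENT_RANDOM path, no TLS 1.3 secrets
    else:
        verdict = "tls13"
    return verdict, dict(labels), problems


# Constructed sample: one TLS 1.2 entry with made-up (non-secret) hex values.
SAMPLE_TLS12 = "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
```

Run `diagnose(open(path).read())` on the file named by SSLKEYLOGFILE; a "tls12-only" verdict against an HTTPS host that negotiated TLS 1.3 means the callback path is not delivering secrets.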

@jay jay closed this as completed in 9aae9bf May 20, 2024