Add keylog support on QUIC client #5231
303ef34 to 8d22a40
I don't think we should have it in application code because the application would need to deal with a variety of SSL libraries directly. Current approach looks good to me.
8d22a40 to a3743cd
a3743cd to ac2aa37
```cpp
{
  QUICTLS *qtls = static_cast<QUICTLS *>(SSL_get_ex_data(ssl, QUIC::ssl_quic_tls_index));
  const char *keylog_file = qtls->keylog_file();
  std::ofstream file(keylog_file, std::ios_base::app);
```
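Review bot: in this snippet `qtls` returned by `SSL_get_ex_data` is dereferenced without a null check, and within the visible lines the result of `std::ofstream file(keylog_file, std::ios_base::app)` is not checked with `file.is_open()`, so a null `keylog_file` or an unwritable path would fail silently with no secret written and nothing reported. Suggest `if (qtls == nullptr) return;` before the dereference and `if (!file.is_open()) { /* log the path and return */ }` after the open, and, as the thread already notes, opening the stream once per session instead of inside every callback invocation.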
How many times will this function be called? Doesn't it overwrite this file every time?
9 times for each session. The app open mode seeks to the eos before write, iiuc.
So it opens and closes the file 9 times; it doesn't sound great.
Also, in that case, does it mean I need to remove the file before I start new session?
I agree it's not ideal, but it's not a big deal for traffic_quic. For origin server side connections or server side connections, this could be a problem. But when we support it, it needs some changes to dump keys for each connection. And proxy.config.quic.client.session_file has the same problem. So these should be fixed at the same time and it's out of scope for this PR.
As long as you're using Wireshark, you don't need to remove it. It can find the correct key.
Then please create an issue or put a TODO comment for the future work at least. I'm not going to stop you but I don't like leaving a trap like this.
ac2aa37 to f327406
This is quite handy for debugging. Wireshark can decrypt captured QUIC packets with the dumped keys.
The format is NSS Key Log Format.
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_keylog_callback.html
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
But I'm not sure we should add this under iocore/net/quic/. I wanted to put this code under src/traffic_quic/, but it requires a handle to tweak SSL_CTX from there. Any ideas?
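The two points the thread raises, the NSS Key Log Format that Wireshark consumes and the cost of reopening the file on every callback, as an added example that is not Apache Traffic Server code. It assumes nothing from OpenSSL beyond the opaque `SSL` type, which is forward-declared here so the file compiles without the library, and it stands in for the per-connection `SSL_get_ex_data` lookup with a single process-wide sink (`g_keylog`, hypothetical). The sample line and its hex values are constructed, not real secrets.

```cpp
// Added example, not Apache Traffic Server code. Shows (1) a validator for NSS Key Log
// Format lines and (2) a keylog sink opened once and appended to, instead of reopened
// per callback. OpenSSL's SSL type is only forward-declared so this compiles without
// OpenSSL; the callback signature matches what SSL_CTX_set_keylog_callback expects.
#include <cctype>
#include <fstream>
#include <ostream>
#include <sstream>
#include <string>
#include <vector>

struct ssl_st;              // opaque in OpenSSL too (typedef struct ssl_st SSL)
typedef struct ssl_st SSL;

// Labels OpenSSL 1.1.1 writes for TLS 1.3 (what QUIC uses); CLIENT_RANDOM is the TLS 1.2 form.
static const std::vector<std::string> kKeyLogLabels = {
  "CLIENT_RANDOM",
  "CLIENT_EARLY_TRAFFIC_SECRET",
  "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
  "SERVER_HANDSHAKE_TRAFFIC_SECRET",
  "CLIENT_TRAFFIC_SECRET_0",
  "SERVER_TRAFFIC_SECRET_0",
  "EXPORTER_SECRET",
};

static bool is_hex(const std::string &s)
{
  if (s.empty()) return false;
  for (unsigned char c : s) {
    if (!std::isxdigit(c)) return false;
  }
  return true;
}

// A line is "<LABEL> <client_random: 32 bytes = 64 hex chars> <secret: hex>" and nothing else.
bool is_valid_keylog_line(const std::string &line)
{
  std::istringstream in(line);
  std::string label, client_random, secret, extra;
  if (!(in >> label >> client_random >> secret)) return false;
  if (in >> extra) return false;          // trailing fields are not part of the format
  bool known = false;
  for (const auto &l : kKeyLogLabels) {
    if (l == label) known = true;
  }
  if (!known) return false;
  if (client_random.size() != 64 || !is_hex(client_random)) return false;
  return is_hex(secret) && secret.size() % 2 == 0;
}

// Writes validated lines to a stream that stays open for the sink's lifetime. OpenSSL calls
// the keylog callback once per secret, several times per handshake, so the owner opens the
// stream exactly once rather than on every call.
class KeyLogSink
{
public:
  explicit KeyLogSink(std::ostream &out) : out_(out) {}
  bool write(const std::string &line)
  {
    if (!out_.good() || !is_valid_keylog_line(line)) return false;  // never corrupt the file Wireshark reads
    out_ << line << '\n';
    out_.flush();                       // tools tail the file; don't leave secrets sitting in a buffer
    return out_.good();
  }
private:
  std::ostream &out_;
};

// File-backed sink: opened once, in append mode, and checked before use.
class KeyLogFile
{
public:
  explicit KeyLogFile(const std::string &path) : file_(path, std::ios_base::app), sink_(file_) {}
  bool ok() const { return file_.is_open(); }
  bool write(const std::string &line) { return ok() && sink_.write(line); }
private:
  std::ofstream file_;   // declared before sink_ so it is constructed first
  KeyLogSink sink_;
};

// Hypothetical stand-in for the per-connection lookup the real code does with SSL_get_ex_data().
static KeyLogFile *g_keylog = nullptr;

// Callback with SSL_CTX_set_keylog_callback's signature; `ssl` is not dereferenced here.
void keylog_callback(const SSL *ssl, const char *line)
{
  (void)ssl;
  if (g_keylog != nullptr && line != nullptr) {
    g_keylog->write(line);
  }
}

// Constructed sample (not real secrets): a 32-byte client random and a 32-byte secret, both hex.
const std::string kSampleRandom(64, 'a');
const std::string kSampleLine = "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + kSampleRandom + " " + std::string(64, 'b');

// Feeds one valid and one malformed line through a sink; returns how many were accepted.
int demo_lines_written()
{
  std::ostringstream out;
  KeyLogSink sink(out);
  int accepted = 0;
  if (sink.write(kSampleLine)) ++accepted;
  if (sink.write("not a keylog line")) ++accepted;
  return accepted;   // 1
}
```

To use the file-backed sink, construct one `KeyLogFile` per process (or per session, once per-connection dumping is added), check `ok()` once at startup so an unwritable path is reported instead of silently dropping secrets, and point `g_keylog` at it before registering `keylog_callback`.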