I'm writing today to seek comments on a doc change around the global
parameter tune.ssl.keylog.
configuration.txt says "This option activates the logging of the TLS
keys." but that isn't quite the case. This option facilitates data
collection by several listed fetches and by itself does not generate any
new logging. Some users might expect new log output by enabling this
option, leading to confusion.
My recommendation is to change the language to be more explicit, like
"This option is required for the below listed fetches which facilitate
logging secrets for TLS 1.3. It should be used with care as it will
consume more memory per SSL session and could decrease performances.
This is disabled by default."
Later it is mentioned "If you want to generate the content of a
SSLKEYLOGFILE with TLS < 1.3, you only need this line:" but it is not
clear that those two listed fetches do not require tune.ssl.keylog.
I would like to add a clarifying statement after the CLIENT_RANDOM
example like "These fetches do not require tune.ssl.keylog."
--
Daniel Epperson
Sr. Systems Engineer
https://www.haproxy.com/
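To make the distinction the message is asking the documentation to state explicit, here is an added configuration example (it is not from the message above nor from the HAProxy documentation itself). The certificate path, listening ports, backend name and server address are placeholders. The first frontend produces SSLKEYLOGFILE lines for TLS < 1.3 and needs nothing in `global`; the second uses the TLS 1.3 secret fetches, which only return data when `tune.ssl.keylog on` is set, at the cost of extra memory per SSL session. Whatever receives these logs holds session decryption material, so the log target should be treated with the same care as a private key store and the setting enabled only while a capture is being debugged.

```haproxy
global
    # Sends log lines to stdout in raw form; point this at a restricted
    # file or syslog target in practice (placeholder destination).
    log stdout format raw local0
    # Needed only by the TLS 1.3 secret fetches in fe_tls13_keylog below.
    # It makes every SSL session keep its secrets in memory; the
    # CLIENT_RANDOM/ssl_fc_session_key pair does not depend on it.
    tune.ssl.keylog on

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# TLS < 1.3: one CLIENT_RANDOM line per connection, usable directly as
# an SSLKEYLOGFILE. Works with tune.ssl.keylog left at its default (off).
frontend fe_tls12_keylog
    bind :8443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path
    log global
    log-format "CLIENT_RANDOM %[ssl_fc_client_random,hex] %[ssl_fc_session_key,hex]"
    default_backend be_app

# TLS 1.3: one line per secret label, keyed by the client random. These
# fetches are empty unless tune.ssl.keylog is enabled in global.
# The *_traffic_secret and *_exporter_secret fetches already return
# hexadecimal strings, so only the client random needs the hex converter.
frontend fe_tls13_keylog
    bind :9443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path
    log global
    log-format "CLIENT_EARLY_TRAFFIC_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_client_early_traffic_secret]\nCLIENT_HANDSHAKE_TRAFFIC_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_client_handshake_traffic_secret]\nSERVER_HANDSHAKE_TRAFFIC_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_server_handshake_traffic_secret]\nCLIENT_TRAFFIC_SECRET_0 %[ssl_fc_client_random,hex] %[ssl_fc_client_traffic_secret_0]\nSERVER_TRAFFIC_SECRET_0 %[ssl_fc_client_random,hex] %[ssl_fc_server_traffic_secret_0]\nEXPORTER_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_exporter_secret]\nEARLY_EXPORTER_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_early_exporter_secret]"
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080   # placeholder upstream
```

A quick way to confirm the behaviour the message describes is to start HAProxy with `tune.ssl.keylog` commented out: connections to the first frontend still log a complete `CLIENT_RANDOM` line, while the second frontend logs the TLS 1.3 labels with empty secret fields, which is exactly the "nothing new appears" outcome that the current wording of `configuration.txt` can lead a reader to misread as a logging failure.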