Hello,

On 12.06.2017 at 19:35, Patrick Hemmer wrote:
> Would we be able to get a new sample which provides the SSL session
> master-key?
> This is so that when performing packet captures with ephemeral ciphers
> (DHE), we can decrypt the traffic in the capture.

There is no master key. What you need is the key for the symmetric
crypto, and you cannot extract it from haproxy currently.

More importantly, OpenSSL implements this functionality only in the master
branch (see [1] and [2]), none of the release branches actually have
this functionality.
So we need OpenSSL to release a new branch with this functionality
(1.1.1), we have to implement it in haproxy and then still it will only
work for <=TLSv1.2.

TLSv1.3 will need additional secrets and a different key logging API [3].


I suggest you use SSLKEYLOGFILE features in the browsers at this point,
as the functionality is far from being ready for any OpenSSL based
application.


Regards,
Lukas

[1]
https://github.com/openssl/openssl/commit/2faa1b48fd6864f6bb8f992fd638378202fdd416
[2]
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_keylog_callback.html
[3] https://github.com/openssl/openssl/pull/2287
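
The difference between TLSv1.2 and TLSv1.3 key logging mentioned in the message is visible in the SSLKEYLOGFILE text format itself. The following Python is an added example, not part of the original email and not haproxy or OpenSSL code; it assumes the NSS key log label names and checks, per client random, whether a log holds enough secrets to decrypt a capture. The function names and the sample values are constructed for illustration.

```python
import re

TLS12_LABEL = "CLIENT_RANDOM"  # TLS <= 1.2: one master secret per session
# TLS 1.3: separate client/server secrets for handshake and application data
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}, skipping comments."""
    sessions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(3)) % 2:
            raise ValueError(f"line {lineno}: not a key log entry")
        label, ident, secret = m.group(1), m.group(2).lower(), bytes.fromhex(m.group(3))
        # Legacy "RSA" lines key on the encrypted premaster, not a client random.
        if label != "RSA" and len(ident) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        if label == TLS12_LABEL and len(secret) != 48:
            raise ValueError(f"line {lineno}: master secret must be 48 bytes")
        sessions.setdefault(ident, {})[label] = secret
    return sessions

def classify(labels):
    """Tell whether the logged secrets cover a whole session of that version."""
    present = set(labels)
    if TLS12_LABEL in present:
        return "tls12-complete"
    if present & TLS13_REQUIRED:
        return "tls13-complete" if TLS13_REQUIRED <= present else "tls13-incomplete"
    return "unknown"

def report(text):
    """Map each session identifier in the log to its classification."""
    return {ident: classify(labels) for ident, labels in parse_keylog(text).items()}

# Constructed sample input: all values below are made up for this example.
SAMPLE = "\n".join(
    ["# constructed key log", f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}"]
    + [f"{label} {'22' * 32} {'bb' * 32}" for label in sorted(TLS13_REQUIRED)]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'cc' * 32}"]
)

if __name__ == "__main__":
    for ident, status in report(SAMPLE).items():
        print(ident[:8], status)
```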