Hello, Thanks for the feedback.
On Wed, 24 Jan 2024 12:20:59 +0300 Maxim Dounin <mdou...@mdounin.ru> wrote: > Hello! > > On Sun, Jan 21, 2024 at 10:37:24AM +0000, J Carter wrote: > > > # HG changeset patch > > # User J Carter <jordanc.car...@outlook.com> > > # Date 1705832811 0 > > # Sun Jan 21 10:26:51 2024 +0000 > > # Node ID b00332a5253eefb53bacc024c72f55876c2eac6e > > # Parent ee40e2b1d0833b46128a357fbc84c6e23be9be07 > > SSL: Added SSLKEYLOGFILE key material to debug logging. > > > > This patch also introduces the debug_keylog error log level flag, which > > may be used to graunually enable or ommit logging of key material via > > error level flags (note, it's always enabled when using > > debug_connection). > > > > Each line of key material is output to the error log as separate log > > message, and is prepended with 'ssl keylog: ' for convenient extraction. > > > > The purpose of logging key material is to allow external tools, such as > > wireshark/tshark, to decrypt captured TLS connections in all situations. > > > > Previously, only TLS 1.2 (and below) connections could be decrypted > > when specific ciphers suites were used, and when the decrypter had > > access to the acting server's TLS certificates and keys. It was not > > possible to decrypt TLS 1.3 traffic without generating SSLKEYLOGFILE on > > peer, or by using other hacks on nginx host (using GDB, or patched ssl > > libraries). > > Thanks for the patch. > > Logging session keying material is known to be problematic from > ethical point of view. As such, I would rather avoid introducing > relevant functionality in nginx. > > [...] > Could you expand upon your ethical concerns around logging key material over say logging / storing to disk request or response content directly from nginx ? It'd be good to have clarity for future contributions. _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
