> On 28 Sep 2016, at 11:11, Cory Benfield <c...@lukasa.co.uk> wrote:
> 
> So what do the OpenSSL developers think? Do we need the compile flag, or is 
> some lower bar sufficient?

It was brought to my attention that BoringSSL takes an alternative approach to 
this problem: they allow users to register a callback for key logging 
purposes[0]. Essentially, this allows application developers to opt-in to 
generating a key log file in whatever manner they see fit, whether that be by 
setting SSLKEYLOGFILE in the environment or some other configuration option.

This approach seems like it is likely to be the most generally appealing 
approach: for anyone who desperately wants SSLKEYLOGFILE behaviour they can 
code it in at their own application level with very little difficulty, while 
anyone who is more concerned about environment variables can choose other 
methods of configuration. Applications can opt out entirely by simply never 
calling the set callback function, or by calling it for all new contexts with 
an explicit NULL pointer, and it allows a single libssl shared object to have 
multiple key logging behaviours for different aspects of the same application.

This approach would definitely work for my use-cases: if everyone in the 
OpenSSL team is happy with it, I’d be happy to write up and submit a patch for 
it.

Cory

[0]: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_keylog_callback
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
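As an added illustration of the opt-in callback approach discussed in this message (example code, not part of Cory's mail and not BoringSSL's or OpenSSL's own code): the application registers a callback with the signature BoringSSL documents at [0], `void (*)(const SSL *ssl, const char *line)`, and decides for itself whether the log path comes from SSLKEYLOGFILE or from its own configuration. The helper names keylog_open, keylog_write and keylog_close are assumed, and the block forward-declares the opaque SSL type so it builds without libssl headers.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

/* Opaque SSL type, forward-declared as libssl does, so this builds without
 * OpenSSL headers. With them the application registers per context with
 * SSL_CTX_set_keylog_callback(ctx, keylog_cb); passing NULL opts it out. */
typedef struct ssl_st SSL;

static FILE *keylog_fp; /* NULL: key logging disabled, the default */

/* Opt in. The application picks where the path comes from, for example
 * keylog_open(getenv("SSLKEYLOGFILE")) or its own config option. The file
 * is created 0600 and append-only so several contexts can share one log. */
int keylog_open(const char *path)
{
    int fd = (path && *path) ? open(path, O_WRONLY | O_CREAT | O_APPEND, 0600) : -1;
    keylog_fp = fd >= 0 ? fdopen(fd, "a") : NULL;
    if (fd >= 0 && keylog_fp == NULL)
        close(fd);
    return keylog_fp != NULL;
}

/* Append one NSS-format line (no trailing newline expected). Returns 1 if
 * written, 0 if dropped because the application has not opted in. */
int keylog_write(const char *line)
{
    if (keylog_fp == NULL || fprintf(keylog_fp, "%s\n", line) < 0)
        return 0;
    fflush(keylog_fp);
    return 1;
}

/* The callback itself, with the signature BoringSSL expects. */
void keylog_cb(const SSL *ssl, const char *line)
{
    (void)ssl;
    keylog_write(line);
}

/* Close the log; returns 1 if it was open, 0 if logging was never enabled. */
int keylog_close(void)
{
    int was_open = keylog_fp != NULL;
    if (was_open)
        fclose(keylog_fp);
    keylog_fp = NULL;
    return was_open;
}
```

Every line the callback receives is a record that decrypts captured traffic, which is why the file is created 0600 rather than with fopen's default mode.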
