Re: [PATCH 0/2] Re: Logging SSL pre-master-key

2018-04-30 Thread Willy Tarreau
On Sat, Apr 28, 2018 at 07:15:44PM -0400, Patrick Hemmer wrote: > After much delay, I've addressed the requested changes as a new patch. Both patches merged now (with SMP_F_CONST removed as noticed by Emeric). Thanks! Willy

[PATCH 0/2] Re: Logging SSL pre-master-key

2018-04-28 Thread Patrick Hemmer
On 2017/6/30 10:32, Willy Tarreau wrote: > Hi Patrick, > > On Fri, Jun 30, 2017 at 10:28:11AM -0400, Patrick Hemmer wrote: >>> The issue I'm having is that there's no notification >>> that this will not work. Using #ifdef ensures that what is not supported will >>> report an error. Then the user

Re: Logging SSL pre-master-key

2017-06-30 Thread Willy Tarreau
Hi Patrick, On Fri, Jun 30, 2017 at 10:28:11AM -0400, Patrick Hemmer wrote: > > The issue I'm having is that there's no notification > > that this will not work. Using #ifdef ensures that what is not supported > > will > > report an error. Then the user looks at the keyword in the doc and reads

Re: Logging SSL pre-master-key

2017-06-30 Thread Patrick Hemmer
On 2017/6/30 01:00, Willy Tarreau wrote: > Hi Patrick, sorry for the delay :-/ > > On Mon, Jun 19, 2017 at 01:54:36PM -0400, Patrick Hemmer wrote: >> Well my argument for keeping the name starting with `ssl_fc_session_` is >> that there is also `ssl_fc_session_id`. These 2 fetches pull their >>

Re: Logging SSL pre-master-key

2017-06-30 Thread Emmanuel Hocdet
Hi Willy, Patrick > On 30 June 2017 at 07:00, Willy Tarreau wrote: > > Hi Patrick, sorry for the delay :-/ > > On Mon, Jun 19, 2017 at 01:54:36PM -0400, Patrick Hemmer wrote: >> Well my argument for keeping the name starting with `ssl_fc_session_` is >> that there is also

Re: Logging SSL pre-master-key

2017-06-29 Thread Willy Tarreau
Hi Patrick, sorry for the delay :-/ On Mon, Jun 19, 2017 at 01:54:36PM -0400, Patrick Hemmer wrote: > Well my argument for keeping the name starting with `ssl_fc_session_` is > that there is also `ssl_fc_session_id`. These 2 fetches pull their > attribute from the same "session" structure. They

Re: Logging SSL pre-master-key

2017-06-23 Thread Willy Tarreau
Hi Patrick, On Thu, Jun 22, 2017 at 03:57:18PM -0400, Patrick Hemmer wrote: > Haven't heard anything back about the consistency aspect, so here's an > updated patch with the other changes not affected by user experience > consistency. Sorry, I've been quite busy these last days and didn't have

Re: Logging SSL pre-master-key

2017-06-22 Thread Patrick Hemmer
On 2017/6/19 13:54, Patrick Hemmer wrote: > > > On 2017/6/17 00:00, Willy Tarreau wrote: >> Hi Patrick, >> >> On Fri, Jun 16, 2017 at 09:36:30PM -0400, Patrick Hemmer wrote: >>> The main reason I had for supporting the older code is that it seems >>> many (most?) linux distros, such as the one we

Re: Logging SSL pre-master-key

2017-06-19 Thread Patrick Hemmer
On 2017/6/17 00:00, Willy Tarreau wrote: > Hi Patrick, > > On Fri, Jun 16, 2017 at 09:36:30PM -0400, Patrick Hemmer wrote: >> The main reason I had for supporting the older code is that it seems >> many (most?) linux distros, such as the one we use (CentOS/7), still >> ship with 1.0.1 or 1.0.2.

Re: Logging SSL pre-master-key

2017-06-16 Thread Willy Tarreau
Hi Patrick, On Fri, Jun 16, 2017 at 09:36:30PM -0400, Patrick Hemmer wrote: > The main reason I had for supporting the older code is that it seems > many (most?) linux distros, such as the one we use (CentOS/7), still > ship with 1.0.1 or 1.0.2. However since this is a minor change and a >

Re: Logging SSL pre-master-key

2017-06-16 Thread Patrick Hemmer
On 2017/6/16 09:34, Willy Tarreau wrote: > Hi Patrick, > > On Mon, Jun 12, 2017 at 07:31:36PM -0400, Patrick Hemmer wrote: >> I patched my haproxy to add a ssl_fc_session_key fetch, and with the >> value I was able to decrypt my test sessions encrypted with >>

Re: Logging SSL pre-master-key

2017-06-16 Thread Willy Tarreau
Hi Patrick, On Mon, Jun 12, 2017 at 07:31:36PM -0400, Patrick Hemmer wrote: > I patched my haproxy to add a ssl_fc_session_key fetch, and with the > value I was able to decrypt my test sessions encrypted with > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. > > Since the implementation was fairly easy,

Re: Logging SSL pre-master-key

2017-06-16 Thread Emmanuel Hocdet
Hi Patrick, Lukas > On 13 June 2017 at 19:26, Lukas Tribus wrote: > > Hi Patrick, > > > On 13.06.2017 at 01:31, Patrick Hemmer wrote: >> >> >> On 2017/6/12 15:14, Lukas Tribus wrote: >>> Hello, >>> >>> >>> On 12.06.2017 at 19:35, Patrick Hemmer wrote: Would we be

Re: Logging SSL pre-master-key

2017-06-13 Thread Lukas Tribus
Hi Patrick, On 13.06.2017 at 01:31, Patrick Hemmer wrote: > > > On 2017/6/12 15:14, Lukas Tribus wrote: >> Hello, >> >> >> On 12.06.2017 at 19:35, Patrick Hemmer wrote: >>> Would we be able to get a new sample which provides the SSL session >>> master-key? >>> This is so that when performing

Re: Logging SSL pre-master-key

2017-06-12 Thread Patrick Hemmer
On 2017/6/12 15:14, Lukas Tribus wrote: > Hello, > > > On 12.06.2017 at 19:35, Patrick Hemmer wrote: >> Would we be able to get a new sample which provides the SSL session >> master-key? >> This is so that when performing packet captures with ephemeral ciphers >> (DHE), we can decrypt the

Re: Logging SSL pre-master-key

2017-06-12 Thread Lukas Tribus
Hello, On 12.06.2017 at 19:35, Patrick Hemmer wrote: > Would we be able to get a new sample which provides the SSL session > master-key? > This is so that when performing packet captures with ephemeral ciphers > (DHE), we can decrypt the traffic in the capture. There is no master key. What you

Logging SSL pre-master-key

2017-06-12 Thread Patrick Hemmer
Would we be able to get a new sample which provides the SSL session master-key? This is so that when performing packet captures with ephemeral ciphers (DHE), we can decrypt the traffic in the capture. -Patrick