Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread Ion Larranaga Azcue
IIUC not quite. There is an API, so the application that uses the library can get the keys. The application can then save it to

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread Yoav Nir

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread Richard Barnes

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread R du Toit
On Thursday, 15 March 2018 05:51:31 CET Yoav Nir wrote: At the risk of stating the obvious, it’s because server

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread Salz, Rich
This is what OpenSSL provides: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_keylog_callback.html

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread Yoav Nir
So what’s the flag in openssl.conf that makes it generate a file with all the keys? There isn’t one. I guess the presumption is that if there was an RFC it would be easier to get the powers that be to make it happen. It likely needs to be in the main branch to be ubiquitous, because many

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-15 Thread Hubert Kario
On Thursday, 15 March 2018 05:51:31 CET Yoav Nir wrote:
> At the risk of stating the obvious, it’s because server owners want to use the same OpenSSL, NSS, SChannel, or whatever you call the Java library that everybody else uses. They’re all widely used, actively maintained, and essentially

Re: [TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-14 Thread Yoav Nir
At the risk of stating the obvious, it’s because server owners want to use the same OpenSSL, NSS, SChannel, or whatever you call the Java library that everybody else uses. They’re all widely used, actively maintained, and essentially free. None of these libraries support any of this

[TLS] TLS interception technologies that can be used with TLS 1.3

2018-03-14 Thread Watson Ladd
One can either use a static DH share, save the ephemerals on the servers and export them, or log all the data on the servers. These options don't require any change to the wire protocol: they just require vendors supporting them. Why don't they meet the needs cited? Sincerely, Watson