
feat: optional SSLKEYLOGFILE support #1539

Open
wants to merge 1 commit into base: master

Conversation

crepererum
Contributor

Motivation

Using SSLKEYLOGFILE is helpful when you want to intercept TLS traffic for debugging and is generally supported by many libraries and browsers. Also see: https://wiki.wireshark.org/TLS#using-the-pre-master-secret

Solution

Add a use_key_log option to server and client TLS configs that -- when set -- will enable rustls's SSLKEYLOGFILE handling.
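To make concrete what the option switches on, here is an added example (not tonic's code and not rustls's own implementation). rustls's `ClientConfig` and `ServerConfig` carry a `key_log: Arc<dyn KeyLog>`, and `rustls::KeyLogFile` appends NSS key-log lines to the path named by `SSLKEYLOGFILE`; the `KeyLog` trait below is an assumed minimal mirror of that trait, and `FileKeyLog` stands in for `KeyLogFile` so the code runs without the rustls crate. `key_log_for` is a hypothetical stand-in for the config wiring the PR describes: the sink is attached only when `use_key_log` is set and the environment names a file, otherwise the no-op sink is used.

```rust
// Added example, not tonic's or rustls's own code. Shows the NSS key-log
// line format Wireshark reads and the opt-in gating behind `use_key_log`.
use std::fs::OpenOptions;
use std::io::Write;
use std::path::Path;
use std::sync::{Arc, Mutex};

/// Minimal mirror of rustls's `KeyLog` trait (assumption: same two methods).
pub trait KeyLog: Send + Sync {
    /// Called once per secret with its NSS label, e.g. "CLIENT_RANDOM" (TLS 1.2)
    /// or "CLIENT_HANDSHAKE_TRAFFIC_SECRET" (TLS 1.3).
    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
    /// Lets the TLS stack skip exporting secrets nobody asked for.
    fn will_log(&self, _label: &str) -> bool {
        true
    }
}

/// The default sink: secrets never leave the TLS session. A config whose
/// `use_key_log` is false must end up here.
pub struct NoKeyLog;

impl KeyLog for NoKeyLog {
    fn log(&self, _label: &str, _client_random: &[u8], _secret: &[u8]) {}
    fn will_log(&self, _label: &str) -> bool {
        false
    }
}

/// Lower-case hex, which is what Wireshark's key-log parser expects.
pub fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02x}")).collect()
}

/// One NSS key-log line: `<LABEL> <client_random> <secret>`, newline-terminated.
pub fn key_log_line(label: &str, client_random: &[u8], secret: &[u8]) -> String {
    format!("{} {} {}\n", label, hex(client_random), hex(secret))
}

/// Append-only file sink standing in for `rustls::KeyLogFile` (hypothetical).
pub struct FileKeyLog {
    file: Mutex<std::fs::File>,
}

impl FileKeyLog {
    pub fn open(path: &Path) -> std::io::Result<Self> {
        // Append, never truncate: several processes may share one SSLKEYLOGFILE.
        let file = OpenOptions::new().create(true).append(true).open(path)?;
        Ok(Self { file: Mutex::new(file) })
    }
}

impl KeyLog for FileKeyLog {
    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]) {
        let line = key_log_line(label, client_random, secret);
        let mut file = self.file.lock().unwrap();
        // A failed write must not abort the handshake; the key log is best-effort.
        let _ = file.write_all(line.as_bytes());
    }
}

/// Hypothetical stand-in for the config wiring: key logging is attached only
/// when the operator opted in through the config *and* the environment names
/// a file. Every other case (including an unwritable path) yields `NoKeyLog`.
pub fn key_log_for(use_key_log: bool, sslkeylogfile: Option<&Path>) -> Arc<dyn KeyLog> {
    if !use_key_log {
        return Arc::new(NoKeyLog);
    }
    match sslkeylogfile.map(FileKeyLog::open) {
        Some(Ok(sink)) => Arc::new(sink),
        _ => Arc::new(NoKeyLog),
    }
}

fn main() {
    // Mirrors `KeyLogFile::new()`, which reads SSLKEYLOGFILE from the environment.
    let env_path = std::env::var_os("SSLKEYLOGFILE").map(std::path::PathBuf::from);
    let key_log = key_log_for(true, env_path.as_deref());
    // Constructed sample values; a real stack passes the handshake's actual secrets.
    key_log.log("CLIENT_RANDOM", &[0x01, 0x02], &[0xaa, 0xbb]);
    println!("key log active: {}", key_log.will_log("CLIENT_RANDOM"));
}
```

The two-sided gate is the point: with `use_key_log` off the environment variable is ignored entirely, so a stray `SSLKEYLOGFILE` in a production environment cannot turn on secret export; with it on, the lines written are sufficient to decrypt any capture of those sessions, so the option belongs in debugging configs only.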

@crepererum
Contributor Author

Since this is mostly config wiring and relies on the already existing rustls features, does this need a test? If so, where should this test be placed?

@tottoto
Collaborator

tottoto commented Mar 2, 2024

Seems to be related to #893.

@crepererum
Contributor Author

The solution there seems to be: just bypass tonic::transport entirely and write 100+ lines of glue-code to wire up all the components (tower, hyper, rustls) yourself. That seems doable, but somewhat defeats the purpose of tonic, i.e. having an easy-to-use client&server toolkit.

Collaborator

@tottoto tottoto left a comment


This option is useful in terms of providing debuggability, and I think the benefits are worth the additional cost of adding this option. However, @LucioFranco has already rejected adding this feature in #893 and #1102, so we need his approval.

@LucioFranco As it's been a while since your previous review, I ask you if you've changed your mind and made this acceptable. If you accept it, I think it would be good to include this in the next v0.13 release.

@tottoto tottoto requested a review from LucioFranco January 23, 2025 23:12
@tottoto tottoto added this to the 0.13 milestone Jan 23, 2025
@crepererum
Contributor Author

will rebase...

@crepererum crepererum force-pushed the crepererum/keylog branch 2 times, most recently from 961f8ac to 7bb05e8 on February 26, 2025 10:17
Add a `use_key_log` option to server and client TLS configs that -- when
set -- will enable rustls's `SSLKEYLOGFILE` handling.

This is helpful when you want to intercept TLS traffic for debugging and
is generally supported by many libraries and browsers. Also see:
https://wiki.wireshark.org/TLS#using-the-pre-master-secret
@@ -26,12 +26,14 @@ pub(crate) struct TlsConnector {
}

impl TlsConnector {
#[allow(clippy::too_many_arguments)]
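Review bot: `#[allow(clippy::too_many_arguments)]` on `impl TlsConnector` silences the lint rather than shrinking the argument list, and that list now ends in two adjacent `bool`s (`assume_http2`, `use_key_log`, per the parameter sketch in this thread), so a call site that transposes them still compiles and turns key logging on without any visible error. Prefer the `TlsConnectorParameters` struct or a builder so the flag is named at every call site and the `allow` can be dropped.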
Contributor Author


That's a bit cheating. If you want, I can refactor this, either using a parameter structure like

// One named bundle instead of seven positional arguments.
struct TlsConnectorParameters<'a> {
    ca_certs: Vec<Certificate>,
    trust_anchors: Vec<TrustAnchor<'static>>,
    identity: Option<Identity>,
    domain: &'a str,
    assume_http2: bool,
    use_key_log: bool,
}

or a builder pattern.
