Author njs
Recipients christian.heimes, jmfrank63, jonozzz, njs, yan12125
Date 2018-09-26.08:05:25
I didn't know this, but apparently the SSLKEYLOGFILE envvar is a de-facto standard: Chrome, Firefox, and libcurl all check for this envvar, and if found they log TLS secrets to the file in a specific format.

Reports of projects supporting this:


Also, people are using gross ctypes hacks to convince Python to do this too:

Also, now that I know this exists I kind of wish it was supported because I've been frustrated by this problem before myself :-).

My first thought was that the ssl module should provide methods to extract the various secret values (e.g., wrappers for SSL_SESSION_get_master_key and SSL_get_client_random), and leave the environment variable checking to user code. But... looking at the file format docs, it appears that TLS 1.3 has more and different secrets than previous versions, and trying to expose all these different pieces seems pretty messy. If we simply implement SSLKEYLOGFILE, that would give people what they want, and since we would be writing it out ourselves we could make it handle different TLS versions internally without exposing that complexity as part of the API.

We would of course have to disable this if -E was passed on the command line.

As an FYI to anyone looking at this bug, Christian (the main ssl module maintainer) is generally *very* overloaded, so I would say that the chances of this actually being implemented go *way* up if someone puts together a PR.
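
Added example, not part of the original message and not CPython code: a strict reader for the key log line format (label, 32-byte client random, secret, all hex) that groups entries per connection and shows how TLS 1.3 sessions log several labelled secrets where older versions log one CLIENT_RANDOM line. The function names, the `keylog_path` helper modelling the -E rule, and the sample values are assumptions constructed for illustration.

```python
import re

# Labels that only TLS 1.3 sessions write; older versions write CLIENT_RANDOM.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# <label> <client random: 64 hex chars> <secret: whole bytes in hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}; '#' lines are comments."""
    sessions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a valid key log entry")
        label, client_random, secret = m.groups()
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            raise ValueError(f"line {lineno}: master secret must be 48 bytes")
        sessions.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return sessions


def tls_version_family(secrets):
    """Classify one session by which labels were logged for it."""
    return "TLS 1.3" if set(secrets) & TLS13_LABELS else "TLS 1.2 or earlier"


def keylog_path(environ, ignore_environment):
    """Path from SSLKEYLOGFILE, or None when -E (ignore_environment) is set."""
    return None if ignore_environment else (environ.get("SSLKEYLOGFILE") or None)


# Constructed sample: the hex values are filler, not secrets from a real session.
SAMPLE = "\n".join([
    "# constructed example",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
])
```

In a real interpreter the second argument to `keylog_path` would be `sys.flags.ignore_environment`, with `os.environ` as the first.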
Date                 User  Action  Args
2018-09-26 08:05:25  njs   set     recipients: + njs, christian.heimes, jonozzz, yan12125, jmfrank63
2018-09-26 08:05:25  njs   set     messageid: <>
2018-09-26 08:05:25  njs   link    issue34271 messages
2018-09-26 08:05:25  njs   create