https://bugs.openldap.org/show_bug.cgi?id=10332
Issue ID: 10332
Summary: Add support for SSLKEYLOGFILE environment variable to export keys for Wireshark decryption
Product: OpenLDAP
Version: 2.6.9
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: michael.osipov@siemens.com
Target Milestone: ---
Please add support to do the following:

SSLKEYLOGFILE=keylog.txt ldapsearch -H ldaps://...
Other libraries and tools support it to decrypt the TLS traffic with Wireshark for analysis purposes.
Curl has a simple, but complete implementation: https://github.com/curl/curl/blob/e008f71f435a39875d86885a96b2eb8968a60fd4/l...
Maybe it can be reused if the license allows that?!
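What the request amounts to on the OpenSSL side, as an added illustration (not OpenLDAP's code and not curl's): read SSLKEYLOGFILE once, open the file for append with mode 0600 because it holds session secrets, and hand OpenSSL a callback that writes each NSS-format line it receives. OpenSSL 1.1.1 and later deliver those lines through SSL_CTX_set_keylog_callback(); the callback below has that signature, but to stay buildable without libssl the block uses a stand-in SSL typedef and does not make the registration call itself. All keylog_* names and the SAMPLE_* hex values are assumptions made for this example, and the line checker and line counter are added only so the format can be verified offline. Note that libldap also supports GnuTLS, which this example does not cover.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for OpenSSL's SSL handle so the block compiles without libssl;
 * a real libldap build would #include <openssl/ssl.h> instead. */
typedef struct ssl_st SSL;

/* Constructed sample values (not from a real session): 32-byte client
 * random and 48-byte TLS 1.2 master secret, hex-encoded. */
#define SAMPLE_CLIENT_RANDOM "0123456789abcdef0123456789abcdef" \
                             "0123456789abcdef0123456789abcdef"
#define SAMPLE_MASTER_SECRET SAMPLE_CLIENT_RANDOM \
                             "0123456789abcdef0123456789abcdef"

static FILE *keylog_fp = NULL;

/* Open the key log for append, creating it 0600 since it will hold session
 * secrets. Returns 0 on success, -1 if no path was given or open fails. */
int keylog_open(const char *path)
{
    int fd;
    if (keylog_fp != NULL) return 0;              /* already open */
    if (path == NULL || *path == '\0') return -1; /* feature not requested */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    keylog_fp = fdopen(fd, "a");
    if (keylog_fp == NULL) { close(fd); return -1; }
    return 0;
}

/* The convention the report asks for: honour $SSLKEYLOGFILE. */
int keylog_open_from_env(void) { return keylog_open(getenv("SSLKEYLOGFILE")); }

void keylog_close(void)
{
    if (keylog_fp != NULL) { fclose(keylog_fp); keylog_fp = NULL; }
}

/* Same signature as the callback OpenSSL's SSL_CTX_set_keylog_callback()
 * takes: one NSS-format line per secret, no trailing newline. Flushing per
 * line lets Wireshark follow the file during a live capture. */
void keylog_callback(const SSL *ssl, const char *line)
{
    (void)ssl;
    if (keylog_fp == NULL || line == NULL) return;
    fputs(line, keylog_fp);
    fputc('\n', keylog_fp);
    fflush(keylog_fp);
}

static int is_hex_run(const char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Check one line against the NSS key log format Wireshark reads:
 *   <LABEL> <64 hex chars of ClientRandom> <hex secret, whole bytes>
 * LABEL is CLIENT_RANDOM for TLS 1.2 and e.g. CLIENT_TRAFFIC_SECRET_0 for
 * TLS 1.3. Returns 1 if well-formed, else 0. */
int keylog_line_ok(const char *line)
{
    const char *p = line, *sp;
    size_t n;
    while (isupper((unsigned char)*p) || isdigit((unsigned char)*p) || *p == '_')
        p++;
    if (p == line || *p != ' ') return 0;
    p++;
    sp = strchr(p, ' ');
    if (sp == NULL || (size_t)(sp - p) != 64 || !is_hex_run(p, 64)) return 0;
    p = sp + 1;
    n = strcspn(p, "\r\n");
    return (n > 0 && n % 2 == 0 && is_hex_run(p, n)) ? 1 : 0;
}

/* Count well-formed lines in an existing key log; -1 if it cannot be read. */
int keylog_count_valid_lines(const char *path)
{
    char buf[1024];
    int count = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    while (fgets(buf, sizeof buf, fp) != NULL)
        if (keylog_line_ok(buf)) count++;
    fclose(fp);
    return count;
}
```

In a libldap build the two pieces to wire up are keylog_open_from_env() when the TLS context is initialised and, if it returned 0, SSL_CTX_set_keylog_callback(ctx, keylog_callback) on the freshly created SSL_CTX. The 0600 mode and the explicit opt-in through the environment variable are the security-relevant parts: anyone who can read the file can decrypt every captured session it covers.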
--- Comment #1 from Howard Chu <hyc@openldap.org> ---
Generally we don't do anything special for TLS traffic since libldap's debug output already includes both the raw data and the decrypted data. There's no reason to rely on 3rd party tools here.
--- Comment #2 from michael.osipov@innomotics.com ---
(In reply to Howard Chu from comment #1)
> Generally we don't do anything special for TLS traffic since libldap's debug output already includes both the raw data and the decrypted data. There's no reason to rely on 3rd party tools here.
Well, the debug output is a mere dump, but the decrypted traffic makes it perfectly readable in Wireshark to analyze issues in a structured way. The hex dump does not provide that. It is very tedious to copy hex data to an ASN.1 parser and have them displayed. Wireshark does everything effortlessly.