tls: cli option to enable TLS key logging to file #30055

sam-github · 2019-10-22T03:52:22Z

Debugging HTTPS or TLS connections from a Node.js app with (for example)
Wireshark is unreasonably difficult without the ability to get the TLS
key log. In theory, the application can be modified to use the
'keylog' event directly, but for complex apps, or apps that define
there own HTTPS Agent (like npm), this is unreasonably difficult.

Use of the option triggers a warning to be emitted so the user is
clearly notified of what is happening and its effect.

Checklist

make -j4 test (UNIX), or vcbuild test (Windows) passes
tests and/or benchmarks are included
documentation is changed or added
commit message follows commit guidelines

nodejs-github-bot · 2019-10-22T19:18:19Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26149/

sam-github · 2019-10-22T19:18:41Z

@bnoordhuis now explicitly setting the file mode to 0o600

doc/api/cli.md

nodejs-github-bot · 2019-10-23T21:41:48Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26174/

Debugging HTTPS or TLS connections from a Node.js app with (for example) Wireshark is unreasonably difficult without the ability to get the TLS key log. In theory, the application can be modified to use the `'keylog'` event directly, but for complex apps, or apps that define there own HTTPS Agent (like npm), this is unreasonably difficult. Use of the option triggers a warning to be emitted so the user is clearly notified of what is happening and its effect.

nodejs-github-bot · 2019-11-19T21:25:38Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26761/

nodejs-github-bot · 2019-11-20T06:23:58Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26771/

nodejs-github-bot · 2019-11-20T08:48:42Z

CI: https://ci.nodejs.org/job/node-test-pull-request/26775/

Debugging HTTPS or TLS connections from a Node.js app with (for example) Wireshark is unreasonably difficult without the ability to get the TLS key log. In theory, the application can be modified to use the `'keylog'` event directly, but for complex apps, or apps that define there own HTTPS Agent (like npm), this is unreasonably difficult. Use of the option triggers a warning to be emitted so the user is clearly notified of what is happening and its effect. PR-URL: nodejs#30055 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]>

sam-github · 2019-11-20T16:01:23Z

Landed in 80efb80

Debugging HTTPS or TLS connections from a Node.js app with (for example) Wireshark is unreasonably difficult without the ability to get the TLS key log. In theory, the application can be modified to use the `'keylog'` event directly, but for complex apps, or apps that define there own HTTPS Agent (like npm), this is unreasonably difficult. Use of the option triggers a warning to be emitted so the user is clearly notified of what is happening and its effect. PR-URL: #30055 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]>

There's a typo that causes only the first socket to be logged (i.e. when the warning is emitted). In addition, server sockets aren't logged because `keylog` events are not emitted on tls.Server, not the socket. This behaviour is counterintuitive and has caused more bugs in the past, so make all sockets (server or client) emit 'keylog'. tls.Server will just re-emit these events. Refs: nodejs#30055

There's a typo that causes only the first socket to be logged (i.e. when the warning is emitted). In addition, server sockets aren't logged because `keylog` events are not emitted on tls.Server, not the socket. This behaviour is counterintuitive and has caused more bugs in the past, so make all sockets (server or client) emit 'keylog'. tls.Server will just re-emit these events. Refs: #30055 PR-URL: #33366 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Juan José Arboleda <[email protected]>

There's a typo that causes only the first socket to be logged (i.e. when the warning is emitted). In addition, server sockets aren't logged because `keylog` events are not emitted on tls.Server, not the socket. This behaviour is counterintuitive and has caused more bugs in the past, so make all sockets (server or client) emit 'keylog'. tls.Server will just re-emit these events. Refs: nodejs#30055 PR-URL: nodejs#33366 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Juan José Arboleda <[email protected]>

nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. tls Issues and PRs related to the tls subsystem. labels Oct 22, 2019

sam-github force-pushed the tls-keylog-option branch from bd82f36 to 404e854 Compare October 22, 2019 04:06

addaleax approved these changes Oct 22, 2019

View reviewed changes

addaleax added cli Issues and PRs related to the Node.js command line interface. semver-minor PRs that contain new features and should be released in the next minor version. labels Oct 22, 2019

cjihrig approved these changes Oct 23, 2019

View reviewed changes

doc/api/cli.md Outdated Show resolved Hide resolved

danbev approved these changes Oct 23, 2019

View reviewed changes

bnoordhuis approved these changes Oct 23, 2019

View reviewed changes

sam-github force-pushed the tls-keylog-option branch from 01afc1d to bf07cfc Compare October 23, 2019 21:40

jasnell approved these changes Oct 26, 2019

View reviewed changes

sam-github force-pushed the tls-keylog-option branch from bf07cfc to 6037b80 Compare November 18, 2019 20:05

sam-github force-pushed the tls-keylog-option branch from 6037b80 to 88b645b Compare November 19, 2019 03:48

Trott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Nov 20, 2019

sam-github closed this Nov 20, 2019

sam-github deleted the tls-keylog-option branch November 20, 2019 16:01

BridgeAR mentioned this pull request Nov 21, 2019

v13.2.0 proposal #30547

Merged

targos mentioned this pull request Jan 15, 2020

v12.15.0 release proposal #31368

Closed

mildsunrise mentioned this pull request Jan 30, 2020

https: client support for TLS keylog events #30053

Closed

4 tasks

mildsunrise mentioned this pull request Jan 30, 2020

Optionally log master secrets for TLS connections #2363

Closed

MylesBorins mentioned this pull request Feb 8, 2020

v12.16.0 proposal #31691

Merged

mildsunrise mentioned this pull request May 12, 2020

tls: fix --tls-keylog option #33366

Closed

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tls: cli option to enable TLS key logging to file #30055

tls: cli option to enable TLS key logging to file #30055

sam-github commented Oct 22, 2019 •

edited

Loading

nodejs-github-bot commented Oct 22, 2019

sam-github commented Oct 22, 2019

nodejs-github-bot commented Oct 23, 2019

nodejs-github-bot commented Nov 19, 2019

nodejs-github-bot commented Nov 20, 2019

nodejs-github-bot commented Nov 20, 2019

sam-github commented Nov 20, 2019

tls: cli option to enable TLS key logging to file #30055

tls: cli option to enable TLS key logging to file #30055

Conversation

sam-github commented Oct 22, 2019 • edited Loading

Checklist

nodejs-github-bot commented Oct 22, 2019

sam-github commented Oct 22, 2019

nodejs-github-bot commented Oct 23, 2019

nodejs-github-bot commented Nov 19, 2019

nodejs-github-bot commented Nov 20, 2019

nodejs-github-bot commented Nov 20, 2019

sam-github commented Nov 20, 2019

sam-github commented Oct 22, 2019 •

edited

Loading