
@exabrial
Forked from phemmer/haproxy.cfg
Created November 12, 2020 15:51
haproxy log SSL master key
global
# Load the Lua file that registers the "ssl-log-key" action used below.
lua-load haproxy.lua
frontend X
# On TLS connections, keep the hex-encoded session ID in a session-scoped
# variable so the Lua action can compare it against the current value.
tcp-request session set-var(sess.ssl_session_id) ssl_fc_session_id,hex if { ssl_fc }
# Run the Lua action on TLS connections. It writes the session ID and master
# key to the log at debug level. Those lines are key material: whoever can
# read them can decrypt a capture of the matching session, so the log target
# and its retention need to be access-controlled accordingly.
tcp-request content lua.ssl-log-key if { ssl_fc }
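--- Register the "ssl-log-key" action for tcp-req and http-req rules.
-- The action reads the front connection's TLS session ID and master key,
-- caches both in session-scoped variables, and writes one key-log line at
-- debug level whenever either value differs from the cached one.
--
-- The emitted line carries the master key in hex. Anyone able to read the
-- log can decrypt a capture of that session, so the debug log target must be
-- restricted and rotated like any other secret store.
-- NOTE(review): the "RSA Session-ID:/Master-Key:" line format is understood
-- to describe pre-TLS-1.3 sessions only -- confirm against the Wireshark
-- source linked below before relying on it for TLS 1.3 traffic.
--
-- @param txn HAProxy transaction object passed to the action.
core.register_action("ssl-log-key", { "tcp-req", "http-req" }, function(txn)
  local dolog = false

  -- Session ID: log and refresh the cache when it changed, otherwise fall
  -- back to the cached value if the fetch returned nothing.
  local ssl_session_id = txn.sc:hex(txn.sf:ssl_fc_session_id())
  local ssl_session_id_var = txn:get_var("sess.ssl_session_id")
  if ssl_session_id then
    if not ssl_session_id_var or ssl_session_id ~= ssl_session_id_var then
      dolog = true
      txn:set_var("sess.ssl_session_id", ssl_session_id)
    end
  elseif ssl_session_id_var then
    ssl_session_id = ssl_session_id_var
  end

  -- Master key: same change detection and fallback as for the session ID.
  local ssl_session_key = txn.sc:hex(txn.sf:ssl_fc_session_key())
  local ssl_session_key_var = txn:get_var("sess.ssl_session_key")
  if ssl_session_key then
    if not ssl_session_key_var or ssl_session_key ~= ssl_session_key_var then
      dolog = true
      txn:set_var("sess.ssl_session_key", ssl_session_key)
    end
  elseif ssl_session_key_var then
    -- Fix: the fallback previously assigned the cached key to ssl_session_id,
    -- overwriting the session ID and leaving ssl_session_key nil.
    ssl_session_key = ssl_session_key_var
  end

  -- Only emit a line when both halves are present; concatenating a nil value
  -- would raise a Lua error inside the action, and a line missing either
  -- field is of no use to the dissector.
  if dolog and ssl_session_id and ssl_session_key then
    local src = txn.sf:src() .. ":" .. txn.sf:src_port()
    local dst = txn.sf:dst() .. ":" .. txn.sf:dst_port()
    -- The formats supported by wireshark can be found here:
    -- https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-tls-utils.c;h=28a51fb1fb029eae5cea52d37ff5b67d9b11950f;hb=HEAD#l5209
    txn:log(core.debug, "SSL " .. src .. "/" .. dst .. " RSA Session-ID:" .. ssl_session_id .. " Master-Key:" .. ssl_session_key)
  end
end)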