haproxy log SSL master key
global
    # Loads the Lua file that registers the "ssl-log-key" action used below.
    lua-load haproxy.lua

frontend X
    # Cache the TLS session id (hex) in a session-scoped variable at session
    # start, so the Lua action can detect a changed id and log only on change.
    tcp-request session set-var(sess.ssl_session_id) ssl_fc_session_id,hex if { ssl_fc }
    # Emits "RSA Session-ID:<id> Master-Key:<key>" to the global log (debug
    # level) for Wireshark decryption.
    # SECURITY: the master key in the log decrypts the recorded session; anyone
    # who can read the log sink can decrypt the traffic. Enable only for
    # debugging and protect the log destination accordingly.
    tcp-request content lua.ssl-log-key if { ssl_fc }
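-- HAProxy Lua action "ssl-log-key".
--
-- Logs the TLS session ID and master key of the front connection as
--   SSL <src>/<dst> RSA Session-ID:<hex id> Master-Key:<hex key>
-- which is the "RSA Session-ID / Master-Key" key-log line format Wireshark
-- accepts, so captured traffic can be decrypted offline.
--
-- SECURITY: the master key decrypts every byte of the recorded session.
-- Whoever can read the log sink (syslog, files, a central collector) can
-- decrypt the traffic, so enable this only for debugging and protect the
-- log destination. The line is emitted at core.debug, so it only shows up
-- when the configured log level includes debug.
--
-- NOTE(review): "RSA Session-ID:... Master-Key:..." is the legacy (<= TLS 1.2)
-- key-log line; TLS 1.3 sessions need per-secret CLIENT_*/SERVER_* lines that
-- the ssl_fc_session_key fetch does not provide -- confirm against the
-- HAProxy/OpenSSL version in use.
--
-- The action runs on every tcp-request content / http-request evaluation.
-- To avoid one line per request, the last seen id and key are cached in the
-- session variables sess.ssl_session_id / sess.ssl_session_key and a line is
-- written only when one of them changes (new session, renegotiation).
--
-- Wireshark key-log parsing lives in epan/dissectors/packet-tls-utils.c:
-- https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-tls-utils.c
-- (search that file for the "Master-Key:" format string).
core.register_action("ssl-log-key", { "tcp-req", "http-req" }, function(txn)
  -- Reconcile a freshly fetched value with its cached session variable.
  -- Returns the value to log (fetched value, else the cached one, else nil)
  -- and whether the cache was updated (i.e. the value is new or changed).
  local function refresh(var_name, fetched)
    local cached = txn:get_var(var_name)
    if fetched then
      if not cached or fetched ~= cached then
        txn:set_var(var_name, fetched)
        return fetched, true
      end
      return fetched, false
    end
    -- Fetch yielded nothing: fall back to whatever was cached (may be nil).
    return cached, false
  end

  local ssl_session_id, id_changed =
    refresh("sess.ssl_session_id", txn.sc:hex(txn.sf:ssl_fc_session_id()))
  local ssl_session_key, key_changed =
    refresh("sess.ssl_session_key", txn.sc:hex(txn.sf:ssl_fc_session_key()))

  -- Only log when something changed AND both halves are present: a line
  -- missing either value is useless to Wireshark, and concatenating nil
  -- would raise a Lua error inside the action.
  if (id_changed or key_changed) and ssl_session_id and ssl_session_key then
    local src = txn.sf:src() .. ":" .. txn.sf:src_port()
    local dst = txn.sf:dst() .. ":" .. txn.sf:dst_port()
    txn:log(core.debug, "SSL " .. src .. "/" .. dst
      .. " RSA Session-ID:" .. ssl_session_id
      .. " Master-Key:" .. ssl_session_key)
  end
end)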
Where does txn:log send its log entries?
I found the answer, it'll go out the global log. https://www.haproxy.com/blog/introduction-to-haproxy-logging
Here is the whole link in the comment: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-tls-utils.c;h=28a51fb1fb029eae5cea52d37ff5b67d9b11950f;hb=HEAD#l5209
edit: that hostname no longer resolves, so here is the code on GitLab https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-tls-utils.c, but that commit doesn't exist there and the line number no longer lines up. Searching the file for the "Master-Key:" format string used in the log line should locate the key-log parsing code. If anyone can find the right line number please post back, thanks!
Works perfectly!
Thanks.