Add SSLKeyLogFile support to Apache mod_ssl

Add SSLKeyLog support to Apache mod_ssl

Tested only on Linux, and only against OpenSSL 1.1.1

Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1849572)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -316,6 +316,9 @@
"OpenSSL configuration command")
#endif
+ SSL_CMD_SRV(KeyLogFile, TAKE1,
+ "File to store SSL key log to")
+
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
"SSLLog directive is no longer supported - use ErrorLog."),
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1849572)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -322,6 +322,8 @@
cfgMergeArray(ssl_ctx_param);
#endif
+ cfgMerge(key_log_file_name, NULL);
+
cfgMergeBool(ssl_check_peer_cn);
cfgMergeBool(ssl_check_peer_name);
cfgMergeBool(ssl_check_peer_expire);
@@ -2177,6 +2179,14 @@
}
#endif
+const char *ssl_cmd_SSLKeyLogFile(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->key_log_file_name = arg;
+
+ return NULL;
+}
+
#ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
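Review bot: ssl_cmd_SSLKeyLogFile stores `arg` verbatim, so a relative path is interpreted against the daemon's working directory at the apr_file_open in ssl_init_server_ctx rather than against ServerRoot, which is how mod_ssl's other file directives behave as far as I recall (they go through ap_server_root_relative, either directly or via ssl_cmd_check_file). Since the log file need not exist yet, ssl_cmd_check_file is not suitable here, but the path can still be resolved in the handler: `arg = ap_server_root_relative(cmd->pool, arg);` followed by `if (!arg) return "SSLKeyLogFile: Invalid file path";`. A one-line comment on the function saying that the file is opened later in ssl_init_server_ctx and that it receives TLS session secrets would also help the next reader find the other half of the feature.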
@@ -2605,6 +2615,8 @@
}
#endif
+ DMP_STRING("SSLKeyLogFile", ctx->key_log_file_name);
+
#ifdef HAVE_TLS_SESSION_TICKETS
if (ctx->ticket_key) {
DMP_STRING("SSLSessionTicketKeyFile", ctx->ticket_key->file_path);
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1849572)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -1708,6 +1708,7 @@
static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
{
MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
+ MODSSL_CFG_ITEM_FREE(apr_file_close, mctx->key_log_file);
#ifdef HAVE_SRP
if (mctx->srp_vbase != NULL) {
@@ -1769,6 +1770,15 @@
return APR_SUCCESS;
}
+static void ssl_keylog_callback(const SSL *ssl, const char *line)
+{
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = mySrvFromConn(c);
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ apr_file_write_full(sc->server->key_log_file, line, strlen(line), NULL);
+ apr_file_write_full(sc->server->key_log_file, "\n", 1, NULL);
+}
+
static apr_status_t ssl_init_server_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
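Review bot: ssl_keylog_callback writes the line and the newline as two separate apr_file_write_full calls on a handle that is shared by every connection of the server, so under a threaded MPM two handshakes completing at the same time can interleave their output and produce lines that key-log consumers cannot parse. It also dereferences sc->server->key_log_file without a NULL check, although the handle is resolved per connection through the SSLConnRec's server while the callback is installed per SSL_CTX; if those ever disagree (for instance around an SNI vhost switch) this is a NULL write rather than a skipped record. Writing each record with a single call and returning early when no file is configured addresses both; the two return values of apr_file_write_full are still ignored, which is acceptable for best-effort logging but worth a comment. The enclosing hunk ends in the middle of the ssl_init_server_ctx signature.
```c
static void ssl_keylog_callback(const SSL *ssl, const char *line)
{
    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
    SSLSrvConfigRec *sc = mySrvConfig(mySrvFromConn(c));
    apr_file_t *f = sc->server->key_log_file;
    char *record;

    /* Nothing configured for the server this connection resolved to. */
    if (f == NULL) {
        return;
    }

    /* Emit the record with one write so that concurrent handshakes on
     * other threads cannot interleave a line with another's newline.
     * Write errors are deliberately ignored: the key log is best effort. */
    record = apr_pstrcat(c->pool, line, "\n", NULL);
    apr_file_write_full(f, record, strlen(record), NULL);
}
```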
@@ -1916,6 +1926,18 @@
}
#endif
+ if(sc->server->key_log_file_name != NULL) {
+ rv = apr_file_open(&sc->server->key_log_file, sc->server->key_log_file_name,
+ APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_APPEND
+ |APR_FOPEN_BINARY|APR_FOPEN_NOCLEANUP,
+ APR_FPROT_OS_DEFAULT, p);
+
+ if (rv != APR_SUCCESS)
+ return rv;
+
+ SSL_CTX_set_keylog_callback(sc->server->ssl_ctx, ssl_keylog_callback);
+ }
+
SSL_CTX_set_timeout(sc->server->ssl_ctx,
sc->session_cache_timeout == UNSET ?
SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout);
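Review bot: The key log is created with APR_FPROT_OS_DEFAULT, which on POSIX is 0666 masked by the umask, so with a common umask the file that lets anyone decrypt every TLS session of this server is readable by other local users. Because httpd is still privileged at this point the file is typically created as root, but the mode is what matters; use `APR_FPROT_UREAD|APR_FPROT_UWRITE, p);` in place of the APR_FPROT_OS_DEFAULT line, and since APR_FOPEN_APPEND reuses an existing file, consider noting in the directive documentation that a pre-existing file keeps its own permissions. The failure path returns rv without any ap_log_error, so a bad path leaves the admin with a startup failure and no message naming SSLKeyLogFile or the file. SSL_CTX_set_keylog_callback only exists from OpenSSL 1.1.1 on, matching the description's "tested against 1.1.1", so the whole block should be wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` (with the directive rejected or ignored otherwise) so the module still builds against older libraries.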
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1849572)
+++ modules/ssl/ssl_private.h (working copy)
@@ -732,6 +732,10 @@
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
#endif
+ const char *key_log_file_name;
+ apr_file_t *key_log_file;
+
+
BOOL ssl_check_peer_cn;
BOOL ssl_check_peer_name;
BOOL ssl_check_peer_expire;
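Review bot: The two new modssl_ctx_t members are the only ones in this part of the struct without a trailing comment, unlike the neighbouring `ssl_ctx_param; /* parameters to pass to SSL_CTX */`, and the hunk leaves two consecutive blank lines after them. Suggested comments, grounded in the other hunks of this patch: `const char *key_log_file_name; /* SSLKeyLogFile, NULL if unset */` and `apr_file_t *key_log_file; /* opened in ssl_init_server_ctx, closed in ssl_init_ctx_cleanup; receives TLS secrets */`. The struct definition itself starts and ends outside the hunk.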
@@ -870,6 +874,8 @@
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
#endif
+const char *ssl_cmd_SSLKeyLogFile(cmd_parms *cmd, void *dcfg, const char *arg);
+
#ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);