
Support key log writer for debugging

author Alberto Bertogli
2024-05-11 18:18:59 UTC
committer Alberto Bertogli
2024-05-11 18:40:19 UTC
parent d14a7e24fedfa008fef882188f55f34578b858fd

Support key log writer for debugging

This patch adds an option to make gofer write TLS key logs to a file in
HTTPS connections, which is useful when debugging TLS-encrypted
sessions.

This is insecure and should only be used for debugging purposes, so it is
not documented for now, and it is not expected to be a stable part of
the configuration.

config/config.go +3 -0
test/01-fe.yaml +2 -0
util/util.go +15 -1

diff --git a/config/config.go b/config/config.go
index 5447c9d..8fa6281 100644
--- a/config/config.go
+++ b/config/config.go
@@ -42,6 +42,9 @@ type HTTPS struct {
 	HTTP      `yaml:",inline"`
 	Certs     string    `yaml:",omitempty"`
 	AutoCerts AutoCerts `yaml:"autocerts,omitempty"`
+
+	// Where to write key log files for debugging TLS.
+	InsecureKeyLogFile string `yaml:"insecure_key_log_file,omitempty"`
 }
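Review bot: The doc comment on the new InsecureKeyLogFile field says where the log goes but not what the cost of enabling it is, and since this is the only place an operator editing the YAML will see it, that is the place to spell it out. I would expand the comment to something like `// InsecureKeyLogFile, if set, is a path where the TLS session secrets of this listener are written for debugging (e.g. to decrypt captures). Anyone who can read that file can decrypt all traffic on the listener; leave it unset outside debugging.` The yaml tag and the field itself are fine as they are.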
 
 type AutoCerts struct {
diff --git a/test/01-fe.yaml b/test/01-fe.yaml
index a96a406..6520695 100644
--- a/test/01-fe.yaml
+++ b/test/01-fe.yaml
@@ -59,6 +59,7 @@ https:
     routes: *routes
     reqlog:
       "/": "requests"
+    insecure_key_log_file: ".01-fe.8442.tls-secrets.txt"
 
   ":8443":
     autocerts:
@@ -68,6 +69,7 @@ https:
     routes: *routes
     reqlog:
       "/": "requests"
+    insecure_key_log_file: ".01-fe.8443.tls-secrets.txt"
 
 
 # Raw proxy to the same backend.
diff --git a/util/util.go b/util/util.go
index e5aca8d..8bd74b6 100644
--- a/util/util.go
+++ b/util/util.go
@@ -13,6 +13,7 @@ import (
 
 	"blitiri.com.ar/go/gofer/config"
 	"blitiri.com.ar/go/gofer/trace"
+	"blitiri.com.ar/go/log"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 )
@@ -32,6 +33,13 @@ func LoadCertsForHTTPS(conf config.HTTPS) (*tls.Config, error) {
 		// for us.
 		tlsConfig.NextProtos = append(tlsConfig.NextProtos,
 			"h2", "http/1.1")
+
+		if conf.InsecureKeyLogFile != "" {
+			log.Infof("INSECURE TLS key log is enabled, writing to %q",
+				conf.InsecureKeyLogFile)
+			tlsConfig.KeyLogWriter, err = os.Create(conf.InsecureKeyLogFile)
+		}
+
 		return tlsConfig, err
 	}
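Review bot: `os.Create` on the added line creates the key log with mode 0666 before umask, so under a common 022 umask the file holding the TLS session secrets ends up world-readable; the same call appears again in the later hunk of this file (the `tlsConf.KeyLogWriter, err = os.Create(...)` line before the final return). Both sites should open the file with owner-only permissions, e.g. `os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)`; appending rather than truncating also keeps secrets from earlier runs usable when decrypting a longer capture. Since the two blocks are otherwise identical (log line plus open), a small helper removes the duplication and keeps the permission choice in one place. Note that on an open failure the interface field receives a typed-nil `*os.File`, which is harmless only because `err` is returned alongside it; the enclosing LoadCertsForHTTPS starts before this hunk.
```go
		if conf.InsecureKeyLogFile != "" {
			tlsConfig.KeyLogWriter, err = openKeyLog(conf.InsecureKeyLogFile)
		}
		// … unchanged: return tlsConfig, err …

// openKeyLog opens the TLS key log for appending with owner-only permissions.
// The file receives session secrets, so it must never be group- or world-readable.
func openKeyLog(path string) (*os.File, error) {
	log.Infof("INSECURE TLS key log is enabled, writing to %q", path)
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
}
```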
 
@@ -80,7 +88,13 @@ func LoadCertsForHTTPS(conf config.HTTPS) (*tls.Config, error) {
 		return cert, err
 	}
 
-	return tlsConf, nil
+	if conf.InsecureKeyLogFile != "" {
+		log.Infof("INSECURE TLS key log is enabled, writing to %q",
+			conf.InsecureKeyLogFile)
+		tlsConf.KeyLogWriter, err = os.Create(conf.InsecureKeyLogFile)
+	}
+
+	return tlsConf, err
 }
 
 func cachePath(confDir string) string {