Envoy: TLS keylog support

Created on 13 Mar 2020  路  7Comments  路  Source: envoyproxy/envoy

Issue Template

Title: TLS keylog support

Description:

Add support for logging TLS session keys to file(s) or a named pipe, on a per-SNI basis, using the NSS Key Log Format.

This will enable using the keylog file with tools like Wireshark to decrypt traffic.

Config can be similar to tapping with match criteria only on SNI and only one sink format (NSS_KEY_LOG). For example, the common_config could be along these lines.

Write to per-thread keylog files for everything:

common_config:
  static_config:
    match_config:
      any_match: true
    output_config:
      sinks:
        - format: NSS_KEY_LOG
          file_per_thread:
            path_prefix: /some/keylog/path

Write to a single keylog named pipe (to some other process), only for "www.example.com":

common_config:
  static_config:
    match_config:
      sni_match:
        exact_match: www.example.com
    output_config:
      sinks:
        - format: NSS_KEY_LOG
          named_pipe: /some/keylog/pipe

Relevant Links:

NSS Key Log Format: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
Wireshark support: https://wiki.wireshark.org/TLS#TLS_Decryption

Additional examples:
NetScaler support: https://support.citrix.com/article/CTX217468 (via utility)
BIG-IP support: https://support.f5.com/csp/article/K16700 (via iRule) and https://support.f5.com/csp/article/K10209 (via utility, but appears to only support older premaster secret output)
Various tools support an "SSLKEYLOGFILE" env var

aretls design proposal stale
Source
picture bhiggins

Most helpful comment

I'm planning to work on this next month.

picture bhiggins on 20 Apr 2020
👍3

All 7 comments

@ggreenway @lizan @PiotrSikora any thoughts here?

mattklein123 picture mattklein123 on 16 Mar 2020

This is previously requested in https://github.com/envoyproxy/envoy/issues/7795

I'm OK with this as long as it is default off and configured via xDS config (not env var).

lizan picture lizan on 16 Mar 2020
👍1

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 17 Apr 2020

I'm planning to work on this next month.

bhiggins picture bhiggins on 20 Apr 2020
👍3

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 20 May 2020

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

stale[bot] picture stale[bot] on 31 May 2020

Wondering if this was ever implemented?

skydoctor picture skydoctor on 17 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jeremybaumont picture jeremybaumont  路  3Comments
vpiduri picture vpiduri  路  3Comments
roelfdutoit picture roelfdutoit  路  3Comments
dstrelau picture dstrelau  路  3Comments
anatolebeuzon picture anatolebeuzon  路  3Comments