Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 4349] Add support for TLS key logs

Date: Mon, 25 Jan 2010 10:01:52 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4349

--- Comment #16 from Adam Langley <agl@xxxxxxxxxxxx> 2010-01-25 10:01:47 PST ---
(In reply to comment #15)
> - IO channels are not (yet) used within Wireshark, I'm no expert on portability
> (which the IO channels seem to be aiming for), but the documentation says:
> "Currently full support is available on UNIX platforms, support for Windows is
> only partially complete.". I think the use of IO channels should be discussed
> on wireshark-dev first

Have changed IO channels to stdio. I didn't have any particular reason for
using them, I just noticed that wireshark was using glib and I checked for file
handing functions in the glib reference.

> - I'm not a fan of rereading the key-log file for each SSL negotiation in the
> tracefile. I would suggest loading the PMS from file when the dissector
> initiates, just like it is done for the certificates.

The reason for the constant re-reading of the keylog file is that my typical
use case is that the client is running concurrently with wireshark on the same
host. So the client writes the keylog line just before writing to the socket
and then wireshark can find it a few milliseconds later.

> It would be nice to have
> this "PMS cache" implemented in such a way it can be used to export the keys
> too (when decryption was based on a certificate), as a start for implementing
> bug 3444.

Agreed. But I'm going to punt on that for now :)

> - Please don't use C++ style comments, Wireshark is using ANSI-C for
> portability.

Fixed

> - I've already checked in the "entrypted" spelling error fix :-)  (SVN: 31628)

Dropped.

> Now that the export function is in NSS, will it be available in the official
> Firefox/Chrome releases? Or does a custom debug version must be built?

The code is only compiled into NSS if you build it with DEBUG and TRACE
defined. (This is mainly for security reasons: we wouldn't want this stuff in
normal builds). However, NSS and libssl3 are shared libraries, so you can build
NSS in debug mode and set LD_LIBRARY_PATH to use them with Firefox.

(Chrome is a little different. Chrome has its own copy of libssl because we
have local patches. There you would need to build *Chrome* in debug mode.)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.