
bpo-34271: Add ssl debugging helpers (GH-10031) #10031


Merged
merged 2 commits into from
May 31, 2019


tiran
Member

@tiran tiran commented Oct 21, 2018

The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

  • API review
  • whatsnew entry
  • More tests

https://bugs.python.org/issue34271

@jmfrank63

I made a first test setting the env variable SSLKEYLOGFILE from Python and creating the file from there as well. Currently the ~ resolution does not seem to work, but besides that, using the simple client socket example from the ssl docs, I was able to grab the keys and log them into the file the env variable was pointing to. I was on a Mac and installed [email protected] via homebrew.

@tiran
Member Author

tiran commented Oct 24, 2018

SSLKEYLOGFILE only works if you

  • have OpenSSL 1.1.1 installed. OpenSSL 1.1.0 or 1.0.2 don't have a keylog callback API. Linux distributions like Debian and Fedora just started to include 1.1.1 in their latest test versions.
  • use ssl.create_default_context(). A custom ssl.SSLContext doesn't use SSLKEYLOGFILE.

I decided against expanding ~ to the user's home directory, because neither curl nor NSS expands it.
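
The two conditions in the comment above, checked from Python. This is an added example, not code from the PR or from CPython; `keylog_supported`, `keylog_exposure` and `compare_contexts` are hypothetical helper names, and the key log path is a constructed temporary file. `keylog_exposure` is the check a defender would run to see whether a process started with this environment would write TLS secrets to disk.

```python
import os
import ssl
import sys
import tempfile


def keylog_supported():
    """True when this build exposes the keylog API (needs OpenSSL 1.1.1+)."""
    return hasattr(ssl.SSLContext, "keylog_filename")


def keylog_exposure(env=None):
    """Path that default contexts would write TLS secrets to, or None."""
    env = os.environ if env is None else env
    path = env.get("SSLKEYLOGFILE")
    # With python -E / -I, ignore_environment is set and the variable is skipped.
    if not path or not keylog_supported() or sys.flags.ignore_environment:
        return None
    return path


def compare_contexts(keylog_path):
    """Return keylog_filename of (default context, custom context)."""
    saved = os.environ.get("SSLKEYLOGFILE")
    os.environ["SSLKEYLOGFILE"] = keylog_path
    try:
        default_ctx = ssl.create_default_context()            # reads the env var
        custom_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # does not
        return (getattr(default_ctx, "keylog_filename", None),
                getattr(custom_ctx, "keylog_filename", None))
    finally:
        # Restore the caller's environment.
        if saved is None:
            os.environ.pop("SSLKEYLOGFILE", None)
        else:
            os.environ["SSLKEYLOGFILE"] = saved


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keys.log")  # constructed sample path
        print("OpenSSL:", ssl.OPENSSL_VERSION)
        print("default, custom:", compare_contexts(path))
    print("current exposure:", keylog_exposure())
```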

@jmfrank63

I wrote some basic examples showing this works very well. Thanks to https://github.com/jmfrank63/ssl-examples/commits?author=nikosgraser for providing the requests example.

@tiran tiran force-pushed the bpo-34271-ssldebug branch 3 times, most recently from e938b5b to 3f17e9f Compare May 29, 2019 09:42
@tiran
Member Author

tiran commented May 29, 2019

@zooba Could you please do me a favor and try the patch on Windows? One of the test cases is failing on Windows and I don't understand why.

======================================================================
FAIL: test_keylog_env (test.test_ssl.TestSSLDebug)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\projects\cpython\lib\test\test_ssl.py", line 4488, in test_keylog_env
    self.assertEqual(ctx.keylog_filename, support.TESTFN)
AssertionError: None != '@test_4872_tmp'
----------------------------------------------------------------------

@tiran tiran changed the title [WIP] bpo-34271: Add ssl debugging helpers bpo-34271: Add ssl debugging helpers May 29, 2019
@tiran tiran force-pushed the bpo-34271-ssldebug branch 4 times, most recently from ea3fd14 to 8bbb6df Compare May 30, 2019 12:50
@tiran
Member Author

tiran commented May 30, 2019

@zooba One Windows test case was failing because the ignore_environment flag was set. I'm now skipping the test case if the flag is set.

@tiran tiran requested a review from vstinner May 30, 2019 20:55
tiran added 2 commits May 31, 2019 11:25
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.
The msg_callback and related enums are now private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes <[email protected]>
@tiran tiran force-pushed the bpo-34271-ssldebug branch from 1894a5e to 9bbf7a4 Compare May 31, 2019 09:25
@tiran tiran changed the title bpo-34271: Add ssl debugging helpers bpo-34271: Add ssl debugging helpers (GH-10031) May 31, 2019
@tiran tiran merged commit c7f7069 into python:master May 31, 2019
@tiran tiran deleted the bpo-34271-ssldebug branch May 31, 2019 09:44
DinoV pushed a commit to DinoV/cpython that referenced this pull request Jan 14, 2020
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

The msg_callback and related enums are private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes <[email protected]>