8000 feat: Support dumping TLS key log in NSS format for debugging by siketyan · Pull Request #267 · symfony-cli/symfony-cli · GitHub
[go: up one dir, main page]
Skip to content

feat: Support dumping TLS key log in NSS format for debugging #267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 8, 2023
Merged

feat: Support dumping TLS key log in NSS format for debugging #267

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f655a2d
feat: Support dumping TLS keylog in NSS format for debugging
siketyan Feb 8, 2023
4b61b18
feat: Support 'SSLKEYLOGFILE' environment variable
siketyan Feb 8, 2023
66fe833
feat: Show warning message if TLS key logging is enabled
siketyan Feb 8, 2023
91696a4
feat: Prefer environment variable than config or console argument
siketyan Feb 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions commands/local_server_start.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ import (
)

var localWebServerProdWarningMsg = "The local web server is optimized for local development and MUST never be used in a production setup."
var localWebServerTlsKeyLogWarningMsg = "Logging TLS master key is enabled. It means TLS connections between the client and this server will be INSECURE. This is NOT recommended unless you are debugging the connections."

var localServerStartCmd = &console.Command{
Category: "local",
Expand All @@ -68,6 +69,10 @@ var localServerStartCmd = &console.Command{
&console.StringFlag{Name: "p12", Usage: "Name of the file containing the TLS certificate to use in p12 format"},
&console.BoolFlag{Name: "no-tls", Usage: "Use HTTP instead of HTTPS"},
&console.BoolFlag{Name: "use-gzip", Usage: "Use GZIP"},
&console.StringFlag{
Name: "tls-key-log-file",
Usage: "Destination for TLS master secrets in NSS key log format",
},
},
Action: func(c *console.Context) error {
ui := terminal.SymfonyStyle(terminal.Stdout, terminal.Stdin)
Expand Down Expand Up @@ -169,6 +174,17 @@ var localServerStartCmd = &console.Command{
}
}

// If 'SSLKEYLOGFILE' environment variable is set, uses this as a destination of TLS key log.
// In this context, the name 'SSLKEYLOGFILE' is common, so using 'SSL' instead of 'TLS' name.
// This environment variable is preferred than the key log file from the console argument.
if path := os.Getenv("SSLKEYLOGFILE"); path != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's possible to let console take care of this by specifying EnvVars on the associated flags.
See #268

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not know about flags handling environment variables.
Thank you for the refactoring!

config.TlsKeyLogFile = path
}

if config.TlsKeyLogFile != "" {
ui.Warning(localWebServerTlsKeyLogWarningMsg)
}

lw, err := pidFile.LogWriter()
if err != nil {
return err
Expand Down
13 changes: 13 additions & 0 deletions local/http/http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ package http
import (
"crypto/tls"
"fmt"
"io"
"net"
"net/http"
"os"
Expand Down Expand Up @@ -53,6 +54,7 @@ type Server struct {
Logger zerolog.Logger
Appversion string
UseGzip bool
TlsKeyLogFile string

httpserver *http.Server
httpsserver *http.Server
Expand Down Expand Up @@ -111,13 +113,24 @@ func (s *Server) Start(errChan chan error) (int, error) {
return port, errors.WithStack(err)
}

var keyLogWriter io.Writer
if s.TlsKeyLogFile != "" {
w, err := os.OpenFile(s.TlsKeyLogFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
if err != nil {
return port, errors.WithStack(err)
}

keyLogWriter = w
}

s.httpsserver = &http.Server{
Handler: proxyHandler,
TLSConfig: &tls.Config{
PreferServerCipherSuites: true,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
Certificates: []tls.Certificate{cert},
NextProtos: []string{"h2", "http/1.1"},
KeyLogWriter: keyLogWriter,
},
}

Expand Down
13 changes: 8 additions & 5 deletions local/project/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,11 @@ type Config struct {
PKCS12 string `yaml:"p12"`
Logger zerolog.Logger
AppVersion string
AllowHTTP bool `yaml:"allow_http"`
NoTLS bool `yaml:"no_tls"`
Daemon bool `yaml:"daemon"`
UseGzip bool `yaml:"use_gzip"`
AllowHTTP bool `yaml:"allow_http"`
NoTLS bool `yaml:"no_tls"`
Daemon bool `yaml:"daemon"`
UseGzip bool `yaml:"use_gzip"`
TlsKeyLogFile string `yaml:"tls_key_log_file"`
}

type FileConfig struct {
Expand Down Expand Up @@ -104,10 +105,12 @@ func NewConfigFromContext(c *console.Context, projectDir string) (*Config, *File
if c.IsSet("daemon") {
config.Daemon = c.Bool("daemon")
}

if c.IsSet("use-gzip") {
config.UseGzip = c.Bool("use-gzip")
}
if c.IsSet("tls-key-log-file") {
config.TlsKeyLogFile = c.String("tls-key-log-file")
}

return config, fileConfig, nil
}
Expand Down
1 change: 1 addition & 0 deletions local/project/project.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ func New(c *Config) (*Project, error) {
AllowHTTP: c.AllowHTTP,
UseGzip: c.UseGzip,
Appversion: c.AppVersion,
TlsKeyLogFile: c.TlsKeyLogFile,
},
}
if err != nil {
Expand Down
0