@tiran (Member) commented Oct 21, 2018

The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

  • API review
  • whatsnew entry
  • More tests

https://bugs.python.org/issue34271

@jmfrank63

I made a first test setting the env variable SSLKEYLOGFILE from python and creating the file from there as well. Currently the ~ resolution does not seem to work, but besides that using the simple client socket example from the ssl docs I was able to grab the keys and log them into the file the env variable was pointing to. I was on a Mac and installed [email protected] via homebrew.

@tiran (Member, Author)

SSLKEYLOGFILE only works if you

  • have OpenSSL 1.1.1 installed. OpenSSL 1.1.0 or 1.0.2 don't have a keylog callback API. Linux distributions like Debian and Fedora just started to include 1.1.1 in their latest test versions.
  • use ssl.create_default_context(). A custom ssl.SSLContext doesn't use SSLKEYLOGFILE.

I decided against expanding ~ to the user's home directory, because neither curl nor NSS expands it.
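The conditions listed in the comment above, as an added example that is not part of the pull request or of CPython's own code: it expands `~` itself, creates the keylog file owner-only because it holds secrets that decrypt captured traffic, and compares what a default and a custom context report. The helper names and the `tls-keys.log` file name are assumptions made for illustration.

```python
import os
import ssl
import stat
import tempfile

# True only when the ssl module was built against an OpenSSL that has the
# keylog callback API (1.1.1 or later, per the thread).
KEYLOG_SUPPORTED = hasattr(ssl.SSLContext, "keylog_filename")


def prepare_keylog(path):
    """Expand ~ ourselves and create the file owner-only before ssl opens it."""
    path = os.path.abspath(os.path.expanduser(path))
    # Mode 0o600: anyone who can read this file can decrypt the logged sessions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return path


def compare_contexts(path):
    """Return keylog_filename as seen by a default and a custom context."""
    path = prepare_keylog(path)
    saved = os.environ.get("SSLKEYLOGFILE")
    os.environ["SSLKEYLOGFILE"] = path
    try:
        default_ctx = ssl.create_default_context()
        custom_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        return {
            "path": path,
            "default": getattr(default_ctx, "keylog_filename", None),
            "custom": getattr(custom_ctx, "keylog_filename", None),
            "mode": stat.S_IMODE(os.stat(path).st_mode),
        }
    finally:
        if saved is None:
            os.environ.pop("SSLKEYLOGFILE", None)
        else:
            os.environ["SSLKEYLOGFILE"] = saved


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(compare_contexts(os.path.join(d, "tls-keys.log")))
```

Unset SSLKEYLOGFILE and delete the file once the debugging session is over, since the variable is inherited by every child process.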

@jmfrank63

I wrote some basic examples showing this works very well. Thanks to https://github.com/jmfrank63/ssl-examples/commits?author=nikosgraser for providing the requests example.

@tiran force-pushed the bpo-34271-ssldebug branch 3 times, most recently from e938b5b to 3f17e9f (May 29, 2019 09:42)

@tiran (Member, Author)

@zooba Could you please do me a favor and try the patch on Windows? One of the test cases is failing on Windows and I don't understand why.

======================================================================
FAIL: test_keylog_env (test.test_ssl.TestSSLDebug)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\projects\cpython\lib\test\test_ssl.py", line 4488, in test_keylog_env
    self.assertEqual(ctx.keylog_filename, support.TESTFN)
AssertionError: None != '@test_4872_tmp'
----------------------------------------------------------------------

@tiran changed the title from "[WIP] bpo-34271: Add ssl debugging helpers" to "bpo-34271: Add ssl debugging helpers" (May 29, 2019)

@tiran force-pushed the bpo-34271-ssldebug branch 4 times, most recently from ea3fd14 to 8bbb6df (May 30, 2019 12:50)

@tiran (Member, Author)

@zooba One Windows test case was failing because the ignore_environment flag was set. I'm now skipping the test case if the flag is set.

@tiran requested a review from vstinner (May 30, 2019 20:55)
tiran added 2 commits May 31, 2019 11:25
The ssl module now can dump key material to a keylog file and trace TLS protocol messages with a tracing callback. The default and stdlib contexts also support SSLKEYLOGFILE env var.
The msg_callback and related enums are now private members. The feature is designed for internal debugging and not for end users. Signed-off-by: Christian Heimes <[email protected]>
@tiran force-pushed the bpo-34271-ssldebug branch from 1894a5e to 9bbf7a4 (May 31, 2019 09:25)
@tiran changed the title from "bpo-34271: Add ssl debugging helpers" to "bpo-34271: Add ssl debugging helpers (GH-10031)" (May 31, 2019)
@tiran merged commit c7f7069 into python:master (May 31, 2019)
@tiran deleted the bpo-34271-ssldebug branch (May 31, 2019 09:44)
DinoV pushed a commit to DinoV/cpython that referenced this pull request Jan 14, 2020
The ssl module now can dump key material to a keylog file and trace TLS protocol messages with a tracing callback. The default and stdlib contexts also support SSLKEYLOGFILE env var. The msg_callback and related enums are private members. The feature is designed for internal debugging and not for end users. Signed-off-by: Christian Heimes <[email protected]>