mitmproxy and debug message in console
On Mon, 5 May 2025 at 22:20, Theo Buehler <tb@theobuehler.org> wrote:

> On Mon, May 05, 2025 at 10:03:35PM +0200, LWS wrote:
> > So I don't understand why they should not be supported by libssl.
>
> The software uses python bindings to libssl. libssl establishes the keys,
> so it must support the keylog functionality for the software to be able
> to use it. Since libssl doesn't support it, the mitm software can't.
>
> Specifically, it tries to use this function if the env var is set:
>
> https://man.openbsd.org/SSL_CTX_set_keylog_callback
>
> Since the function does nothing, SSLKEYLOG doesn't work.
>

ok, thank you. Very kind indeed. Now everything is perfectly clear.

> > I know that the variable has been disabled in firefox for security reasons,
> > but not in chromium.
>
> The SSLKEYLOG functionality is controversial. People expect it to be
> available just because some popular implementations decided to add it.
>

So it is an OpenBSD decision, although it is not clear to me if it is a security design decision or rather a standards adherence decision, since it seems to me that the software that implements this feature does it outside the standards.

My idea was to pass my traffic to mitmproxy and then forward it to suricata, but it seems that mitmproxy does not support pcap. So I thought of exporting the key and then using wireshark to decrypt the traffic and then pass it to suricata. But this path is also not viable.

Anyway, thank you very much.