
Support SSL keylog with QUIC #35339

Open
bkeshari opened this issue Jul 22, 2024 · 8 comments
Labels: area/quic · enhancement (Feature requests. Not bugs or questions.) · no stalebot (Disables stalebot from closing an issue)

Comments

@bkeshari

bkeshari commented Jul 22, 2024

Support SSL keylog with QUIC

Currently, although the 'key_log' configuration is accepted without any errors or warnings, it doesn't work as expected with QUIC. Only the file gets generated but without any content. This functionality would be very useful for troubleshooting and understanding behaviours/issues.

Example configuration:

```yaml
- transport_socket:
    name: envoy.transport_sockets.quic
    typed_config:
      '@type': type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
      downstream_tls_context:
        common_tls_context:
          tls_certificates:
          - certificate_chain:
              filename: ./certs/servercert.pem
            private_key:
              filename: ./certs/serverkey.pem
          key_log:
            path: ./key_log_file
```

After discussing with Greg Greenway, this seems to be a known limitation in TLS context config with quic transport sockets ( #25418 ).
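The symptom above is a key log file that is created but stays empty. As an added check (not Envoy, QUICHE or BoringSSL code), the following Python validates a file in the NSS key log format that BoringSSL's keylog callback emits and that Envoy writes at `key_log.path`: it parses each line, groups secrets by client random (one TLS/QUIC connection each), and reports whether any connection carries the full TLS 1.3 secret set a decryptor such as Wireshark needs to follow a QUIC connection in both directions. QUIC uses TLS 1.3 only, so a `CLIENT_RANDOM` entry would indicate a TLS 1.2 session rather than QUIC. The sample inputs and the secret values are constructed; the `./key_log_file` path is the one from the configuration above and is assumed to exist when run as a script.

```python
"""Sanity-check an NSS-format key log file written for a QUIC (TLS 1.3) listener.

Added example; not code from Envoy, QUICHE or BoringSSL.
"""
import re
import sys
from collections import Counter

# TLS 1.3 secret labels in the NSS key log format.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_SECRET",
}
# Minimum set needed to decrypt one QUIC connection from the handshake
# through 1-RTT data in both directions.
REQUIRED_FOR_DECRYPT = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
# One entry per line: <label> <client_random: 32 bytes hex> <secret: hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return (entries, errors); entries are (label, client_random, secret_len_bytes)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and comment lines are permitted
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed entry")
            continue
        label, client_random, secret = m.groups()
        if len(secret) % 2:
            errors.append(f"line {lineno}: secret has odd hex length")
            continue
        entries.append((label, client_random.lower(), len(secret) // 2))
    return entries, errors


def check_keylog(text):
    """Summarise a key log: emptiness, per-connection completeness, odd labels."""
    entries, errors = parse_keylog(text)
    by_label = Counter(label for label, _, _ in entries)
    per_conn = {}
    for label, client_random, _ in entries:
        per_conn.setdefault(client_random, set()).add(label)
    decryptable = [cr for cr, labels in per_conn.items() if REQUIRED_FOR_DECRYPT <= labels]
    return {
        "empty": not entries,                     # the reporter's symptom
        "errors": errors,
        "connections": len(per_conn),
        "decryptable_connections": len(decryptable),
        "tls12_entries": by_label.get("CLIENT_RANDOM", 0),  # would not be QUIC
        "unknown_labels": sorted(set(by_label) - TLS13_LABELS - {"CLIENT_RANDOM"}),
    }


# Constructed samples (not real secrets): an empty file, and one complete session.
EMPTY_KEYLOG = ""
_CLIENT_RANDOM = "11" * 32
GOOD_KEYLOG = "\n".join(
    f"{label} {_CLIENT_RANDOM} {'ab' * 32}"
    for label in (
        "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
        "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
    )
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "./key_log_file"  # assumed path
    with open(path, encoding="utf-8") as fh:
        summary = check_keylog(fh.read())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

If `empty` is true the listener never reached the keylog callback at all, which is the limitation this issue is about; a non-empty file with zero `decryptable_connections` instead points at a handshake that aborted before 1-RTT keys were derived.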

@bkeshari bkeshari added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Jul 22, 2024
@ggreenway
Contributor

This requires QUICHE to expose an API for enabling keylogging to implement properly. The underlying BoringSSL functionality exists and works, but a QUICHE API is needed so that the keylog callback can have context for keylogging configuration (which file to log to, filtering, etc).

@yanavlasov yanavlasov added area/quic and removed triage Issue requires triage labels Jul 22, 2024
@yanavlasov
Contributor

@danzh2010 for more comments

@yanavlasov yanavlasov added the no stalebot Disables stalebot from closing an issue label Jul 22, 2024
@danzh2010
Contributor

Thanks for reporting this issue! Yes, it's a missing piece in the H3 stack. @bkeshari is it blocking your work? So far, we haven't needed the BoringSSL key log for debugging SSL issues, but it's not too complicated to add a QUICHE API for that.

@bkeshari
Author

Hi @danzh2010, yes, it's blocking. Thanks for the response/info.

@danzh2010
Contributor

> Hi @danzh2010, yes, it's blocking. Thanks for the response/info.

Are you debugging into QUIC handshake failure? QUICHE already put a bunch of boring SSL handshake details into connection close frame. Would those be sufficient?

@ggreenway
Contributor

> QUICHE already put a bunch of boring SSL handshake details into connection close frame. Would those be sufficient?

Regardless of whether we implement keylogging now, can you provide details about this? It sounds very useful.

@danzh2010
Contributor

The CONNECTION_CLOSE frame has a reason phrase field which QUICHE populates with handshake failure details: https://www.rfc-editor.org/rfc/rfc9000.html#frame-connection-close. A peer can infer the handshake issue from that.

If you can access envoy logs, you can enable QUICHE verbose logs via an environment var ENVOY_QUICHE_VERBOSITY.
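The peer only sees the encoded frame, so, as an added example that is not QUICHE or Envoy code, the following Python decodes a CONNECTION_CLOSE frame per RFC 9000 section 19.19 and, when the error code falls in the CRYPTO_ERROR range, recovers the TLS alert per RFC 9001 section 4.8 (alert description + 0x0100). The sample frames and their reason phrases are constructed here; the reason text QUICHE actually emits is whatever the linked discussion describes and is not reproduced.

```python
"""Decode a QUIC CONNECTION_CLOSE frame and map CRYPTO_ERROR codes to TLS alerts.

Added example; not QUICHE or Envoy code. Wire formats follow RFC 9000 s16/s19.19
and RFC 9001 s4.8.
"""

FRAME_CONNECTION_CLOSE_TRANSPORT = 0x1C  # carries a triggering Frame Type field
FRAME_CONNECTION_CLOSE_APP = 0x1D        # application close; no Frame Type field
CRYPTO_ERROR_BASE = 0x0100               # CRYPTO_ERROR range is 0x0100..0x01ff

# RFC 9000 s20.1 transport error codes.
TRANSPORT_ERRORS = {
    0x00: "NO_ERROR", 0x01: "INTERNAL_ERROR", 0x02: "CONNECTION_REFUSED",
    0x03: "FLOW_CONTROL_ERROR", 0x04: "STREAM_LIMIT_ERROR", 0x05: "STREAM_STATE_ERROR",
    0x06: "FINAL_SIZE_ERROR", 0x07: "FRAME_ENCODING_ERROR", 0x08: "TRANSPORT_PARAMETER_ERROR",
    0x09: "CONNECTION_ID_LIMIT_ERROR", 0x0A: "PROTOCOL_VIOLATION", 0x0B: "INVALID_TOKEN",
    0x0C: "APPLICATION_ERROR", 0x0D: "CRYPTO_BUFFER_EXCEEDED", 0x0E: "KEY_UPDATE_ERROR",
    0x0F: "AEAD_LIMIT_REACHED", 0x10: "NO_VIABLE_PATH",
}
# Subset of RFC 8446 s6.2 AlertDescription values commonly seen in failed handshakes.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    116: "certificate_required", 120: "no_application_protocol",
}


def decode_varint(buf, pos):
    """RFC 9000 s16 varint: the top two bits of the first byte select 1/2/4/8 bytes."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    first = buf[pos]
    length = 1 << (first >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = first & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def encode_varint(value):
    """Inverse of decode_varint; used here only to build the constructed samples."""
    for bits, prefix, size in ((6, 0x00, 1), (14, 0x40, 2), (30, 0x80, 4), (62, 0xC0, 8)):
        if value < (1 << bits):
            out = value.to_bytes(size, "big")
            return bytes([out[0] | prefix]) + out[1:]
    raise ValueError("value too large for a QUIC varint")


def parse_connection_close(frame):
    """Parse one CONNECTION_CLOSE frame (bytes starting at the frame type)."""
    frame_type, pos = decode_varint(frame, 0)
    if frame_type not in (FRAME_CONNECTION_CLOSE_TRANSPORT, FRAME_CONNECTION_CLOSE_APP):
        raise ValueError(f"not a CONNECTION_CLOSE frame: type 0x{frame_type:x}")
    error_code, pos = decode_varint(frame, pos)
    triggering_frame = None
    if frame_type == FRAME_CONNECTION_CLOSE_TRANSPORT:
        triggering_frame, pos = decode_varint(frame, pos)
    reason_len, pos = decode_varint(frame, pos)
    if pos + reason_len > len(frame):
        raise ValueError("truncated reason phrase")
    reason = frame[pos:pos + reason_len].decode("utf-8", errors="replace")
    info = {
        "application_close": frame_type == FRAME_CONNECTION_CLOSE_APP,
        "error_code": error_code,
        "triggering_frame": triggering_frame,
        "reason": reason,
        "tls_alert": None,
    }
    if frame_type == FRAME_CONNECTION_CLOSE_APP:
        info["error_name"] = "APPLICATION"  # meaning defined by the application protocol
    elif CRYPTO_ERROR_BASE <= error_code <= CRYPTO_ERROR_BASE + 0xFF:
        alert = error_code - CRYPTO_ERROR_BASE
        info["error_name"] = "CRYPTO_ERROR"
        info["tls_alert"] = TLS_ALERTS.get(alert, f"alert_{alert}")
    else:
        info["error_name"] = TRANSPORT_ERRORS.get(error_code, f"unknown_0x{error_code:x}")
    return info


# Constructed sample (not a captured QUICHE frame): transport close with
# CRYPTO_ERROR for TLS alert unknown_ca (48), triggered by a CRYPTO frame (0x06).
_REASON = b"constructed: certificate verify failed"
SAMPLE_CRYPTO_CLOSE = (
    encode_varint(FRAME_CONNECTION_CLOSE_TRANSPORT)
    + encode_varint(CRYPTO_ERROR_BASE + 48)
    + encode_varint(0x06)
    + encode_varint(len(_REASON))
    + _REASON
)

if __name__ == "__main__":
    for key, value in parse_connection_close(SAMPLE_CRYPTO_CLOSE).items():
        print(f"{key}: {value}")
```

Running it on a frame from a packet capture tells you which side aborted and why even when no key log is available, which is the point of the suggestion above; the reason phrase is plaintext in the frame but the frame itself is inside a protected packet, so the parser is applied after the packet has been decrypted or, for Initial packets, after removing Initial-key protection.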

@ggreenway
Contributor

> CONNECTION_CLOSE frame has a reason phrase block which QUICHE populates handshake failure details: https://www.rfc-editor.org/rfc/rfc9000.html#frame-connection-close. A peer can infer handshake issue from that.
>
> If you can access envoy logs, you can enable QUICHE verbose logs via an environment var ENVOY_QUICHE_VERBOSITY.

Thanks!

Development

No branches or pull requests

4 participants