Support SSL keylog with QUIC #35339
This requires QUICHE to expose an API for enabling keylogging to implement properly. The underlying BoringSSL functionality exists and works, but a QUICHE API is needed so that the keylog callback can have context for the keylogging configuration (which file to log to, filtering, etc.).
@danzh2010 for more comments
Thanks for reporting this issue! Yes, it's a missing piece in the H3 stack. @bkeshari is it blocking your work? So far, we haven't needed the BoringSSL key log for debugging SSL issues, but it's not too complicated to add a QUICHE API for that.
Hi @danzh2010, yes it's blocking. Thanks for the response/info.
Are you debugging a QUIC handshake failure? QUICHE already puts a bunch of BoringSSL handshake details into the connection close frame. Would those be sufficient?
Regardless of whether we implement keylogging now, can you provide details about this? It sounds very useful.
The CONNECTION_CLOSE frame has a reason phrase block which QUICHE populates with handshake failure details: https://www.rfc-editor.org/rfc/rfc9000.html#frame-connection-close. A peer can infer handshake issues from that. If you can access Envoy logs, you can enable QUICHE verbose logs via the environment variable ENVOY_QUICHE_VERBOSITY.
Thanks!
Currently, although the 'key_log' configuration is accepted without any errors or warnings, it doesn't work as expected with QUIC: only the file gets generated, without any content. This functionality would be very useful for troubleshooting and understanding behaviours/issues.
Example configuration:
After discussing with Greg Greenway, this seems to be a known limitation in TLS context config with QUIC transport sockets (#25418).
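The listener shape the report refers to, as an added illustration that is not the reporter's configuration or anything from the Envoy project: a UDP/QUIC listener whose `QuicDownstreamTransport` carries a `DownstreamTlsContext` with `key_log` set. The listener name, port, certificate paths and key log path are assumptions. With a QUIC listener like this the issue describes the key log file being created but left empty; the same `key_log` block on a TCP TLS listener is where the secrets would normally be written.

```yaml
# Added example, not from the issue. Listener name, port and all file paths are assumed.
static_resources:
  listeners:
  - name: quic_listener                    # assumed name
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 443                    # assumed port
        protocol: UDP                      # QUIC listeners bind UDP
    udp_listener_config:
      quic_options: {}                     # marks this as a QUIC listener
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            common_tls_context:
              tls_certificates:
              - certificate_chain:
                  filename: /etc/envoy/certs/server.crt   # assumed path
                private_key:
                  filename: /etc/envoy/certs/server.key   # assumed path
              # The field the issue is about. Accepted without error on a QUIC
              # transport socket, but per the report the file stays empty.
              key_log:
                path: /var/log/envoy/tls-keys.log         # assumed path
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: h3
          codec_type: HTTP3
          http3_protocol_options: {}
          route_config:
            virtual_hosts:
            - name: local
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response: { status: 200, body: { inline_string: "ok" } }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Whatever transport it ends up working on, the key log file holds the per-connection traffic secrets that let a capture be decrypted, so it belongs on a path that only the person doing the debugging can read and should be removed once the investigation is done.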