@kamilwaz
Contributor

This PR adds support for the SSLKEYLOGFILE environment variable. Enabling tls.keep_secrets is required for this to work.

@kamilwaz kamilwaz self-assigned this Jan 30, 2026
@mongoose-im
Collaborator

mongoose-im commented Jan 30, 2026

CircleCI results for 159d78b


elasticsearch_and_cassandra_latest / elasticsearch_and_cassandra_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 683 / Failed: 0 / User-skipped: 72 / Auto-skipped: 0


small_tests_legacy / small_tests / 5ac3115
Reports root / small


small_tests_latest / small_tests / 5ac3115
Reports root / small


small_tests_latest_arm64 / small_tests / 5ac3115
Reports root / small


ldap_mnesia_legacy / ldap_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 2397 / Failed: 0 / User-skipped: 1414 / Auto-skipped: 0


ldap_mnesia_latest / ldap_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 2397 / Failed: 0 / User-skipped: 1414 / Auto-skipped: 0


dynamic_domains_mysql_redis_latest / mysql_redis / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5272 / Failed: 0 / User-skipped: 158 / Auto-skipped: 0


internal_mnesia_latest / internal_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 2545 / Failed: 0 / User-skipped: 1266 / Auto-skipped: 0


dynamic_domains_pgsql_mnesia_legacy / pgsql_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5308 / Failed: 0 / User-skipped: 122 / Auto-skipped: 0


pgsql_cets_latest / pgsql_cets / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5397 / Failed: 0 / User-skipped: 203 / Auto-skipped: 0


mysql_redis_latest / mysql_redis / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5693 / Failed: 0 / User-skipped: 150 / Auto-skipped: 0


cockroachdb_cets_latest / cockroachdb_cets / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5397 / Failed: 0 / User-skipped: 203 / Auto-skipped: 0


pgsql_mnesia_latest / pgsql_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5701 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0


pgsql_mnesia_legacy / pgsql_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5701 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0


dynamic_domains_pgsql_mnesia_latest / pgsql_mnesia / 5ac3115
Status: 🟢 Passed
Reports root/ big
OK: 5308 / Failed: 0 / User-skipped: 122 / Auto-skipped: 0

@codecov

codecov bot commented Jan 30, 2026

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 86.04%. Comparing base (8fa7d85) to head (5ac3115).
⚠️ Report is 10 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/just_tls.erl | 90.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4634      +/-   ##
==========================================
+ Coverage   86.03%   86.04%   +0.01%     
==========================================
  Files         566      566              
  Lines       33926    33926              
==========================================
+ Hits        29187    29192       +5     
+ Misses       4739     4734       -5     

@kamilwaz kamilwaz marked this pull request as ready for review January 30, 2026 13:15
@fen-pl fen-pl requested a review from Copilot January 30, 2026 15:02

Copilot AI left a comment

Pull request overview

Adds support for logging TLS session secrets to a file via the SSLKEYLOGFILE environment variable when tls.keep_secrets = true, enabling external tools (e.g., Wireshark) to decrypt captured TLS traffic.

Changes:

  • Extend TLS config schema and parser to accept keep_secrets.
  • Implement SSLKEYLOGFILE-driven key logging in just_tls.
  • Add documentation and an end-to-end big test verifying that secrets are written.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| test/config_parser_SUITE.erl | Adds config-parser coverage for the new tls.keep_secrets option. |
| src/just_tls.erl | Implements conditional TLS key logging based on keep_secrets + SSLKEYLOGFILE. |
| src/config/mongoose_config_spec.erl | Adds keep_secrets to the TLS(common) config spec. |
| doc/listeners/listen-c2s.md | Documents listen.c2s.tls.keep_secrets and its security implications. |
| big_tests/tests/connect_SUITE.erl | Adds a new test group and test case to verify keylog output. |


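An added example, not part of this PR or of MongooseIM's code: a small audit of a file written via SSLKEYLOGFILE, assuming it follows the NSS Key Log format that Wireshark reads. It flags group/other-accessible permissions and malformed lines without printing any secret; `parse_keylog_line`, `audit_keylog` and `SAMPLE` are hypothetical names, and the sample lines are constructed.

```python
import os
import re
import stat

# Labels from the NSS Key Log format (TLS 1.2 and TLS 1.3).
LABELS = {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
          "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
          "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
          "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
HEX = re.compile(r"\A(?:[0-9a-fA-F]{2})+\Z")
# Constructed sample (not real secrets); the last line has a truncated secret.
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "0a" * 32 + " " + "1b" * 32,
    "CLIENT_RANDOM " + "2c" * 32 + " " + "3d" * 48,
    "CLIENT_RANDOM " + "2c" * 32 + " " + "3d" * 10,
]) + "\n"

def parse_keylog_line(line):
    """Return (label, client_random, secret), or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("expected '<label> <client_random> <secret>'")
    label, client_random, secret = parts
    if label not in LABELS:
        raise ValueError("unknown label")
    if len(client_random) != 64 or not HEX.match(client_random):
        raise ValueError("client_random must be 32 bytes of hex")
    if not HEX.match(secret) or (label == "CLIENT_RANDOM" and len(secret) != 96):
        raise ValueError("secret is not hex or has the wrong length")
    return label, client_random.lower(), secret.lower()

def audit_keylog(path):
    """Report file mode, distinct sessions, label counts and malformed lines."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {"mode": oct(mode), "too_open": bool(mode & 0o077),
              "sessions": set(), "labels": {}, "bad_lines": []}
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            try:
                entry = parse_keylog_line(line)
            except ValueError as exc:
                report["bad_lines"].append((lineno, str(exc)))
                continue
            if entry:
                report["sessions"].add(entry[1])
                report["labels"][entry[0]] = report["labels"].get(entry[0], 0) + 1
    return report
```

Anyone who can read the key log can decrypt a capture of the matching sessions, so `too_open` being true is the finding to act on first.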
Member

@chrzaszcz chrzaszcz left a comment

I added a few comments.

@kamilwaz kamilwaz requested a review from chrzaszcz February 2, 2026 15:18
Member

@chrzaszcz chrzaszcz left a comment

All good, thanks for the corrections 👍

@kamilwaz kamilwaz merged commit 30de7f9 into master Feb 3, 2026
4 checks passed
@kamilwaz kamilwaz deleted the sslkeylog branch February 3, 2026 07:58