From 0c26d1637a8628425476f09c6f27bdbc15116d06 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Wed, 24 May 2023 09:20:58 +0200
Subject: [PATCH] Add suport for TLS key logging

---
 dnscrypt-proxy/config.go | 12 ++++++++++++
 dnscrypt-proxy/example-dnscrypt-proxy.toml | 8 ++++++++
 dnscrypt-proxy/xtransport.go | 6 ++++++
 3 files changed, 26 insertions(+)

diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
index ff5c1c4933..e9d99d5a3a 100644
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@@ -92,6 +92,7 @@ type Config struct {
 LogMaxBackups int `toml:"log_files_max_backups"`
 TLSDisableSessionTickets bool `toml:"tls_disable_session_tickets"`
 TLSCipherSuite []uint16 `toml:"tls_cipher_suite"`
+ TLSKeyLogFile string `toml:"tls_key_log_file"`
 NetprobeAddress string `toml:"netprobe_address"`
 NetprobeTimeout int `toml:"netprobe_timeout"`
 OfflineMode bool `toml:"offline_mode"`
@@ -143,6 +144,7 @@ func newConfig() Config {
 LogMaxBackups: 1,
 TLSDisableSessionTickets: false,
 TLSCipherSuite: nil,
+ TLSKeyLogFile: "",
 NetprobeTimeout: 60,
 OfflineMode: false,
 RefusedCodeInResponses: false,
@@ -628,6 +630,16 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 proxy.skipAnonIncompatibleResolvers = config.AnonymizedDNS.SkipIncompatible
 proxy.anonDirectCertFallback = config.AnonymizedDNS.DirectCertFallback
 
+ if len(config.TLSKeyLogFile) > 0 {
+ f, err := os.OpenFile(config.TLSKeyLogFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
+ if err != nil {
+ dlog.Fatalf("Unable to create key log file [%s]: [%s]", config.TLSKeyLogFile, err)
+ }
+ dlog.Warnf("TLS key log file [%s] enabled", config.TLSKeyLogFile)
+ proxy.xTransport.keyLogWriter = f
+ proxy.xTransport.rebuildTransport()
+ }
+
 if config.DoHClientX509AuthLegacy.Creds != nil {
 return errors.New("[tls_client_auth] has been renamed to [doh_client_x509_auth] - Update your config file")
 }
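Review bot: In the new `if len(config.TLSKeyLogFile) > 0` block of `ConfigLoad`, the `0600` mode passed to `os.OpenFile` only takes effect when the call creates the file; if something already exists at that path (a file owned by another user, or a symlink pointing elsewhere) `O_APPEND|O_CREATE` opens it as-is, so the TLS session secrets inherit whatever owner and mode that file already has. The example configuration in the next file suggests `/tmp/keylog.txt`, a shared directory, which makes this worth guarding against: after the open, `fi, err := f.Stat()` followed by a refusal unless `fi.Mode().IsRegular()` (and, on Unix-like systems where `Perm()` is meaningful, `fi.Mode().Perm()&0077 == 0`) would catch the common cases, and the example could point at a directory private to the proxy user. The open failure is also handled with `dlog.Fatalf`, whereas the neighbouring `DoHClientX509AuthLegacy` check returns an error from `ConfigLoad`; `return errors.New("unable to open key log file [" + config.TLSKeyLogFile + "]: " + err.Error())` would keep the function's error handling consistent and let the caller decide. `ConfigLoad` starts and ends outside this hunk, so whether `rebuildTransport` is invoked again later in the function cannot be seen here.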
diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
index 1c027014e7..f9e518619c 100644
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -223,6 +223,14 @@ cert_refresh_delay = 240 # tls_cipher_suite = [52392, 49199] +## Log TLS key material to a file, for debugging purposes only. ## This file will contain the TLS master key, which can be used to decrypt all TLS traffic to/from DoH servers. ## Never ever enable except for debugging purposes with a tool such as mitmproxy. + # tls_key_log_file = '/tmp/keylog.txt' + + ## Bootstrap resolvers ## ## These are normal, non-encrypted DNS resolvers, that will be only used
diff --git a/dnscrypt-proxy/xtransport.go b/dnscrypt-proxy/xtransport.go
index 4a2925937e..b30d362e1a 100644
--- a/dnscrypt-proxy/xtransport.go
+++ b/dnscrypt-proxy/xtransport.go
@@ -75,6 +75,7 @@ type XTransport struct {
 proxyDialer *netproxy.Dialer
 httpProxyFunction func(*http.Request) (*url.URL, error)
 tlsClientCreds DOHClientCreds
+ keyLogWriter io.Writer
 }
 
 func NewXTransport() *XTransport {
@@ -93,6 +94,7 @@ func NewXTransport() *XTransport {
 useIPv6: false,
 tlsDisableSessionTickets: false,
 tlsCipherSuite: nil,
+ keyLogWriter: nil,
 }
 return &xTransport
 }
@@ -187,6 +189,10 @@ func (xTransport *XTransport) rebuildTransport() {
 tlsClientConfig := tls.Config{}
 certPool, certPoolErr := x509.SystemCertPool()
 
+ if xTransport.keyLogWriter != nil {
+ tlsClientConfig.KeyLogWriter = xTransport.keyLogWriter
+ }
+
 if clientCreds.rootCA != "" {
 if certPool == nil {
 dlog.Fatalf("Additional CAs not supported on this platform: %v", certPoolErr)
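Review bot: The new `keyLogWriter io.Writer` field in `XTransport` carries no comment, and nothing in the struct says that it ends up as `tls.Config.KeyLogWriter`, which crypto/tls documents as a debugging hook that compromises the security of the connections it observes. A one-line field comment would tell the next reader why it must normally stay nil, e.g. `keyLogWriter io.Writer // receives TLS session secrets via tls.Config.KeyLogWriter; debugging only, nil in normal operation`.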
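Review bot: The nil guard around the assignment in the `rebuildTransport` hunk is redundant: `tls.Config.KeyLogWriter` is itself an `io.Writer`, so a nil `xTransport.keyLogWriter` assigned unconditionally leaves it nil, and the three lines could become the single line `tlsClientConfig.KeyLogWriter = xTransport.keyLogWriter`. The explicit form is harmless, so this is a point of style rather than a defect. `rebuildTransport` starts and ends outside the hunk, so whether the writer is also applied to any other `tls.Config` built in that function cannot be checked here.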