SSLKEYLOGFILE not working with curl-for-win build #13672

Closed
jay opened this issue May 16, 2024 Discussed in #13665 · 7 comments
Labels
TLS Windows Windows-specific

Comments

@jay
Member

jay commented May 16, 2024

From discussion #13665 the reporter @glslang is using the official curl for windows build 8.7.1 64-bit and SSLKEYLOGFILE is not working. A blank file is created and nothing is written.

curl 8.7.1 (x86_64-w64-mingw32) libcurl/8.7.1 LibreSSL/3.9.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.0 ngtcp2/1.5.0 nghttp3/1.3.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd

I can reproduce with the same build. With curl 8.7.1 and OpenSSL, SSLKEYLOGFILE works, so I suspect this is an issue with how we coded it for LibreSSL.

@jay jay added Windows Windows-specific TLS labels May 16, 2024
@botovq

botovq commented May 16, 2024

LibreSSL doesn't really support the keylog mechanism. The API exists since a number of things don't properly test and guard for it, but it is a noop.

@glslang

glslang commented May 16, 2024

And I guess the reason to use LibreSSL on Windows is because it makes for easier builds? Or just a preference in general due to possible security considerations?

jay added a commit to jay/curl that referenced this issue May 17, 2024
- Revert to the legacy TLS 1.2 key logging code for LibreSSL.

Prior to this change if the user specified a filename in the
SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then
an empty file would be created and no keys would be logged.

This is effectively a revert of e43474b which changed openssl.c to use
SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL
added that function only as a stub that doesn't actually do anything.

Reported-by: Gonçalo Carvalho

Fixes curl#13672
Closes #xxxx
@jay
Member Author

jay commented May 17, 2024

> LibreSSL doesn't really support the keylog mechanism. The API exists since a number of things don't properly test and guard for it, but it is a noop.

Thanks, I missed that on review when we enabled support. I am proposing #13682 to revert to the legacy TLS 1.2 logging for LibreSSL. Is there a way we can extract TLS 1.3 secrets with LibreSSL?

> And I guess the reason to use LibreSSL on Windows is because it makes for easier builds? Or just a preference in general due to possible security considerations?

There were a number of reasons, see curl/curl-for-win#44

/cc @vszakats

@jay jay closed this as completed in 9aae9bf May 20, 2024
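The two symptoms discussed above (an SSLKEYLOGFILE that is created but stays empty under LibreSSL 3.5.0+, and, after the fix in #13682, a file that only ever holds TLS 1.2 CLIENT_RANDOM entries) are easy to mistake for a mis-set environment variable. The following added example, which is not part of the issue and not curl's own code, checks both ends: it pulls the TLS backend out of `curl -V` output and classifies the lines of a key log file in the NSS key log format that curl writes, so you can tell "nothing logged", "TLS 1.2 secrets only" and "TLS 1.3 secrets present" apart. The `curl -V` text is the one quoted in the issue; the key log contents are constructed with dummy hex and are not real secrets.

```python
"""Checks for a curl SSLKEYLOGFILE setup: which TLS backend the curl binary uses,
and what, if anything, ended up in the key log file (NSS key log format).
Added example for this issue thread; not curl's own code."""
import re
from typing import Dict, List, Union

# NSS key log labels. CLIENT_RANDOM carries the 48-byte TLS 1.2 master secret;
# the others are the per-session TLS 1.3 traffic secrets.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# <label> <32-byte client random as hex> <secret as hex>
_KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
# Backend names as they appear on the first line of `curl -V` (heuristic list, an assumption).
_BACKENDS = ("OpenSSL", "LibreSSL", "BoringSSL", "quictls", "AWS-LC", "wolfSSL",
             "GnuTLS", "mbedTLS", "rustls", "Schannel", "SecureTransport")


def tls_backend(curl_v: str) -> str:
    """Return the TLS backend token from the first line of `curl -V`, e.g. 'LibreSSL/3.9.2'."""
    first = curl_v.strip().splitlines()[0]
    for tok in first.split():
        if tok.strip("()").split("/")[0] in _BACKENDS:
            return tok.strip("()")
    return "unknown"


def supports_https(curl_v: str) -> bool:
    """True if the 'Protocols:' line of `curl -V` lists https."""
    for line in curl_v.splitlines():
        if line.startswith("Protocols:"):
            return "https" in line.split()[1:]
    return False


def summarize_keylog(text: str) -> Dict[str, Union[int, List[int]]]:
    """Count TLS 1.2 and TLS 1.3 entries in key log text; collect line numbers that parse badly."""
    tls12, tls13, bad = 0, 0, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        m = _KEYLOG_LINE.match(line)
        if not m:
            bad.append(n)
            continue
        label, _client_random, secret = m.groups()
        if label in TLS12_LABELS and len(secret) == 96:  # 48-byte master secret
            tls12 += 1
        elif label in TLS13_LABELS:
            tls13 += 1
        else:
            bad.append(n)
    return {"tls12": tls12, "tls13": tls13, "bad": bad}


def diagnose(curl_v: str, keylog_text: str) -> str:
    """Verdict on whether this curl build wrote usable key material.

    Returns one of: 'no-tls', 'malformed', 'empty', 'tls12-only', 'ok'.
    """
    if not supports_https(curl_v):
        return "no-tls"          # a build without https cannot log TLS secrets at all
    s = summarize_keylog(keylog_text)
    if s["bad"]:
        return "malformed"
    if s["tls12"] == 0 and s["tls13"] == 0:
        return "empty"           # file created, nothing written (the LibreSSL 3.5.0+ stub case)
    if s["tls13"] == 0:
        return "tls12-only"      # CLIENT_RANDOM only; TLS 1.3 sessions cannot be decrypted
    return "ok"


# Sample input: the `curl -V` output quoted in the issue.
CURL_V_LIBRESSL = """curl 8.7.1 (x86_64-w64-mingw32) libcurl/8.7.1 LibreSSL/3.9.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.0 ngtcp2/1.5.0 nghttp3/1.3.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd
"""
# Constructed key log contents with dummy hex (not real secrets).
KEYLOG_TLS12 = "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
KEYLOG_TLS13 = "".join(f"{lbl} {'ab' * 32} {'ef' * 32}\n" for lbl in (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"))

if __name__ == "__main__":
    print(tls_backend(CURL_V_LIBRESSL))              # LibreSSL/3.9.2
    print(diagnose(CURL_V_LIBRESSL, ""))              # empty
    print(diagnose(CURL_V_LIBRESSL, KEYLOG_TLS12))    # tls12-only
    print(diagnose(CURL_V_LIBRESSL, KEYLOG_TLS13))    # ok
```

To use it on a real run, set SSLKEYLOGFILE, make one https request with the curl binary under test, then pass the output of `curl -V` and the file contents to `diagnose()`. An "empty" verdict with a LibreSSL backend is the no-op callback described above, not a path or permissions problem; "tls12-only" is what the legacy code path yields, and a TLS 1.3 capture will still not decrypt in Wireshark with such a file.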
@jshanab

jshanab commented Jul 1, 2024

I need the keylog feature and have been trying for days (weeks) to build curl with OpenSSL on Windows successfully.
While I can build it, the resulting build, when queried, does not list the https protocol, so the app fails.

latest try is
cmake -B build -DCURL_ENABLE_SSL=ON -DUSE_LIBSSH2=OFF -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR="C:\Opt\openssl\3.1.0a" -DZLIB_ROOT="C:\Opt\zlib\1.2.11_vc14" -G "Visual Studio 16 2019"

Has anyone got a working OpenSSL (3.1.0a) curl build, or a set of working steps?

Is there perhaps a build server in a build farm running a build config for this?

@vszakats
Member

vszakats commented Jul 1, 2024

You can do your own curl-for-win build by forking its repo and customizing CW_CONFIG with e.g. win-openssl in the respective GHA job. Perhaps that's the easiest.

@vszakats
Member

vszakats commented Jul 1, 2024

Perhaps a better example is curl's CI job doing a customized curl-for-win build:

```yaml
win-llvm:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      with:
        path: 'curl'
        fetch-depth: 8
    - name: 'build'
      run: |
        git clone --depth 1 https://github.com/curl/curl-for-win
        mv curl-for-win/* .
        export CW_CONFIG='-main-werror-win-x64'
        export CW_REVISION='${{ github.sha }}'
        . ./_versions.sh
        docker trust inspect --pretty "${DOCKER_IMAGE}"
        time docker pull "${DOCKER_IMAGE}"
        docker images --digests
        time docker run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
          --env-file <(env | grep -a -E \
            '^(CW_|GITHUB_)') \
          "${DOCKER_IMAGE}" \
          sh -c ./_ci-linux-debian.sh
```

You can copy it (almost) as-is into any GitHub project and tweak CW_CONFIG as desired.

Should also be easy to move to non-GitHub host, or local.

@jshanab

jshanab commented Jul 2, 2024

I fear I have gone down the wrong path here, not realizing curl-for-win is not an MS build. The problem is that dependencies then also need to be llvm or mingw, and they are used elsewhere.

I just need a working CMake invocation line for OpenSSL that uses the Visual Studio generator. I think this may actually be broken, and I do not think it is still being tested, as the #defines in the code do not look correct and USE_SSL is not making it from the CMake settings into the #defines, and the resulting code does not have https support.
