
SSLKEYLOGFILE not working with curl-for-win build #13672

Closed
jay opened this issue May 16, 2024 Discussed in #13665 · 15 comments
Labels
TLS Windows Windows-specific

Comments

@jay
Member

jay commented May 16, 2024

From discussion #13665 the reporter @glslang is using the official curl for windows build 8.7.1 64-bit and SSLKEYLOGFILE is not working. A blank file is created and nothing is written.

curl 8.7.1 (x86_64-w64-mingw32) libcurl/8.7.1 LibreSSL/3.9.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 WinIDN libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.0 ngtcp2/1.5.0 nghttp3/1.3.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd

I can reproduce with the same build. With curl 8.7.1 and OpenSSL, SSLKEYLOGFILE works, so I suspect this is an issue with how we coded it for LibreSSL.

@jay jay added Windows Windows-specific TLS labels May 16, 2024
@botovq

botovq commented May 16, 2024

LibreSSL doesn't really support the keylog mechanism. The API exists since a number of things don't properly test and guard for it, but it is a noop.

@glslang

glslang commented May 16, 2024

And I guess the reason to use LibreSSL on Windows is because it makes for easier builds? Or just a preference in general due to possible security considerations?

jay added a commit to jay/curl that referenced this issue May 17, 2024
- Revert to the legacy TLS 1.2 key logging code for LibreSSL.

Prior to this change if the user specified a filename in the
SSLKEYLOGFILE environment variable and was using LibreSSL 3.5.0+ then
an empty file would be created and no keys would be logged.

This is effectively a revert of e43474b which changed openssl.c to use
SSL_CTX_set_keylog_callback for LibreSSL 3.5.0+. Unfortunately LibreSSL
added that function only as a stub that doesn't actually do anything.

Reported-by: Gonçalo Carvalho

Fixes curl#13672
Closes #xxxx
@jay
Member Author

jay commented May 17, 2024

> LibreSSL doesn't really support the keylog mechanism. The API exists since a number of things don't properly test and guard for it, but it is a noop.

Thanks, I missed that on review when we enabled support. I am proposing #13682 to revert to the legacy TLS 1.2 logging for LibreSSL. Is there a way we can extract TLS 1.3 secrets with LibreSSL?

> And I guess the reason to use LibreSSL on Windows is because it makes for easier builds? Or just a preference in general due to possible security considerations?

There were a number of reasons, see curl/curl-for-win#44

/cc @vszakats
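
The symptom in the opening report (an SSLKEYLOGFILE that is created but stays empty) and the question just above (legacy TLS 1.2 CLIENT_RANDOM logging versus TLS 1.3 secrets from the keylog callback) can both be checked from the key log file itself. The following is an added example, not code from curl, LibreSSL or this thread: it parses the NSS key log format that curl, OpenSSL and Wireshark share and reports whether the file holds TLS 1.2 secrets, TLS 1.3 secrets, both, or nothing. The label names and secret lengths are the standard ones from the NSS key log format; the sample lines at the bottom are constructed, not captured from a real session.

```python
"""Check what an SSLKEYLOGFILE actually contains (NSS key log format).

Added example for this thread, not code from curl or LibreSSL.  A file that
classifies as 'empty' after a TLS request is the symptom reported above for
the LibreSSL build; a file that classifies as 'tls12' was written by the
legacy CLIENT_RANDOM path and will not decrypt TLS 1.3 sessions in Wireshark.
"""
import os
import re
from collections import Counter

TLS12_LABEL = "CLIENT_RANDOM"            # <label> <client_random> <master_secret>
TLS13_LABELS = {                         # <label> <client_random> <secret>
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_line(line):
    """Return (label, client_random, secret) for one entry, None for blank or
    comment lines; raise ValueError for anything Wireshark would not accept."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected 3 whitespace-separated fields: %r" % line)
    label, client_random, secret = fields
    if len(client_random) != 64 or not _HEX.match(client_random):
        raise ValueError("client_random must be 32 bytes of hex: %r" % line)
    if not _HEX.match(secret):
        raise ValueError("secret must be hex: %r" % line)
    if label == TLS12_LABEL:
        if len(secret) != 96:               # TLS 1.2 master secret is 48 bytes
            raise ValueError("master secret must be 48 bytes: %r" % line)
    elif label in TLS13_LABELS:
        if len(secret) not in (64, 96):     # SHA-256 or SHA-384 cipher suite
            raise ValueError("TLS 1.3 secret must be 32 or 48 bytes: %r" % line)
    else:
        raise ValueError("unknown key log label %r" % label)
    return label, client_random, secret


def summarize(text):
    """Count entries per label; collect malformed lines as (lineno, reason)."""
    counts, errors = Counter(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if entry is not None:
            counts[entry[0]] += 1
    return counts, errors


def diagnose(text):
    """Classify a key log as 'empty', 'tls12', 'tls13' or 'tls12+tls13'."""
    counts, _ = summarize(text)
    has12 = counts[TLS12_LABEL] > 0
    has13 = any(counts[label] for label in TLS13_LABELS)
    if not has12 and not has13:
        return "empty"          # created but never written: no keylog support
    if has12 and has13:
        return "tls12+tls13"
    return "tls13" if has13 else "tls12"


def diagnose_file(path=None):
    """Diagnose the file named by SSLKEYLOGFILE (or an explicit path)."""
    path = path or os.environ.get("SSLKEYLOGFILE")
    if not path:
        raise RuntimeError("SSLKEYLOGFILE is not set")
    with open(path, "r", encoding="ascii") as fh:
        return diagnose(fh.read())


# Constructed sample data, not real secrets.
SAMPLE_TLS12 = "CLIENT_RANDOM %s %s\n" % ("aa" * 32, "bb" * 48)
SAMPLE_TLS13 = "".join(
    "%s %s %s\n" % (label, "cc" * 32, "dd" * 32)
    for label in ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0")
)

if __name__ == "__main__":
    for name, text in (("empty", ""), ("tls12", SAMPLE_TLS12),
                       ("both", SAMPLE_TLS12 + SAMPLE_TLS13)):
        print(name, "->", diagnose(text))
    if os.environ.get("SSLKEYLOGFILE"):
        print("SSLKEYLOGFILE ->", diagnose_file())
```

Run it with SSLKEYLOGFILE pointing at the file curl was told to write: 'empty' after an https request means the TLS backend never invoked any key logging at all, 'tls12' means only the legacy master-secret path fired, and Wireshark will still be unable to decrypt any TLS 1.3 connection in the capture.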

@jay jay closed this as completed in 9aae9bf May 20, 2024
@jshanab

jshanab commented Jul 1, 2024

I need the keylog feature and have been trying for days (weeks) to build curl with OpenSSL on Windows successfully.
While I can build it, the resulting build when queried, does not list https protocol so the app fails.

latest try is
cmake -B build -DCURL_ENABLE_SSL=ON -DUSE_LIBSSH2=OFF -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR="C:\Opt\openssl\3.1.0a" -DZLIB_ROOT="C:\Opt\zlib\1.2.11_vc14" -G "Visual Studio 16 2019"

Has anyone got a working OpenSSL (3.1.0a) curl build, or a set of working steps?

Is there perhaps a build server in a build farm running a build config for this?

@vszakats
Member

vszakats commented Jul 1, 2024

You can do your own curl-for-win build by forking its repo and customizing CW_CONFIG with e.g. win-openssl in the respective GHA job. Perhaps that's the easiest.

@vszakats
Member

vszakats commented Jul 1, 2024

Perhaps a better example is curl's CI job doing a customized curl-for-win build:

win-llvm:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      with:
        path: 'curl'
        fetch-depth: 8
    - name: 'build'
      run: |
        git clone --depth 1 https://github.com/curl/curl-for-win
        mv curl-for-win/* .
        export CW_CONFIG='-main-werror-win-x64'
        export CW_REVISION='${{ github.sha }}'
        . ./_versions.sh
        docker trust inspect --pretty "${DOCKER_IMAGE}"
        time docker pull "${DOCKER_IMAGE}"
        docker images --digests
        time docker run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
          --env-file <(env | grep -a -E \
            '^(CW_|GITHUB_)') \
          "${DOCKER_IMAGE}" \
          sh -c ./_ci-linux-debian.sh

You can copy it (almost) as-is into any GitHub project and tweak CW_CONFIG as desired.

Should also be easy to move to non-GitHub host, or local.

@jshanab

jshanab commented Jul 2, 2024

I fear I have gone down the wrong path here, not realizing curl-for-win is not an MS build. The problem is that the dependencies then also need to be llvm or mingw, and they are used elsewhere.

I just need a working CMake invocation line for OpenSSL that uses the Visual Studio generator. I think this may actually be broken, and I do not think it is still being tested, as the #defines in the code do not look correct: USE_SSL is not making it from the CMake settings into the #defines, and the resulting code does not have https support.

@mmoser18

mmoser18 commented Dec 9, 2024

Any news on this? I just bumped into the same issue. I need to debug a communication over TLS (capturing it using Wireshark), and that is not working with curl on Windows since the keys are not showing up in the file designated via SSLKEYLOGFILE. :-(
This is using

curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN
Release-Date: 2024-07-31
...

@vszakats
Member

vszakats commented Dec 9, 2024

> curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN
> Release-Date: 2024-07-31

This thread is about the curl-for-win official curl build. What you are using is the Microsoft-supplied build, with Schannel, and Schannel doesn't support SSLKEYLOGFILE.

@jshanab

jshanab commented Dec 9, 2024

Unfortunately I spent an entire weekend on this, and building anything other than Schannel is no longer tested or supported. I could not find a working OpenSSL build or build it with the options needed for use. Deep dependency errors and way too much work. :-(

@vszakats
Member

vszakats commented Dec 9, 2024

Have you tried the official curl builds over https://curl.se/windows ?

(edit: curl-for-win uses LibreSSL, which also doesn't support this.)

@jshanab

jshanab commented Dec 9, 2024

I cannot remember exactly what, but it was stripped down and was missing a basic functionality, which sent me down the build-it rabbit hole that never ended. I just switched to Linux and was done in 5 min, 4 of which I spent going to get coffee. Windows is not "seriously" supported. Sorry I did not document exactly what; it was a while ago.

@mmoser18

@jshanab

> This thread is about the curl-for-win official curl build. What you are using is the Microsoft-supplied build, with Schannel, and Schannel doesn't support SSLKEYLOGFILE.

Thanks for clarifying. I hadn't realized that. I had come here via a Google search re. "curl" and "SSLKEYLOGFILE not working" not knowing that there are different implementations or builds around.

@luisabreu

Hello guys.

I'm trying to run curl for Windows from PowerShell and I'd like to capture the master key used for TLS encoding. To do that, I'm setting the SSLKEYLOGFILE env variable, but the corresponding SSLKEYLOGFILE file is always empty (i.e., the file is created but it's never populated). Here's what I've done:

  • Download curl for windows x64 from here
  • create an alias for my Powershell profile: set-alias curl d:\...\bin\curl.exe
  • checked to see if curl references the correct version (it does)
  • tried to save the master key used for TLS with the following one liner: pwsh -command {$env:SSLKEYLOGFILE='sslkey.log'; curl -s "https://somesite.org"}

As I've said, the file is created, but it's always empty. Am I missing something? I mean, in Linux (bash/zsh) it works with something like SSLKEYLOGFILE=sslog curl -s "https://somesite.org"...

Thanks.

@vszakats
Member

curl uses LibreSSL, and LibreSSL lacks support for SSLKEYLOGFILE.

Building a custom curl with a different OpenSSL [fork] is necessary to have this feature.
