No way to set ENABLE_SSLKEYLOGFILE #2210

Closed
grosch opened this Issue Jan 2, 2018 · 7 comments


grosch commented Jan 2, 2018

Would you please add a configure option to enable the ENABLE_SSLKEYLOGFILE setting? It's not there right now, which means when I install on my Mac via Homebrew I have no way to tell it that I really really want that compiled in :(

grosch commented Jan 2, 2018

I tried setting the CPPFLAGS environment variable to -DENABLE_SSLKEYLOGFILE=1 before compiling curl, but that doesn't seem to have done it. I reinstalled curl and php via Homebrew and then ran my command, but nothing got written to the $SSLKEYLOGFILE path.

@jay jay added the build label Jan 2, 2018

Owner

jay commented Jan 2, 2018

ENABLE_SSLKEYLOGFILE should work for OpenSSL and derivatives BoringSSL and LibreSSL. We only tested it with OpenSSL though. It should be enough to add -DENABLE_SSLKEYLOGFILE. What is your curl -V?

grosch commented Jan 2, 2018

I'm using TLS

curl 7.57.0 (x86_64-apple-darwin17.3.0) libcurl/7.57.0 OpenSSL/1.0.2n zlib/1.2.11 nghttp2/1.29.0
Release-Date: 2017-11-29
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy

Owner

jay commented Jan 3, 2018

I can't reproduce this. I did CPPFLAGS=-DENABLE_SSLKEYLOGFILE ../configure ...
Either make V=1 and check for ENABLE_SSLKEYLOGFILE, or in openssl.c put #error in the #ifdef SSLKEYLOGFILE section to see if it's actually added, or add some printfs to debug.
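
The first check suggested above (inspect the `make V=1` output for the define) can be scripted. This is an added example, not part of the thread or of the curl project; the function names and the sample log lines are constructed, and it assumes each compile command appears on one line with `-c` and the source path.

```shell
#!/bin/sh
# Added example (not curl project code): classify a verbose build log by
# whether openssl.c was compiled with -DENABLE_SSLKEYLOGFILE.

# Prints one of: enabled | missing | mixed | not-compiled
keylog_define_status() {
    # Compiler invocations (-c) whose source file is openssl.c.
    compiles=$(grep -E '(^| )-c( |$)' "$1" 2>/dev/null |
               grep -E '(^|[ /])openssl\.c( |$)' || true)
    [ -n "$compiles" ] || { echo not-compiled; return 0; }
    total=$(printf '%s\n' "$compiles" | grep -c '' || true)
    # Accept both -DENABLE_SSLKEYLOGFILE and -DENABLE_SSLKEYLOGFILE=<value>,
    # but not a longer macro name that merely starts with it.
    with=$(printf '%s\n' "$compiles" |
           grep -Ec '(^| )-DENABLE_SSLKEYLOGFILE(=[^ ]*)?( |$)' || true)
    if [ "$with" -eq "$total" ]; then echo enabled
    elif [ "$with" -eq 0 ]; then echo missing
    else echo mixed
    fi
}

# Constructed sample logs (hypothetical compiler lines, not real build output).
write_sample_logs() {
    cat > "$1/with.log" <<'EOF'
libtool: compile:  gcc -DHAVE_CONFIG_H -I../include -DENABLE_SSLKEYLOGFILE -O2 -c vtls/openssl.c -fPIC -o vtls/.libs/openssl.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../include -DENABLE_SSLKEYLOGFILE -O2 -c vtls/openssl.c -o vtls/openssl.o
EOF
    cat > "$1/without.log" <<'EOF'
libtool: compile:  gcc -DHAVE_CONFIG_H -I../include -O2 -c vtls/openssl.c -o vtls/openssl.o
EOF
    cat > "$1/other.log" <<'EOF'
libtool: compile:  gcc -DHAVE_CONFIG_H -DENABLE_SSLKEYLOGFILE -c vtls/vtls.c -o vtls/vtls.o
EOF
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
for f in with without other; do
    printf '%s.log: %s\n' "$f" "$(keylog_define_status "$demo_dir/$f.log")"
done
rm -rf "$demo_dir"
```

A result of `missing` means the compiler never saw the define for openssl.c, so the build environment dropped or overrode CPPFLAGS; `not-compiled` means the log contains no openssl.c compile step at all.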

grosch commented Jan 5, 2018

Looks like Homebrew isn't actually building it, and when I build via Homebrew it still doesn't take. Is there an ETA to just have it enabled by default in a version coming out soon? I don't need it that bad that it's worth fighting it if it'll be the default soon.

Owner

jay commented Jan 6, 2018

> Looks like homebrew isn't actually building it, and when I build via homebrew it still doesn't take. Is there an ETA to just have it enabled by default in a version coming out soon?

No, I think I backed away from making it the default because I was concerned about security, or something like that. I would try to find out why it doesn't take when you build curl in Homebrew, but that's something you'll have to ask them about.

Owner

bagder commented Jan 8, 2018

Enabling SSLKEYLOGFILE support by default should not be a security problem. Browsers already do this.

@bagder bagder closed this in 84fcaa2 Jan 15, 2018
