bpo-34271: Add ssl debugging helpers (GH-10031) #10031

Merged
tiran merged 2 commits into python:master from tiran:bpo-34271-ssldebug on May 31, 2019

Member

tiran commented Oct 21, 2018

The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

  • API review
  • whatsnew entry
  • More tests

https://bugs.python.org/issue34271

jmfrank63 commented Oct 24, 2018

I made a first test setting the env variable SSLKEYLOGFILE from Python and creating the file from there as well. Currently the ~ resolution does not seem to work, but besides that, using the simple client socket example from the ssl docs, I was able to grab the keys and log them into the file the env variable was pointing to. I was on a Mac and installed openssl@1.1 via Homebrew.

Member Author

tiran commented Oct 24, 2018

The SSLKEYLOGFILE only works if you

  • have OpenSSL 1.1.1 installed. OpenSSL 1.1.0 or 1.0.2 don't have a keylog callback API. Linux distributions like Debian and Fedora just started to include 1.1.1 in their latest test versions.
  • use ssl.create_default_context(). A custom ssl.SSLContext doesn't use SSLKEYLOGFILE.

I decided against expanding ~ to the user's home directory, because neither curl nor NSS expand them.

jmfrank63 commented Oct 29, 2018

I wrote some basic examples showing this works very well. Thanks to https://github.com/jmfrank63/ssl-examples/commits?author=nikosgraser for providing the requests example.

@tiran tiran force-pushed the tiran:bpo-34271-ssldebug branch 3 times, most recently from e938b5b to 3f17e9f May 28, 2019
@tiran tiran removed the DO-NOT-MERGE label May 29, 2019
Member Author

tiran commented May 29, 2019

@zooba Could you please do me a favor and try the patch on Windows? One of the test cases is failing on Windows and I don't understand why.

======================================================================
FAIL: test_keylog_env (test.test_ssl.TestSSLDebug)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\projects\cpython\lib\test\test_ssl.py", line 4488, in test_keylog_env
    self.assertEqual(ctx.keylog_filename, support.TESTFN)
AssertionError: None != '@test_4872_tmp'
----------------------------------------------------------------------
@tiran tiran changed the title [WIP] bpo-34271: Add ssl debugging helpers bpo-34271: Add ssl debugging helpers May 29, 2019
@tiran tiran force-pushed the tiran:bpo-34271-ssldebug branch 4 times, most recently from ea3fd14 to 8bbb6df May 30, 2019
Member Author

tiran commented May 30, 2019

@zooba One Windows test case was failing because ignore_environment flag was set. I'm now skipping the test case if the flag is set.
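
The behaviours discussed in the comments above (only `ssl.create_default_context()` reads `SSLKEYLOGFILE`, `~` is not expanded, and the variable is ignored when `ignore_environment` is set), checked in child interpreters. This is an added example, not code from the pull request or its author; the names `PROBE`, `probe`, `survey` and the file name `tls-keys.log` are constructed for illustration, and it assumes Python 3.8+ linked against OpenSSL 1.1.1 or newer.

```python
import os
import subprocess
import sys
import tempfile

# Child-interpreter probe (constructed for this example): report keylog_filename
# for a default context and for a hand-built SSLContext.
PROBE = """
import ssl
try:
    default = getattr(ssl.create_default_context(), "keylog_filename", None)
except OSError as exc:          # the keylog file could not be opened
    default = type(exc).__name__
custom = getattr(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "keylog_filename", None)
print(default)
print(custom)
"""


def probe(env_value, cwd, flags=()):
    """Run PROBE with SSLKEYLOGFILE=env_value; return (default, custom) as text."""
    env = dict(os.environ, SSLKEYLOGFILE=env_value)
    out = subprocess.run(
        [sys.executable, *flags, "-c", PROBE],
        env=env, cwd=cwd, capture_output=True, text=True, check=True,
    ).stdout
    default, custom = out.splitlines()
    return default, custom


def survey():
    """Compare the cases from the thread; returns {case: (default, custom)}."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tls-keys.log")
        return {
            "path": path,
            "plain": probe(path, tmp),
            "tilde": probe("~/tls-keys.log", tmp),          # "~" is not expanded
            "ignore_env": probe(path, tmp, flags=("-E",)),  # env var is ignored
        }


if __name__ == "__main__":
    for case, result in survey().items():
        print(f"{case:11} {result}")
```

The keylog file holds session secrets, so anyone who can read it can decrypt captured traffic for those sessions. Running Python with `-E` or `-I` keeps an inherited `SSLKEYLOGFILE` from taking effect in default contexts.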

@tiran tiran requested a review from vstinner May 30, 2019
tiran added 2 commits Oct 18, 2018
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

The msg_callback and related enums are now private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes <christian@python.org>
@tiran tiran force-pushed the tiran:bpo-34271-ssldebug branch from 1894a5e to 9bbf7a4 May 31, 2019
@tiran tiran changed the title bpo-34271: Add ssl debugging helpers bpo-34271: Add ssl debugging helpers (GH-10031) May 31, 2019
@tiran tiran merged commit c7f7069 into python:master May 31, 2019
5 checks passed
Azure Pipelines PR #20190531.17 succeeded
bedevere/issue-number Issue number 34271 found
bedevere/news News entry found in Misc/NEWS.d
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
@tiran tiran deleted the tiran:bpo-34271-ssldebug branch May 31, 2019
DinoV added a commit to DinoV/cpython that referenced this pull request Jan 14, 2020
The ssl module now can dump key material to a keylog file and trace TLS
protocol messages with a tracing callback. The default and stdlib
contexts also support SSLKEYLOGFILE env var.

The msg_callback and related enums are private members. The feature
is designed for internal debugging and not for end users.

Signed-off-by: Christian Heimes <christian@python.org>