Support SSL_CTX_set_keylog_callback

SSL_CTX_set_keylog_callback() sets the TLS key logging callback. This callback is called whenever TLS key material is generated or received, in order to allow applications to store this keying material for debugging purposes. Manpage OpenSSL: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_keylog_callback.html SSL_CTX_set_keylog_callback is added to OpenSSL_1_1_1-pre1 openssl/openssl@2faa1b4 Debugging use-case: Use Wireshark to inspect the MQTT connection at the packet level. It is helpful to decrypt the TLS packets. For this Wireshark needs the (Pre-) Master Secret. With this commit you can set the environment variable SSLKEYLOGFILE, give Wireshark the file and examine the decrypted MQTT packets. https://wiki.wireshark.org/TLS Signed-off-by: Patrick Mueller <[email protected]>
eclipse-paho · Apr 24, 2023 · 2b976c1 · 2b976c1
1 parent ade43fb
commit 2b976c1
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/SSLSocket.c b/src/SSLSocket.c
@@ -325,6 +325,21 @@ The user-defined argument optionally defined by SSL_CTX_set_msg_callback_arg() o
 		content_type, (int)len);
 }
 
+void SSL_CTX_keylog_callback(const SSL *ssl, const char *line)
+{
+	const char* sslkeylogfile = getenv("SSLKEYLOGFILE");
+	if (sslkeylogfile)
+	{
+		FILE *fptr;
+
+		fptr = fopen(sslkeylogfile, "at");
+		if (fptr)
+		{
+			fprintf(fptr, "%s\n", line);
+			fclose(fptr);
+		}
+	}
+}
 
 int pem_passwd_cb(char* buf, int size, int rwflag, void* userdata)
 {
@@ -719,6 +734,9 @@ int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts,
 		char *hostname_plus_null;
 		int i;
 
+		#if (OPENSSL_VERSION_NUMBER >= 0x010101000) /* 1.1.1 and later */
+			SSL_CTX_set_keylog_callback(net->ctx, SSL_CTX_keylog_callback);
+		#endif
 		SSL_CTX_set_info_callback(net->ctx, SSL_CTX_info_callback);
 		SSL_CTX_set_msg_callback(net->ctx, SSL_CTX_msg_callback);
    		if (opts->enableServerCertAuth)