|
 |
26c8e2 |
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
|
|
|
26c8e2 |
index 1d201d9..0c4bf1f 100644
|
|
|
26c8e2 |
--- a/modules/ssl/ssl_engine_config.c
|
|
|
26c8e2 |
+++ b/modules/ssl/ssl_engine_config.c
|
|
|
26c8e2 |
@@ -75,6 +75,10 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
|
|
|
26c8e2 |
mc->stapling_refresh_mutex = NULL;
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
|
|
|
26c8e2 |
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+ mc->keylog_file = NULL;
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
|
|
|
26c8e2 |
apr_pool_cleanup_null,
|
|
|
26c8e2 |
pool);
|
|
|
26c8e2 |
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
|
|
|
26c8e2 |
index ef631c1..b286053 100644
|
|
|
26c8e2 |
--- a/modules/ssl/ssl_engine_init.c
|
|
|
26c8e2 |
+++ b/modules/ssl/ssl_engine_init.c
|
|
|
26c8e2 |
@@ -437,6 +437,28 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
|
26c8e2 |
init_bio_methods();
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
|
|
|
26c8e2 |
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+ {
|
|
|
26c8e2 |
+ const char *logfn = getenv("SSLKEYLOGFILE");
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+ if (logfn) {
|
|
|
26c8e2 |
+ rv = apr_file_open(&mc->keylog_file, logfn,
|
|
|
26c8e2 |
+ APR_FOPEN_CREATE|APR_FOPEN_WRITE|APR_FOPEN_APPEND|APR_FOPEN_LARGEFILE,
|
|
|
26c8e2 |
+ APR_FPROT_UREAD|APR_FPROT_UWRITE,
|
|
|
26c8e2 |
+ mc->pPool);
|
|
|
26c8e2 |
+ if (rv) {
|
|
|
26c8e2 |
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s, APLOGNO(10226)
|
|
|
26c8e2 |
+ "Could not open log file '%s' configured via SSLKEYLOGFILE",
|
|
|
26c8e2 |
+ logfn);
|
|
|
26c8e2 |
+ return rv;
|
|
|
26c8e2 |
+ }
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10227)
|
|
|
26c8e2 |
+ "Init: Logging SSL private key material to %s", logfn);
|
|
|
26c8e2 |
+ }
|
|
|
26c8e2 |
+ }
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
return OK;
|
|
|
26c8e2 |
}
|
|
|
26c8e2 |
|
|
|
26c8e2 |
@@ -796,6 +818,12 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
|
|
|
26c8e2 |
* https://github.com/openssl/openssl/issues/7178 */
|
|
|
26c8e2 |
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+ if (mctx->sc->mc->keylog_file) {
|
|
|
26c8e2 |
+ SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog);
|
|
|
26c8e2 |
+ }
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
|
|
|
26c8e2 |
return APR_SUCCESS;
|
|
|
26c8e2 |
}
|
|
|
26c8e2 |
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
|
|
|
26c8e2 |
index 6611610..7058865 100644
|
|
|
26c8e2 |
--- a/modules/ssl/ssl_engine_kernel.c
|
|
|
26c8e2 |
+++ b/modules/ssl/ssl_engine_kernel.c
|
|
|
26c8e2 |
@@ -2719,3 +2719,17 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
|
|
|
26c8e2 |
}
|
|
|
26c8e2 |
|
|
|
26c8e2 |
#endif /* HAVE_SRP */
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+/* Callback used with SSL_CTX_set_keylog_callback. */
|
|
|
26c8e2 |
+void modssl_callback_keylog(const SSL *ssl, const char *line)
|
|
|
26c8e2 |
+{
|
|
|
26c8e2 |
+ conn_rec *conn = SSL_get_app_data(ssl);
|
|
|
26c8e2 |
+ SSLSrvConfigRec *sc = mySrvConfig(conn->base_server);
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+ if (sc && sc->mc->keylog_file) {
|
|
|
26c8e2 |
+ apr_file_printf(sc->mc->keylog_file, "%s\n", line);
|
|
|
26c8e2 |
+ }
|
|
|
26c8e2 |
+}
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
|
|
|
26c8e2 |
index 0fac5d1..2514407 100644
|
|
|
26c8e2 |
--- a/modules/ssl/ssl_private.h
|
|
|
26c8e2 |
+++ b/modules/ssl/ssl_private.h
|
|
|
26c8e2 |
@@ -250,6 +250,10 @@ void free_bio_methods(void);
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
|
|
|
26c8e2 |
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
|
26c8e2 |
+#define HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
/* mod_ssl headers */
|
|
|
26c8e2 |
#include "ssl_util_ssl.h"
|
|
|
26c8e2 |
|
|
|
26c8e2 |
@@ -617,6 +621,12 @@ typedef struct {
|
|
|
26c8e2 |
apr_global_mutex_t *stapling_cache_mutex;
|
|
|
26c8e2 |
apr_global_mutex_t *stapling_refresh_mutex;
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+ /* Used for logging if SSLKEYLOGFILE is set at startup. */
|
|
|
26c8e2 |
+ apr_file_t *keylog_file;
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
} SSLModConfigRec;
|
|
|
26c8e2 |
|
|
|
26c8e2 |
/** Structure representing configured filenames for certs and keys for
|
|
|
26c8e2 |
@@ -970,6 +980,11 @@ int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
|
|
|
26c8e2 |
int ssl_callback_SRPServerParams(SSL *, int *, void *);
|
|
|
26c8e2 |
#endif
|
|
|
26c8e2 |
|
|
|
26c8e2 |
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
|
26c8e2 |
+/* Callback used with SSL_CTX_set_keylog_callback. */
|
|
|
26c8e2 |
+void modssl_callback_keylog(const SSL *ssl, const char *line);
|
|
|
26c8e2 |
+#endif
|
|
|
26c8e2 |
+
|
|
|
26c8e2 |
/** I/O */
|
|
|
26c8e2 |
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
|
|
|
26c8e2 |
void ssl_io_filter_register(apr_pool_t *);
|