Reputation: 13775
What fields be expected in sslkeylog file?
https://www.youtube.com/watch?v=5qecyZHL-GU
The key log file below associated with the above video contain the following content.
https://drive.google.com/file/d/1hGM3fU-k4o2cLb1xvcYd1W5OkqtTgjXH/view
$ cat sslkeylog.log
CLIENT_HANDSHAKE_TRAFFIC_SECRET 83ac6b24496f208daee39dfdfcbd36b7c428245af5e3775e42099dbd48741d4a db6f3d27b40b7c8e10ed415281b39e45ca6ef2b59468f943dbe6e81e1f82e0f0
SERVER_HANDSHAKE_TRAFFIC_SECRET 83ac6b24496f208daee39dfdfcbd36b7c428245af5e3775e42099dbd48741d4a d819660e194d9439e7152ceac2a439b41584afbeb5d719663cecb3c63b5c2eb1
CLIENT_TRAFFIC_SECRET_0 83ac6b24496f208daee39dfdfcbd36b7c428245af5e3775e42099dbd48741d4a 71d4806141cb1b247c1d1f3f7747a804fcc5e06c4192d8f53fc763a27b92316c
SERVER_TRAFFIC_SECRET_0 83ac6b24496f208daee39dfdfcbd36b7c428245af5e3775e42099dbd48741d4a 2ca17b0f7ff708fb3001be17a1c85163219221a4595462415e9e9e6653daf1fa
EXPORTER_SECRET 83ac6b24496f208daee39dfdfcbd36b7c428245af5e3775e42099dbd48741d4a 3f74b0cbe802d3e3dd3b5f6dee4114f928ec936a0cd388643d146cfb606f62a4
It has these.
CLIENT_HANDSHAKE_TRAFFIC_SECRETCLIENT_HANDSHAKE_TRAFFIC_SECRETCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0EXPORTER_SECRET
But the following example only has CLIENT_RANDOM.
$ SSLKEYLOGFILE=sslkey.log curl -s https://httpbin.org > /dev/null
$ cat sslkey.log
CLIENT_RANDOM 73c0277fd99b097691bc1745f14376cf9cca3c75f357ce4d276de9402d17e1b3 1cccf53210ce60caf626c39e55bf988d2666146dd0597437ba3b3feb745f53360683e86e00f77c7f93068f63fc24f551
Why do they have different fields? Do I capture the key log completely in the curl example?
Upvotes: 0
Views: 2754
Answers (1)
Reputation: 123591
The format of the SSLKEYLOGFILE iswas documented in NSS Key Log Format (preserved copy in archive.org). It is also an IETF draft draft-thomson-tls-keylogfile. From this documentation it can be seen that several keys are only available with TLS 1.3, while others only with TLS 1.2 and lower.
The difference in the different files you have is due to the first representing a TLS 1.3 session while the latter represents a TLS 1.2 or lower session.
Upvotes: 1
Related Questions
- SSLKEYLOGFILE environment variable doesn't populate any text file
- What is the equivalence of SSLKEYLOGFILE in a Java program?
- SSLKeyLog file for chrome- mac not working
- Need to capture SSL_PROTOCOL details in access log of HttpServer
- Chrome not Firefox are not dumping to SSLKEYLOGFILE variable
- Does perl IO::Socket::SSL support SSLKEYLOGFILE?
- Parsing ServerKeyExchange message in SSL
- How to view SSL and TLS Protocol Information?
- apache logs https GET parameters?
- How can I log the SSL layer with the Apache HTTP server classes