mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-01-23 05:53:09 +00:00
DEV: add a Lua helper script for SSL keys logging
This script can be used through a http-request rules to log SSL keys for traffic on a dedicated frontend. The resulting file can then be injected into wireshark to decipher the corresponding network capture.
This commit is contained in:
parent
c2f1d0ee5e
commit
f1df006ffe
43
dev/sslkeylogger/sslkeylogger.lua
Normal file
43
dev/sslkeylogger/sslkeylogger.lua
Normal file
@ -0,0 +1,43 @@
|
||||
--[[
|
||||
This script can be used to decipher SSL traffic coming through haproxy. It
|
||||
must first be loaded in the global section of haproxy configuration with
|
||||
TLS keys logging activated :
|
||||
|
||||
tune.ssl.keylog on
|
||||
lua-load sslkeylogger.lua
|
||||
|
||||
Then a http-request rule can be inserted for the desired frontend :
|
||||
http-request lua.sslkeylog <path_to_keylog_file>
|
||||
|
||||
The generated keylog file can then be injected into wireshark to decipher a
|
||||
network capture.
|
||||
]]
|
||||
|
||||
local function sslkeylog(txn, filename)
|
||||
local fields = {
|
||||
CLIENT_EARLY_TRAFFIC_SECRET = function() return txn.f:ssl_fc_client_early_traffic_secret() end,
|
||||
CLIENT_HANDSHAKE_TRAFFIC_SECRET = function() return txn.f:ssl_fc_client_handshake_traffic_secret() end,
|
||||
SERVER_HANDSHAKE_TRAFFIC_SECRET = function() return txn.f:ssl_fc_server_handshake_traffic_secret() end,
|
||||
CLIENT_TRAFFIC_SECRET_0 = function() return txn.f:ssl_fc_client_traffic_secret_0() end,
|
||||
SERVER_TRAFFIC_SECRET_0 = function() return txn.f:ssl_fc_server_traffic_secret_0() end,
|
||||
EXPORTER_SECRET = function() return txn.f:ssl_fc_exporter_secret() end,
|
||||
EARLY_EXPORTER_SECRET = function() return txn.f:ssl_fc_early_exporter_secret() end
|
||||
}
|
||||
|
||||
local client_random = txn.c:hex(txn.f:ssl_fc_client_random())
|
||||
|
||||
-- ensure that a key is written only once by using a session variable
|
||||
if not txn:get_var('sess.sslkeylogdone') then
|
||||
file = io.open(filename, 'a')
|
||||
for fieldname, fetch in pairs(fields) do
|
||||
if fetch() then
|
||||
file:write(string.format('%s %s %s\n', fieldname, client_random, fetch()))
|
||||
end
|
||||
end
|
||||
|
||||
file:close()
|
||||
txn:set_var('sess.sslkeylogdone', true)
|
||||
end
|
||||
end
|
||||
|
||||
core.register_action('sslkeylog', { 'http-req' }, sslkeylog, 1)
|
Loading…
Reference in New Issue
Block a user