feat: optional SSLKEYLOGFILE support

crepererum · crepererum · commit 66aa283d509f · 2023-09-28T12:51:10.000+02:00
Add a `use_key_log` option to server and client TLS configs that -- when set -- will enable rustls's `SSLKEYLOGFILE` handling. This is helpful when you want to intercept TLS traffic for debugging and is generally supported by many libraries and browsers. Also see: https://wiki.wireshark.org/TLS#using-the-pre-master-secret
diff --git a/tonic/src/transport/channel/tls.rs b/tonic/src/transport/channel/tls.rs
@@ -12,6 +12,7 @@ pub struct ClientTlsConfig {
     domain: Option<String>,
     cert: Option<Certificate>,
     identity: Option<Identity>,
+    use_key_log: bool,
 }
 
 impl fmt::Debug for ClientTlsConfig {
@@ -31,6 +32,7 @@ impl ClientTlsConfig {
             domain: None,
             cert: None,
             identity: None,
+            use_key_log: false,
         }
     }
 
@@ -58,11 +60,24 @@ impl ClientTlsConfig {
         }
     }
 
+    /// Use key log as specified by the `SSLKEYLOGFILE` environment variable.
+    pub fn use_key_log(self) -> Self {
+        ClientTlsConfig {
+            use_key_log: true,
+            ..self
+        }
+    }
+
     pub(crate) fn tls_connector(&self, uri: Uri) -> Result<TlsConnector, crate::Error> {
         let domain = match &self.domain {
             None => uri.host().ok_or_else(Error::new_invalid_uri)?.to_string(),
             Some(domain) => domain.clone(),
         };
-        TlsConnector::new(self.cert.clone(), self.identity.clone(), domain)
+        TlsConnector::new(
+            self.cert.clone(),
+            self.identity.clone(),
+            domain,
+            self.use_key_log,
+        )
     }
 }
diff --git a/tonic/src/transport/server/tls.rs b/tonic/src/transport/server/tls.rs
@@ -10,6 +10,7 @@ pub struct ServerTlsConfig {
     identity: Option<Identity>,
     client_ca_root: Option<Certificate>,
     client_auth_optional: bool,
+    use_key_log: bool,
 }
 
 impl fmt::Debug for ServerTlsConfig {
@@ -25,6 +26,7 @@ impl ServerTlsConfig {
             identity: None,
             client_ca_root: None,
             client_auth_optional: false,
+            use_key_log: false,
         }
     }
 
@@ -57,11 +59,20 @@ impl ServerTlsConfig {
         }
     }
 
+    /// Use key log as specified by the `SSLKEYLOGFILE` environment variable.
+    pub fn use_key_log(self) -> Self {
+        ServerTlsConfig {
+            use_key_log: true,
+            ..self
+        }
+    }
+
     pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::Error> {
         TlsAcceptor::new(
             self.identity.clone().unwrap(),
             self.client_ca_root.clone(),
             self.client_auth_optional,
+            self.use_key_log,
         )
     }
 }
diff --git a/tonic/src/transport/service/connector.rs b/tonic/src/transport/service/connector.rs
@@ -51,7 +51,7 @@ impl<C> Connector<C> {
 
         host.try_into()
             .ok()
-            .and_then(|dns| TlsConnector::new(None, None, dns).ok())
+            .and_then(|dns| TlsConnector::new(None, None, dns, false).ok())
     }
 }
 
diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
@@ -31,6 +31,7 @@ impl TlsConnector {
         ca_cert: Option<Certificate>,
         identity: Option<Identity>,
         domain: String,
+        use_key_log: bool,
     ) -> Result<Self, crate::Error> {
         let builder = ClientConfig::builder().with_safe_defaults();
         let mut roots = RootCertStore::empty();
@@ -61,6 +62,11 @@ impl TlsConnector {
         };
 
         config.alpn_protocols.push(ALPN_H2.as_bytes().to_vec());
+
+        if use_key_log {
+            config.key_log = Arc::new(rustls::KeyLogFile::new());
+        }
+
         Ok(Self {
             config: Arc::new(config),
             domain: Arc::new(domain.as_str().try_into()?),
@@ -106,6 +112,7 @@ impl TlsAcceptor {
         identity: Identity,
         client_ca_root: Option<Certificate>,
         client_auth_optional: bool,
+        use_key_log: bool,
     ) -> Result<Self, crate::Error> {
         let builder = ServerConfig::builder().with_safe_defaults();
 
@@ -131,6 +138,11 @@ impl TlsAcceptor {
         let mut config = builder.with_single_cert(cert, key)?;
 
         config.alpn_protocols.push(ALPN_H2.as_bytes().to_vec());
+
+        if use_key_log {
+            config.key_log = Arc::new(rustls::KeyLogFile::new());
+        }
+
         Ok(Self {
             inner: Arc::new(config),
         })

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ pub struct ClientTlsConfig {`
`12`	`12`	`domain: Option<String>,`
`13`	`13`	`cert: Option<Certificate>,`
`14`	`14`	`identity: Option<Identity>,`
	`15`	`+ use_key_log: bool,`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`impl fmt::Debug for ClientTlsConfig {`
`@@ -31,6 +32,7 @@ impl ClientTlsConfig {`
`31`	`32`	`domain: None,`
`32`	`33`	`cert: None,`
`33`	`34`	`identity: None,`
	`35`	`+ use_key_log: false,`
`34`	`36`	`}`
`35`	`37`	`}`
`36`	`38`
`@@ -58,11 +60,24 @@ impl ClientTlsConfig {`
`58`	`60`	`}`
`59`	`61`	`}`
`60`	`62`
	`63`	+ /// Use key log as specified by the `SSLKEYLOGFILE` environment variable.
	`64`	`+ pub fn use_key_log(self) -> Self {`
	`65`	`+ ClientTlsConfig {`
	`66`	`+ use_key_log: true,`
	`67`	`+ ..self`
	`68`	`+ }`
	`69`	`+ }`
	`70`	`+`
`61`	`71`	`pub(crate) fn tls_connector(&self, uri: Uri) -> Result<TlsConnector, crate::Error> {`
`62`	`72`	`let domain = match &self.domain {`
`63`	`73`	`None => uri.host().ok_or_else(Error::new_invalid_uri)?.to_string(),`
`64`	`74`	`Some(domain) => domain.clone(),`
`65`	`75`	`};`
`66`		`- TlsConnector::new(self.cert.clone(), self.identity.clone(), domain)`
	`76`	`+ TlsConnector::new(`
	`77`	`+ self.cert.clone(),`
	`78`	`+ self.identity.clone(),`
	`79`	`+ domain,`
	`80`	`+ self.use_key_log,`
	`81`	`+ )`
`67`	`82`	`}`
`68`	`83`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ pub struct ServerTlsConfig {`
`10`	`10`	`identity: Option<Identity>,`
`11`	`11`	`client_ca_root: Option<Certificate>,`
`12`	`12`	`client_auth_optional: bool,`
	`13`	`+ use_key_log: bool,`
`13`	`14`	`}`
`14`	`15`
`15`	`16`	`impl fmt::Debug for ServerTlsConfig {`
`@@ -25,6 +26,7 @@ impl ServerTlsConfig {`
`25`	`26`	`identity: None,`
`26`	`27`	`client_ca_root: None,`
`27`	`28`	`client_auth_optional: false,`
	`29`	`+ use_key_log: false,`
`28`	`30`	`}`
`29`	`31`	`}`
`30`	`32`
`@@ -57,11 +59,20 @@ impl ServerTlsConfig {`
`57`	`59`	`}`
`58`	`60`	`}`
`59`	`61`
	`62`	+ /// Use key log as specified by the `SSLKEYLOGFILE` environment variable.
	`63`	`+ pub fn use_key_log(self) -> Self {`
	`64`	`+ ServerTlsConfig {`
	`65`	`+ use_key_log: true,`
	`66`	`+ ..self`
	`67`	`+ }`
	`68`	`+ }`
	`69`	`+`
`60`	`70`	`pub(crate) fn tls_acceptor(&self) -> Result<TlsAcceptor, crate::Error> {`
`61`	`71`	`TlsAcceptor::new(`
`62`	`72`	`self.identity.clone().unwrap(),`
`63`	`73`	`self.client_ca_root.clone(),`
`64`	`74`	`self.client_auth_optional,`
	`75`	`+ self.use_key_log,`
`65`	`76`	`)`
`66`	`77`	`}`
`67`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ impl<C> Connector<C> {`
`51`	`51`
`52`	`52`	`host.try_into()`
`53`	`53`	`.ok()`
`54`		`- .and_then(\|dns\| TlsConnector::new(None, None, dns).ok())`
	`54`	`+ .and_then(\|dns\| TlsConnector::new(None, None, dns, false).ok())`
`55`	`55`	`}`
`56`	`56`	`}`
`57`	`57`