vtls: log when key logging is enabled.

If built with LibreSSL, also warn that it only works for TLS <= 1.2 Inspired-by: Viktor Szakats Closes #19814
2026-05-02 13:57:51 +03:00 · 2025-12-02 18:15:47 +02:00 · 2025-12-02 18:15:47 +02:00 · 7100e8d45a
commit 7100e8d45a
parent 4c078fd115
3 changed files with 36 additions and 4 deletions
--- a/lib/vtls/keylog.c
+++ b/lib/vtls/keylog.c
@ -22,21 +22,23 @@
 *
 ***************************************************************************/
 #include "curl_setup.h"
+#include "vtls/keylog.h"

 #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
  defined(USE_RUSTLS)

-#include "vtls/keylog.h"
 #include "escape.h"
 #include "curlx/fopen.h"

 /* The fp for the open SSLKEYLOGFILE, or NULL if not open */
 static FILE *keylog_file_fp;
+/* Used for verbose logging */
+static char *keylog_file_name;

 void Curl_tls_keylog_open(void)
 {
  if(!keylog_file_fp) {
-    char *keylog_file_name = curl_getenv("SSLKEYLOGFILE");
+    keylog_file_name = curl_getenv("SSLKEYLOGFILE");
    if(keylog_file_name) {
      keylog_file_fp = curlx_fopen(keylog_file_name, FOPEN_APPENDTEXT);
      if(keylog_file_fp) {
@ -50,7 +52,6 @@ void Curl_tls_keylog_open(void)
          keylog_file_fp = NULL;
        }
      }
-      curlx_safefree(keylog_file_name);
    }
  }
 }
@ -61,6 +62,7 @@ void Curl_tls_keylog_close(void)
    curlx_fclose(keylog_file_fp);
    keylog_file_fp = NULL;
  }
+  curlx_safefree(keylog_file_name);
 }

 bool Curl_tls_keylog_enabled(void)
@ -68,6 +70,11 @@ bool Curl_tls_keylog_enabled(void)
  return keylog_file_fp != NULL;
 }

+const char *Curl_tls_keylog_file_name(void)
+{
+  return keylog_file_name;
+}
+
 bool Curl_tls_keylog_write_line(const char *line)
 {
  /* The current maximum valid keylog line length LF and NUL is 195. */
@ -139,4 +146,16 @@ bool Curl_tls_keylog_write(const char *label,
  return TRUE;
 }

-#endif /* TLS backend */
+#else /* TLS backend */
+
+bool Curl_tls_keylog_enabled(void)
+{
+  return FALSE;
+}
+
+const char *Curl_tls_keylog_file_name(void)
+{
+  return NULL;
+}
+
+#endif  /* TLS backend */
--- a/lib/vtls/keylog.h
+++ b/lib/vtls/keylog.h
@ -52,6 +52,11 @@ void Curl_tls_keylog_close(void);
 */
 bool Curl_tls_keylog_enabled(void);

+/*
+ * Returns a pointer to the filename keys are being written to, if enabled.
+ */
+const char *Curl_tls_keylog_file_name(void);
+
 /*
 * Appends a key log file entry.
 * Returns true iff the key log file is open and a valid entry was provided.
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@ -50,6 +50,7 @@
 #include "vtls/vtls.h" /* generic SSL protos etc */
 #include "vtls/vtls_int.h"
 #include "vtls/vtls_scache.h"
+#include "vtls/keylog.h"

 #include "vtls/openssl.h"        /* OpenSSL versions */
 #include "vtls/gtls.h"           /* GnuTLS versions */
@ -1367,6 +1368,13 @@ static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
    if(connssl->state == ssl_connection_complete) {
      connssl->handshake_done = *Curl_pgrs_now(data);
    }
+    if(Curl_tls_keylog_enabled()) {
+      infof(data, "SSLKEYLOGFILE set, all TLS secrets are logged to '%s'",
+            Curl_tls_keylog_file_name());
+#ifdef LIBRESSL_VERSION_NUMBER
+      infof(data, "Note LibreSSL only supports SSLKEYLOGFILE for TLS <= 1.2");
+#endif
+    }
    /* Connection can be deferred when sending early data */
    DEBUGASSERT(connssl->state == ssl_connection_complete ||
                connssl->state == ssl_connection_deferred);