OpenSSL: Debug output TLS 1.3 keying

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f78b2001e0e5a8d8c8d605e29db68237b151c6d4..d24b44c949aeab7f2e9b5c19b55fbdcd4d598b37 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -8,8 +8,8 @@ options, and new features, see the NewStuff file next to this ChangeLog.
 Exim version 4.93
 -----------------
 
 Exim version 4.93
 -----------------
 

-AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they return error
-      codes indicating retry.  Under TLS1.3 this becomes required.
+JH/01 OpenSSL: With debug enabled output keying information sufficient, server
+      side, to decode a TLS 1.3 packet capture.

 
 
 Exim version 4.92
 
 
 Exim version 4.92


@@ -180,6 +180,9 @@ JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external
       and multiple senders' messages were queued, only one sender would get
       notified on each configured delay_warning cycle.
 
       and multiple senders' messages were queued, only one sender would get
       notified on each configured delay_warning cycle.
 

+AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they return error
+      codes indicating retry.  Under TLS1.3 this becomes required.
+

 
 Exim version 4.91
 -----------------
 
 Exim version 4.91
 -----------------

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 8f888824f3b1f7195670eb4deffdf83afb8ec1ef..692022063a8f7889c82ab1f0440964f2575890a4 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -91,6 +91,12 @@ change this guard and punt the issue for a while longer. */
 # endif
 #endif
 
 # endif
 #endif
 

+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010101000L
+#  define OPENSSL_HAVE_KEYLOG_CB
+# endif
+#endif
+

 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
 # define DISABLE_OCSP
 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
 # define DISABLE_OCSP


@@ -774,6 +780,12 @@ DEBUG(D_tls)
   }
 }
 
   }
 }
 

+static void
+keylog_callback(const SSL *ssl, const char *line)
+{
+DEBUG(D_tls) debug_printf("%.200s\n", line);
+}
+

 
 
 /*************************************************
 
 
 /*************************************************


@@ -1768,6 +1780,9 @@ if (!RAND_status())
 level. */
 
 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
 level. */
 
 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);

+#ifdef OPENSSL_HAVE_KEYLOG_CB
+DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
+#endif

 
 /* Automatically re-try reads/writes after renegotiation. */
 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 
 /* Automatically re-try reads/writes after renegotiation. */
 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);