
Add feature/example to generate NSS-like log for wireshark

Open mpg opened this issue 7 years ago • 3 comments

Description

  • Type: Enhancement\Feature Request
  • Priority: Minor

Enhancement\Feature Request

Suggested enhancement

Wireshark has a feature to decrypt content of TLS connections, which obviously needs cooperation from the library (except for pure-RSA key exchange). This cooperation takes the form of a log file whose format is described here.

Mbed TLS should offer an easy solution to write such a log file. This could be implemented either as part of the library or as part of an example program (most probably programs/ssl/ssl_{client,server2}.c).

Justification - why does the library need this feature?

  1. Our users want it https://github.com/ARMmbed/mbedtls/pull/1483 and at least one already wrote their own version of it: https://github.com/Lekensteyn/mbedtls/commit/68aea15833e1ac9290b8f52a4223fb4585fb3986
  2. It would make our own life easier for debugging with Wireshark (e.g. renegotiation, where the new handshake is encrypted). I remember creating an NSS keylog manually from Mbed TLS's debug output in the past; obviously an automated way would be more efficient.

mpg avatar Mar 26 '18 12:03 mpg
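The core of what the issue asks for, as an added example that is not Mbed TLS code: formatting and validating one TLS 1.2 entry of the NSS key log format Wireshark reads (`CLIENT_RANDOM <ClientHello.random hex> <master secret hex>`) from the raw bytes. In a real integration the two byte arrays would come from the library's key-export callback (`mbedtls_ssl_set_export_keys_cb()` in Mbed TLS 3.x); the constant sizes here are the TLS 1.2 ones, and the sample values in the test are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* TLS 1.2 sizes: 32-byte ClientHello.random, 48-byte master secret. A line is
 * "CLIENT_RANDOM " + 64 hex + " " + 96 hex + "\n", plus the NUL terminator. */
#define TLS_RANDOM_LEN 32
#define TLS12_MASTER_SECRET_LEN 48
#define NSS_KEYLOG_LINE_MAX (14 + 2 * TLS_RANDOM_LEN + 1 + 2 * TLS12_MASTER_SECRET_LEN + 2)

/* Lowercase hex, NUL-terminated; out must hold 2 * len + 1 bytes. */
static void hex_encode(const unsigned char *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02x", in[i]);   /* two digits plus a NUL each time */
}

/* Format one TLS 1.2 key log entry into out. Returns the line length without the
 * NUL, or -1 if out cannot hold a complete line (never emit a truncated entry). */
int nss_keylog_format(const unsigned char *client_random, const unsigned char *master_secret,
                      char *out, size_t out_len)
{
    char rnd_hex[2 * TLS_RANDOM_LEN + 1], sec_hex[2 * TLS12_MASTER_SECRET_LEN + 1];
    if (out_len < NSS_KEYLOG_LINE_MAX)
        return -1;
    hex_encode(client_random, TLS_RANDOM_LEN, rnd_hex);
    hex_encode(master_secret, TLS12_MASTER_SECRET_LEN, sec_hex);
    return snprintf(out, out_len, "CLIENT_RANDOM %s %s\n", rnd_hex, sec_hex);
}

static int is_hex_run(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char) s[i]))
            return 0;
    return 1;
}

/* Check a line has exactly the shape Wireshark parses; a malformed entry decrypts nothing. */
int nss_keylog_line_valid(const char *line)
{
    size_t pos = 14; /* strlen("CLIENT_RANDOM ") */
    if (strlen(line) != NSS_KEYLOG_LINE_MAX - 1 || strncmp(line, "CLIENT_RANDOM ", pos) != 0)
        return 0;
    if (!is_hex_run(line + pos, 2 * TLS_RANDOM_LEN) || line[pos + 2 * TLS_RANDOM_LEN] != ' ')
        return 0;
    pos += 2 * TLS_RANDOM_LEN + 1;
    return is_hex_run(line + pos, 2 * TLS12_MASTER_SECRET_LEN)
           && line[pos + 2 * TLS12_MASTER_SECRET_LEN] == '\n';
}
```

Whatever appends these lines to the key log file holds the session secrets, so the feature should be opt-in (enabled only by an explicit option) and each line flushed as it is written so a crashed client still leaves a usable log.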

Any update on this feature? It has been five years... wolfSSL already has this feature.

xenkuo avatar Nov 25 '23 07:11 xenkuo

@xenkuo Apart from TLS 1.3, we currently have a heavy focus on crypto, so we have very little time to work on TLS. This is likely to last for another year or so.

gilles-peskine-arm avatar Nov 28 '23 16:11 gilles-peskine-arm

Hi, I want to bump up this topic because as someone who debugs apps utilizing MbedTLS, I would also like to be able to debug TLS traffic. :)

anuar2k avatar Oct 09 '24 13:10 anuar2k