
support `SSHKEYLOGFILE`

Open raboof opened this issue 7 months ago • 3 comments

When serving TLS connections, some applications support setting an SSHKEYLOGFILE environment variable so that the application can dump the key material in there, and tools like Wireshark can pick it up and show the decrypted traffic.

It is possible that this is already possible with Pekko HTTP as well (possibly using a tool such as https://github.com/jsslkeylog/jsslkeylog), or perhaps some changes are needed.

It would be great if someone could look into this and either document how to do it or make an overview of the changes that would be needed.

raboof avatar May 14 '25 15:05 raboof

Before DH key exchange it was easier because the server RSA private keys were enough to decrypt all traffic (but obviously also less secure).

SSHKEYLOGFILE is great if it works. In general, most solutions will be brittle if the TLS implementation does not support it out-of-the-box (which the JDK does not). By design they usually hold pretty tight to their secrets and don't expose them. jsslkeylog looks great (but likely breaks with every major JDK update) but if it is being kept updated it would be the preferred solution.

jrudolph avatar May 14 '25 15:05 jrudolph

> By design they usually hold pretty tight to their secrets and don't expose them

Oh I thought -Djavax.net.debug=ssl also already dumped the key material - but TBH I haven't looked at that in ages.

> jsslkeylog looks great (but likely breaks with every major JDK update) but if it is being kept updated it would be the preferred solution.

Would be cool if someone could try it out!

raboof avatar May 14 '25 16:05 raboof

I can confirm jsslkeylog actually works (at least with Pekko gRPC on sbt on Java 21.0.7) - so it would be cool to document that ;)

raboof avatar May 15 '25 15:05 raboof
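An added example, not code from this thread or from Pekko: a small Python checker for the NSS key log format that agents like jsslkeylog write and Wireshark reads (one `<label> <client random hex> <secret hex>` entry per line). It validates the entries before the file is handed to Wireshark and checks that the file's mode keeps the key material private; the labels and secret lengths are the TLS 1.2 and TLS 1.3 ones Wireshark accepts, and the sample lines are constructed.

```python
import re
import stat

# NSS key log labels with the secret size in bytes each must carry. CLIENT_RANDOM
# holds the 48-byte TLS 1.2 master secret; TLS 1.3 labels hold hash-length
# secrets (32 for SHA-256 suites, 48 for SHA-384 suites).
SECRET_LENGTHS: dict[str, tuple[int, ...]] = {
    "CLIENT_RANDOM": (48,),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
    "EXPORTER_SECRET": (32, 48),
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text: str) -> tuple[list[tuple[str, str, str]], list[str]]:
    """Parse key log text into (valid entries, one error message per bad line)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, client_random, secret = parts
        if label not in SECRET_LENGTHS:
            errors.append(f"line {lineno}: unknown label {label}")
        elif len(client_random) != 64 or not HEX.match(client_random):
            errors.append(f"line {lineno}: client random must be 32 hex-encoded bytes")
        elif not HEX.match(secret) or len(secret) % 2 or len(secret) // 2 not in SECRET_LENGTHS[label]:
            errors.append(f"line {lineno}: {label} secret has bad length {len(secret) // 2}")
        else:
            entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors

def keylog_mode_is_private(mode: int) -> bool:
    """True when the file mode grants nothing to group or other (e.g. 0o600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample: three well-formed lines, then two lines Wireshark would ignore.
SAMPLE = "\n".join([
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "cc" * 48,
    "CLIENT_RANDOM " + "dd" * 32 + " " + "ee" * 48,
    "CLIENT_RANDOM " + "dd" * 32 + " " + "ee" * 20,      # truncated master secret
    "MASTER_SECRET " + "dd" * 32 + " " + "ee" * 48,      # label not in the format
])
```

Run `parse_keylog` over the real file's contents and `keylog_mode_is_private(os.stat(path).st_mode)` on its path to check a jsslkeylog dump before pointing Wireshark at it.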