nats-server
Shall nats provides a flag for a writer in tls.Config to get the TLS secret for debugging?
Feature Request
Currently, nats only provides flags to specify the cert, key and so on, and initializes them in the function func overrideTLS(opts *Options) error:
tc := TLSConfigOpts{}
tc.CertFile = opts.TLSCert
tc.KeyFile = opts.TLSKey
tc.CaFile = opts.TLSCaCert
tc.Verify = opts.TLSVerify
tc.Ciphers = defaultCipherSuites()
However, nats doesn't provide any way to get the keys during the TLS handshake and it also doesn't provide a way to pass a tls.Config struct.
So for debugging (especially for QUIC development), I think it is necessary to add a new flag to enable key log output. Note that it should be enabled only in debug mode.
Use Case:
nats-server -sslkeylog "log file name" etc...
This way, we could get the key log in the format:
CLIENT_HANDSHAKE_TRAFFIC_SECRET 4a91b2801514....blabla
SERVER_HANDSHAKE_TRAFFIC_SECRET 4a91b280151....blabla
CLIENT_TRAFFIC_SECRET_0 4a91b28015147bb400e48....blabla
SERVER_TRAFFIC_SECRET_0 4a91b28015147bb400e48....blabla
This also provides a way to get the log and let Wireshark decrypt the packets.
Proposed Change:
Add a new flag in function func ConfigureOptions(fs *flag.FlagSet, args []string, printVersion, printHelp, printTLSHelp func()) (*Options, error).
Who Benefits From The Change(s)?
Developers who are developing QUIC can use Wireshark to capture the packets, and this new feature helps Wireshark decrypt the encrypted packets.
@derekcollison If nats-server has such a plan, I am interested in adding this feature. Thanks.
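An added example, not part of this issue and not nats-server code, showing what the requested flag amounts to in Go: crypto/tls already exposes tls.Config.KeyLogWriter, and setting it makes the server emit exactly the NSS-format lines listed above (CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0) during a TLS 1.3 handshake. The helper names (keyLogWriterFromFlag, serverTLSConfig, selfSignedCert, handshakeWithKeyLog) and the self-signed localhost certificate are assumptions made for the example; the in-process handshake exists only so the example runs offline and shows the log being produced.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// keyLogWriterFromFlag (hypothetical helper) maps an -sslkeylog flag value to a writer.
// An empty path keeps key logging off; the file is owner-only because it holds session secrets.
func keyLogWriterFromFlag(path string) (io.WriteCloser, error) {
	if path == "" {
		return nil, nil
	}
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
}

// serverTLSConfig (hypothetical) is the whole change the request needs: a non-nil KeyLogWriter
// makes crypto/tls emit NSS-format lines "LABEL <client_random_hex> <secret_hex>" during handshakes.
func serverTLSConfig(cert tls.Certificate, keyLog io.Writer) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	if keyLog != nil {
		cfg.KeyLogWriter = keyLog // debug mode only: this exposes the traffic secrets
	}
	return cfg
}

// selfSignedCert builds a throwaway certificate (constructed) so the example runs offline.
func selfSignedCert() (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// handshakeWithKeyLog runs one in-process TLS 1.3 handshake against serverTLSConfig and
// returns the label (first field) of every line the server wrote to its key log.
func handshakeWithKeyLog() ([]string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	var keyLog bytes.Buffer // stands in for the file keyLogWriterFromFlag would open
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- tls.Server(c, serverTLSConfig(cert, &keyLog)).Handshake()
	}()
	// InsecureSkipVerify only because the peer presents our own self-signed test certificate.
	cc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS13})
	if err != nil {
		return nil, err
	}
	cc.Close()
	if err := <-srvErr; err != nil { // once Handshake() returns, all four TLS 1.3 secrets are logged
		return nil, err
	}
	var labels []string
	for _, line := range strings.Split(strings.TrimSpace(keyLog.String()), "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			labels = append(labels, f[0])
		}
	}
	return labels, nil
}

func main() {
	labels, err := handshakeWithKeyLog()
	fmt.Println("key log labels:", labels, "err:", err)
}
```

In a real server the writer from keyLogWriterFromFlag would replace the in-memory buffer, and Wireshark reads that file through its TLS protocol preference "(Pre)-Master-Secret log filename". Because the file lets anyone holding it decrypt the captured sessions, the flag is worth gating behind debug mode as the request proposes, and the file should stay owner-readable only.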
We don't at this time, but looped in @philpennock
Get it. Thanks @philpennock @derekcollison
You submitted a PR yes?
Submitted a draft PR.