Skip to content

Extend ClientConfig to allow for setting key_log #308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Extend ClientConfig to allow for setting key_log #308

wants to merge 2 commits into from

Conversation

graves
Copy link

@graves graves commented Sep 7, 2025

This addresses #286

It extends rustls::ClientConfig with a ClientConfigKeyLogExt to allow setting key_log on the ClientConfig as part of the builder pattern.

let tls_config = rustls::ClientConfig::builder()
  .with_native_roots()? 
  .with_no_client_auth()
  .with_key_log_file();

This seemed useful and looked like an easy addition so here it is. Writing a unit test seemed like more overhead than it was worth so I left it out but if you'd like a test just let me know.

Thanks!

@graves graves mentioned this pull request Sep 7, 2025
Closed
cpu
cpu approved these changes Sep 7, 2025
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I have some doc nits for consideration but the mechanics look good.

src/config.rs Outdated
Comment on lines 131 to 133
/// This sets `config.key_log` to a `KeyLogFile` which writes
/// to the path in the `SSLKEYLOGFILE` env var (if set). If the variable is
/// not set, it becomes a no-op.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is true for with_key_log_file(), but not for with_key_log() right? There's probably enough explanation on with_key_log_file() to remove this bit to avoid confusion.

src/config.rs
@@ -125,6 +126,37 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
}
}

/// Methods for enabling TLS key logging on a `ClientConfig`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd be tempted to put a warning after this headline similar to the one the Rusts docs have for KeyLog to emphasize this should be used carefully:

Secrets passed over the interface are extremely sensitive and can break the security of past, present and future sessions.

src/config.rs
fn with_key_log(self, key_log: Arc<dyn KeyLog>) -> Self;

// Enable NSS-style key logging to the file named by `SSLKEYLOGFILE`.
///
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe worth using the word "replace" somewhere here similar to the other fn to emphasize if you call with_key_log(...) and then with_key_log_file(...) it isn't setting up both, it's stomping the first.

@djc
Copy link
Member

djc commented Sep 8, 2025

I'm not sure this is worth doing? It seems like this would be easy enough to do using existing API, and I'm not sure how easy we want to make this?

@graves
Copy link
Author

graves commented Sep 9, 2025
edited
Loading

I understand where you're coming from but I feel like people building products that use TLS should have ergonomic access to the available APIs that let them debug their programs. I saw in the issue thread that you'd accept a PR so I opened one.

I can see myself using this as I continue to open PRs for rustls projects but again, I understand your concern and take no affront to you closing the issue and the PR.

@djc
Copy link
Member

djc commented Sep 9, 2025

Let's see what the other maintainers think...

@ctz ctz self-requested a review September 9, 2025 17:33
@ctz
Copy link
Member

ctz commented Sep 10, 2025

I feel like the the ergonomic builder-style API should be limited to things that we expect all users to make a decision on, and the less ergonomic and less discoverable setting-fields-on-ClientConfig-style API should be used for the rest. So in that way I don't really think we should do this.

In general I don't really want to put the keylog/SSLKEYLOGFILE stuff too far "forward" in the API. I've even been considering gating/defanging KeyLogFile on debug builds to follow the "MUST NOT" in https://tlswg.org/sslkeylogfile/draft-ietf-tls-keylogfile.html#name-applicability-statement

@djc djc closed this Sep 10, 2025
@djc
Copy link
Member

djc commented Sep 10, 2025

I saw in the issue thread that you'd accept a PR so I opened one.

Yeah, my thinking has evolved since then. Sorry for turning down your PR!

@graves
Copy link
Author

graves commented Sep 10, 2025

Hey, no problem, I'm here to make things better, not worse! Thanks for the review and information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpu cpu cpu approved these changes

@ctz ctz Awaiting requested review from ctz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@graves @djc @ctz @cpu