Hello folks,

Attached is a patch to add support for logging the secrets used in a TLS connection after psql is initialized. This adds a new env var SSLKEYLOGFILE on the client side that points to a text file where keys will be logged. If a user runs psql multiple times with the same SSLKEYLOGFILE, new entries will be appended to that file. There is no change in behavior if that env var is not set or is set to an empty string. This is useful for cases when a client wants to analyze TCP packets using a tool like wireshark while using TLS. This will enable wireshark to decrypt the packets and decode them as postgres wire protocol messages. I did not add this to the backend because I thought using wireshark is more common on the frontend.
The keylogfile format is documented here: https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html

Example usage:

root@guest:~/postgres# SSLKEYLOGFILE=./key.txt /usr/local/pgsql/bin/psql "postgresql://user:pass@host:5432/postgres?sslmode=require"
psql (18devel, server 17.2)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

postgres=> \q
root@guest:~/postgres# cat key.txt
SERVER_HANDSHAKE_TRAFFIC_SECRET ****
EXPORTER_SECRET ****
SERVER_TRAFFIC_SECRET_0 ****
CLIENT_HANDSHAKE_TRAFFIC_SECRET ***
CLIENT_TRAFFIC_SECRET_0 ****

A few things I am not sure about:

1. Where should I add automated tests and docs for this? I did not see any unit tests for the surrounding functions.
2. Should I use perror to report errors here? I did not want to use libpq_append_conn_error because this is not a connection-related error.

Please let me know if I can clarify anything.

--
Thanks and regards
Abhishek Chanda
0001-Add-support-for-dumping-SSL-keylog-to-a-file.patch
Description: Binary data
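A checker for the key log file format the patch writes, added here as an example; it is not the patch's or libpq's code, and the helper names and sample entries are constructed for illustration. It parses entries as "<LABEL> <client_random hex> <secret hex>" per the draft linked above and reports which handshakes give Wireshark enough material to decrypt application data, which is a quick way to confirm a key.txt is complete before sharing a capture.

```python
import re

# Labels from draft-thomson-tls-keylogfile (TLS 1.3) plus the TLS 1.2 CLIENT_RANDOM line.
KNOWN_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Decrypting TLS 1.3 application data in both directions needs both of these.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# Entry format: "<LABEL> <32-byte client_random as hex> <secret as whole bytes of hex>"
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return (sessions, errors); sessions maps client_random -> {label: secret}."""
    sessions, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are allowed
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed entry")
            continue
        label, client_random, secret = m.group(1), m.group(2).lower(), m.group(3).lower()
        if label not in KNOWN_LABELS:
            errors.append(f"line {lineno}: unknown label {label}")
        entry = sessions.setdefault(client_random, {})
        if entry.get(label, secret) != secret:   # same handshake, two different values
            errors.append(f"line {lineno}: conflicting {label} for one client_random")
        entry[label] = secret
    return sessions, errors

def decryptable_sessions(sessions):
    """client_random values whose application data this file lets Wireshark decrypt."""
    return sorted(cr for cr, s in sessions.items()
                  if "CLIENT_RANDOM" in s or TLS13_APP_LABELS.issubset(s))

# Constructed sample (not real key material): one complete TLS 1.3 handshake with a
# SHA-384 suite (48-byte secrets), one cut off after the handshake, one garbage line.
SAMPLE = "\n".join([
    "# constructed example file",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "01" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "02" * 48,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "03" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "04" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "06" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "07" * 48,
    "not a keylog line",
])
```

Because the file holds everything needed to decrypt the session, treat it like a private key: create it with restrictive permissions and delete it once the capture has been analyzed.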