So what’s the flag in openssl.conf that makes it generate a file with all the keys? There isn’t one. I guess the presumption is that if there was an RFC it would be easier to get the powers that be to make it happen. It likely needs to be in the main branch to be ubiquitous, because many products come with their own OpenSSL package.
TBH I don’t think an RFC would have that effect. Not every RFC gets implemented.

> On 15 Mar 2018, at 13:38, Hubert Kario <hka...@redhat.com> wrote:
>
> On Thursday, 15 March 2018 05:51:31 CET Yoav Nir wrote:
>> At the risk of stating the obvious, it’s because server owners want to use
>> the same OpenSSL, NSS, SChannel, or whatever you call the Java library that
>> everybody else uses. They’re all widely used, actively maintained, and
>> essentially free.
>>
>> None of these libraries support any of this functionality.
>
> huh? Sure, it is not nicely packaged to allow integration with 3rd party
> systems, and sometimes disabled by default, but it's hardly missing...
>
> https://github.com/openssl/openssl/pull/1646
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=393477
>
>>> On 15 Mar 2018, at 2:16, Watson Ladd <watsonbl...@gmail.com> wrote:
>>>
>>> One can either use a static DH share, save the ephemerals on the
>>> servers and export them, or log all the data on the servers.
>>>
>>> These options don't require any change to the wire protocol: they just
>>> require vendors supporting them. Why don't they meet the needs cited?
>>>
>>> Sincerely,
>>> Watson
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
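The thread points at the NSS Key Log Format as the mechanism the existing libraries already implement. Anyone who deploys such logging on a server needs a way to check what the log actually contains (which sessions, which TLS version, whether every line is well formed) before handing it to a decryption or audit tool. The following parser is an added example written for this page; it is not code from the thread's participants, from OpenSSL or from NSS. It implements the label and field-length rules of that format as published by Mozilla, and the sample key log it parses is constructed filler, not a real capture.

```python
"""Validate and summarise a key log file in the NSS Key Log Format (added example)."""
import re
from dataclasses import dataclass, field

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Labels from the NSS Key Log Format document. CLIENT_RANDOM carries the
# 48-byte master secret of a TLS 1.2 (or older) session; the TLS 1.3 labels
# carry hash-length secrets (32 bytes for SHA-256 suites, 48 for SHA-384).
# The legacy "RSA" label (8-byte encrypted-premaster prefix) is deliberately
# rejected here as obsolete.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
}


@dataclass
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


@dataclass
class Session:
    """All secrets logged for one handshake, keyed by the 32-byte client random."""
    client_random: bytes
    entries: dict = field(default_factory=dict)  # label -> secret bytes

    @property
    def version(self) -> str:
        if any(label in TLS13_LABELS for label in self.entries):
            return "TLS 1.3"
        if "CLIENT_RANDOM" in self.entries:
            return "TLS 1.2 or earlier"
        return "unknown"


def parse_line(line: str):
    """Return a KeyLogEntry, None for blank/comment lines, or raise ValueError."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    label, rand_hex, secret_hex = parts
    if label not in TLS12_LABELS | TLS13_LABELS:
        raise ValueError(f"unknown label {label!r}")
    if not _HEX.match(rand_hex) or len(rand_hex) != 64:
        raise ValueError("client random must be 32 bytes of hex")
    if not _HEX.match(secret_hex) or len(secret_hex) % 2:
        raise ValueError("secret must be an even-length hex string")
    secret = bytes.fromhex(secret_hex)
    expected = {48} if label == "CLIENT_RANDOM" else {32, 48}
    if len(secret) not in expected:
        raise ValueError(f"{label}: secret length {len(secret)} not in {sorted(expected)}")
    return KeyLogEntry(label, bytes.fromhex(rand_hex), secret)


def is_well_formed(line: str) -> bool:
    """True if the line is a valid entry, a comment or blank."""
    try:
        parse_line(line)
        return True
    except ValueError:
        return False


def parse_keylog(text: str) -> dict:
    """Parse a whole key log; returns {client_random: Session}. Raises on the first bad line."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is None:
            continue
        session = sessions.setdefault(entry.client_random, Session(entry.client_random))
        session.entries[entry.label] = entry.secret
    return sessions


def summarize(sessions: dict) -> list:
    """One record per session, sorted by client random, without the secrets themselves."""
    return [
        {"client_random": cr.hex(), "version": s.version, "labels": sorted(s.entries)}
        for cr, s in sorted(sessions.items())
    ]


# Constructed sample (not a real capture): client randoms and secrets are filler bytes.
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log for demonstration",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "11" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "44" * 32,
    "EXPORTER_SECRET " + "cc" * 32 + " " + "55" * 32,
])

if __name__ == "__main__":
    for record in summarize(parse_keylog(SAMPLE_KEYLOG)):
        print(record)
```

The summary deliberately omits the secret bytes, so it can be shared with whoever reviews the logging deployment without copying the keys around; the file itself is, of course, as sensitive as the private keys it stands in for, which is the crux of the thread's disagreement.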