IIUC not quite. There is an API, so the application that uses the library can get the keys. The application can then save it to a file, send it to a central repository, send it to the government, or whatever else it might want to do.
There is no built-in setting where OpenSSL writes the keys to a file, nor do applications such as web servers do this AFAIK. It should not be difficult to write, but is not provided in off-the-shelf software. Making the library send this in-band in some protocol extension is a far bigger endeavor. It’s also a dangerous switch to leave lying around.

> On 16 Mar 2018, at 0:16, Richard Barnes <r...@ipv.sx> wrote:
>
> Just to confirm that I understand the scope of the discussion here:
>
> - TLS libraries have facilities to export keys from the library
> - Obviously, it's possible to ship these exported keys elsewhere (`tail -f $SSLKEYLOGFILE | nc $LOGBOX`)
>
> So all we're really talking about is whether to define a way to do the shipment of the exported keys in-band to the TLS session.
>
>
> On Thu, Mar 15, 2018 at 3:05 PM, Salz, Rich <rs...@akamai.com> wrote:
> This is what OpenSSL provides:
>
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_keylog_callback.html
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
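The thread above talks about the keylog callback purely in the abstract: OpenSSL hands the application one NSS-format line per secret, and "writing it to a file" is left to the application. The block below is an added example (mine, not OpenSSL's, not the IETF's, and not code from anyone in the thread) showing what that application side looks like: a sink that does the file write with restrictive permissions, a parser/indexer for the lines so a capture can be matched by client random, and a check for whether secret export is switched on. It uses Python because the stdlib `ssl` module exposes the same OpenSSL callback as `SSLContext.keylog_filename` (Python 3.8+, OpenSSL 1.1.1+); the label set is the NSS key-log format. The key-log lines, the file name and the helper names are all constructed for illustration.

```python
"""Application-side handling of TLS key-log lines (NSS key-log format), the
kind OpenSSL's keylog callback delivers. Added example, not OpenSSL or IETF
code; every secret below is constructed, not a real session secret."""
import os
import re
import ssl
import tempfile

# Labels defined by the NSS key-log format. CLIENT_RANDOM carries a TLS 1.2
# master secret; the rest are TLS 1.3 traffic and exporter secrets.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_SECRET",
}
_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog_line(line):
    """Return (label, client_random_hex, secret_hex), or None for comments/junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE.match(line)
    if not m or m.group(1) not in KEYLOG_LABELS:
        return None
    label, client_random, secret = m.groups()
    if label == "CLIENT_RANDOM" and len(secret) != 96:  # 48-byte master secret
        return None
    return label, client_random.lower(), secret.lower()


def index_keylog(text):
    """Group secrets by client random, the value a capture's ClientHello carries."""
    index = {}
    for line in text.splitlines():
        parsed = parse_keylog_line(line)
        if parsed:
            label, client_random, secret = parsed
            index.setdefault(client_random, {})[label] = secret
    return index


def keylog_sink(path):
    """Build the function an application would register as its keylog callback.
    OpenSSL calls it with one NSS-format line per secret; Python wraps the same
    callback behind SSLContext.keylog_filename. The file is created 0600 because
    these lines decrypt every session they cover."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    f = os.fdopen(fd, "a")

    def cb(line):
        f.write(line.rstrip("\n") + "\n")
        f.flush()

    cb.close = f.close
    return cb


def keylogging_enabled(ctx=None, environ=None):
    """True if secrets would leave the process: SSLKEYLOGFILE is set (honoured by
    applications such as curl and Firefox, not by OpenSSL itself) or a context
    has keylog_filename configured. `environ` is injectable for testing."""
    environ = os.environ if environ is None else environ
    if environ.get("SSLKEYLOGFILE"):
        return True
    return bool(ctx is not None and getattr(ctx, "keylog_filename", None))


# Constructed sample: two sessions, one TLS 1.2 and one TLS 1.3, plus junk.
_CR1, _CR2 = "a1" * 32, "c3" * 32
CONSTRUCTED_KEYLOG = "\n".join([
    "# constructed sample, not real secrets",
    "CLIENT_RANDOM " + _CR1 + " " + "b2" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + _CR2 + " " + "d4" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + _CR2 + " " + "e5" * 32,
    "BOGUS_LABEL " + _CR2 + " " + "e5" * 32,  # unknown label: dropped by the parser
])


def demo(tmpdir=None):
    """Push the sample through the sink as OpenSSL would, read the file back,
    and return (permission bits, secrets indexed by client random)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sslkeylog.txt")  # hypothetical file name
    sink = keylog_sink(path)
    for line in CONSTRUCTED_KEYLOG.splitlines():
        sink(line)
    sink.close()
    mode = os.stat(path).st_mode & 0o777
    with open(path) as f:
        return mode, index_keylog(f.read())


if __name__ == "__main__":
    print(demo())
    print("export enabled:", keylogging_enabled(ssl.create_default_context()))
```

The indexer is what a "central repository" of the kind the reply mentions would need at minimum: given the client random from a captured ClientHello, it returns every secret logged for that session. `keylogging_enabled` is the check worth running in a hardened deployment, since the reply's point about a dangerous switch left lying around applies equally to an environment variable inherited by a child process.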