Hi all, SSLKEYLOGFILE is immensely valuable capability for diagnostics and troubleshooting. Ability to use tools such as Wireshark to look into decrypted packets is very powerful for accessing "the ground truth" of what is happening on the wire to troubleshoot issues in modern complex protocol stacks.
Successfully negotiated Encrypted Client Hello adds new requirements for diagnostic tools to get visibility into the resulting ClientHello as well as the subsequent TLS flow. We submitted a very short draft to introduce two new fields into SSLKEYLOGFILE to address these requirements: ECH_SECRET (shared secret from ECH HPKE key schedule) and ECH_CONFIG (EchConfig that was used for construction of the ECH). To demonstrate viability of the proposal we have prepared three prototypes implementing it in popular tools: - BoringSSL (https://github.com/yaroslavros/boringssl-echkeylog) - NSS (https://github.com/yaroslavros/nss-echkeylog) - Wireshark (https://github.com/yaroslavros/wireshark-echkeylog) Sample PCAPs (accepted, rejected, with and without HRR) and corresponding SSLKEYLOGFILE is available at https://github.com/yaroslavros/ech-keylog-pcaps Would be great to get any feedback from the group on this challenge and the proposed solution. Best Regards, Yaroslav ---------- Forwarded message --------- From: <internet-dra...@ietf.org> Date: Sat, Jul 6, 2024 at 11:24 PM Subject: New Version Notification for draft-rosomakho-tls-ech-keylogfile-00.txt To: Hannes Tschofenig <hannes.tschofe...@gmx.net>, Yaroslav Rosomakho < yrosoma...@zscaler.com> A new version of Internet-Draft draft-rosomakho-tls-ech-keylogfile-00.txt has been successfully submitted by Yaroslav Rosomakho and posted to the IETF repository. Name: draft-rosomakho-tls-ech-keylogfile Revision: 00 Title: SSLKEYLOGFILE Extension for Encrypted Client Hello (ECH) Date: 2024-07-06 Group: Individual Submission Pages: 6 URL: https://www.ietf.org/archive/id/draft-rosomakho-tls-ech-keylogfile-00.txt Status: https://datatracker.ietf.org/doc/draft-rosomakho-tls-ech-keylogfile/ HTML: https://www.ietf.org/archive/id/draft-rosomakho-tls-ech-keylogfile-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-rosomakho-tls-ech-keylogfile Abstract: This document specifies an extension to the SSLKEYLOGFILE format to support the logging of information about Encrypted Client Hello (ECH) related secrets. Two new labels are introduced, namely ECH_SECRET and ECH_CONFIG, which log the Hybrid Public Key Encryption (HPKE)- derived shared secret and the ECHConfig used for the ECH, respectively. This extension aims to facilitate debugging of TLS connections employing ECH. The IETF Secretariat
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
