tls: openssl: add runtime enable/disable API for SSL key logging #3556

Open
VaibhavTekale1 wants to merge 1 commit into warmcat:main from VaibhavTekale1:feat/sslkeylogging-runtime-enable-disable

Conversation

VaibhavTekale1 commented Mar 17, 2026

@lws-team

Summary

Add two new public APIs to enable and disable SSL key logging (SSLKEYLOGFILE)
at runtime, without requiring a context rebuild.

Previously, the keylog callback was only registered if keylog_file was set
at context creation time (lws_context_creation_info). This made it impossible
to toggle key logging on an already-running context.

Changes

New public APIs (include/libwebsockets/lws-context-vhost.h)

  • lws_set_keylog_file(struct lws *wsi, char *sslkeyfilepath)
    Enables SSL key logging. If sslkeyfilepath is non-empty, that path is used;
    otherwise the SSLKEYLOGFILE environment variable is consulted. The resolved
    path is written into wsi->a.context->keylog_file.

  • lws_reset_keylog_file(struct lws *wsi)
    Disables SSL key logging by clearing wsi->a.context->keylog_file.

TLS callback registration (lib/tls/openssl/)

  • openssl-client.c, openssl-server.c: SSL_CTX_set_keylog_callback() is
    now registered unconditionally (subject to LWS_HAVE_SSL_CTX_set_keylog_callback
    and LWS_WITH_TLS). The lws_klog_dump callback itself gates on whether
    keylog_file is set, so logging only occurs when explicitly enabled via the
    new APIs.

  • Simplified the preprocessor condition in openssl-server.c from
    (!defined(LWS_WITHOUT_CLIENT) || !defined(LWS_WITHOUT_SERVER)) to just
    defined(LWS_WITH_TLS), which is the meaningful guard for this code path.

lws-team (Member) commented:

  1. This looks very wrong, a long env var value will buffer overflow keylog_file

    if (NULL != klfl_env && strlen(klfl_env) > 1) {
        lws_strncpy(wsi->a.context->keylog_file, klfl_env,
                    strlen(klfl_env) + 1);
    }

  2. Why don't you just have one api, and set the filepath to NULL to do what you "reset" api does?

  3. Why do the apis you propose take a wsi and operate on the context? You should take a pointer to the context?

  4. Why do the apis you propose operate on the context anyway? The app may have many vhosts, shouldn't we be trying to turn this on and off per vhost?

  5. Why did you change this? It shouldn't break anything to have it and may break things to remove it

    #if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && \
        defined(LWS_WITH_TLS) && (!defined(LWS_WITHOUT_CLIENT) || !defined(LWS_WITHOUT_SERVER))

    #if defined(LWS_HAVE_SSL_CTX_set_keylog_callback) && defined(LWS_WITH_TLS)

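A hardened form of the setter under review, as an added example that is not code from the PR or from libwebsockets: it bounds the copy by the destination buffer (review point 1), uses one API where a NULL or empty path means "fall back to SSLKEYLOGFILE, else disable" (point 2), and takes the context directly instead of a wsi (point 3). The ctx_model struct and its 32-byte buffer, the model_strncpy stand-in for lws_strncpy, and the swappable keylog_getenv lookup are constructed assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the field the PR writes; real lws layout and buffer
 * size are assumptions here, not taken from the project. "" = logging off. */
#define KEYLOG_PATH_MAX 32
struct ctx_model { char keylog_file[KEYLOG_PATH_MAX]; };

/* Swappable env lookup so the fallback can be exercised offline. */
char *(*keylog_getenv)(const char *name) = getenv;

/* lws_strncpy-style copy (at most size-1 bytes, NUL-terminated). `size` must
 * be the DESTINATION size; the PR passed strlen(src)+1, a source-derived bound. */
static char *model_strncpy(char *dest, const char *src, size_t size)
{
	strncpy(dest, src, size - 1);
	dest[size - 1] = '\0';
	return dest;
}

/* Single API (context, not wsi): NULL/"" falls back to SSLKEYLOGFILE; unset
 * there too turns logging off. -1 and buffer untouched if path will not fit. */
int set_keylog_file(struct ctx_model *ctx, const char *path)
{
	if (!path || !*path)
		path = keylog_getenv("SSLKEYLOGFILE");
	if (!path || !*path) {
		ctx->keylog_file[0] = '\0';
		return 0;
	}
	if (strlen(path) >= sizeof(ctx->keylog_file))
		return -1;
	model_strncpy(ctx->keylog_file, path, sizeof(ctx->keylog_file));
	return 0;
}

static char *env_unset(const char *n) { (void)n; return NULL; }

/* Explicit path, overlong rejection, then NULL with no env var set;
 * returns 1 only if all three behave as intended. */
int self_check(void)
{
	struct ctx_model c = { "" };
	const char *big = "/a/path/that/is/longer/than/the/keylog/buffer/allows.log";
	if (set_keylog_file(&c, "/tmp/keys.log") || strcmp(c.keylog_file, "/tmp/keys.log"))
		return 0;
	if (set_keylog_file(&c, big) != -1 || strcmp(c.keylog_file, "/tmp/keys.log"))
		return 0;
	keylog_getenv = env_unset;
	return set_keylog_file(&c, NULL) == 0 && c.keylog_file[0] == '\0';
}
```

Rejecting an overlong path outright, rather than truncating it, avoids silently logging keys to a path the caller never asked for.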