Skip to content

feat: enable TLS key logging via SSLKEYLOGFILE env #3173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chenBright merged 2 commits into from
Jan 5, 2026
Merged

feat: enable TLS key logging via SSLKEYLOGFILE env #3173

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1e6bba1
feat: enable TLS key logging via SSLKEYLOGFILE env
koarz Dec 16, 2025
6ea77c7
fix
koarz Dec 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions src/brpc/details/ssl_helper.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,14 @@


#include "brpc/ssl_options.h"
#include "butil/files/scoped_file.h"
#include <openssl/bio.h>
#ifndef USE_MESALINK

#include <sys/socket.h> // recv
#include <pthread.h> // pthread_once
#include <stdio.h> // fopen
#include <stdlib.h> // getenv
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
Expand Down Expand Up @@ -185,6 +189,47 @@ static void SSLMessageCallback(int write_p, int version, int content_type,
#endif // TLS1_RT_HEARTBEAT
}

#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x10101000L)
static pthread_once_t g_ssl_keylog_once = PTHREAD_ONCE_INIT;
static FILE* g_ssl_keylog_file = NULL;

static void InitSSLKeyLogFile() {
const char* path = getenv("SSLKEYLOGFILE");
if (path == NULL || path[0] == '\0') {
return;
}
g_ssl_keylog_file = fopen(path, "ae");
if (g_ssl_keylog_file == NULL) {
PLOG(WARNING) << "Fail to open SSLKEYLOGFILE=" << path;
} else {
setvbuf(g_ssl_keylog_file, NULL, _IOLBF, 0);
LOG(WARNING) << "SSLKEYLOGFILE is enabled (path: " << path << "). "
<< "Sensitive TLS session keys will be written to this file. "
<< "This feature is intended for debugging only and should NOT be used in production environments.";
}
}

static void SSLKeyLogCallback(const SSL* ssl, const char* line) {
(void)ssl;
if (line == NULL || g_ssl_keylog_file == NULL) {
return;
}
// Write the full key log line with newline in one call to keep output atomic.
fprintf(g_ssl_keylog_file, "%s\n", line);
}

static void MaybeSetKeyLogCallback(SSL_CTX* ctx) {
pthread_once(&g_ssl_keylog_once, InitSSLKeyLogFile);
if (ctx != NULL && g_ssl_keylog_file != NULL) {
SSL_CTX_set_keylog_callback(ctx, SSLKeyLogCallback);
}
}
#else
static void MaybeSetKeyLogCallback(SSL_CTX* ctx) {
(void)ctx;
}
#endif

#ifndef OPENSSL_NO_DH
static DH* SSLGetDHCallback(SSL* ssl, int exp, int keylen) {
(void)exp;
Expand Down Expand Up @@ -494,6 +539,7 @@ SSL_CTX* CreateClientSSLContext(const ChannelSSLOptions& options) {
LOG(ERROR) << "Fail to new SSL_CTX: " << SSLError(ERR_get_error());
return NULL;
}
MaybeSetKeyLogCallback(ssl_ctx.get());

if (!options.client_cert.certificate.empty()
&& LoadCertificate(ssl_ctx.get(),
Expand Down Expand Up @@ -532,6 +578,7 @@ SSL_CTX* CreateServerSSLContext(const std::string& certificate,
LOG(ERROR) << "Fail to new SSL_CTX: " << SSLError(ERR_get_error());
return NULL;
}
MaybeSetKeyLogCallback(ssl_ctx.get());

if (LoadCertificate(ssl_ctx.get(), certificate,
private_key, hostnames) != 0) {
Expand Down
Loading