author | Timotej S <6674623+underhood@users.noreply.github.com> | 2022-12-14 10:31:34 +0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-14 10:31:34 +0700 |
commit | 5847aeadcce2ea03dba23fc7baabcd4d04dfecb9 (patch) | |
tree | 284f50fc9390cc494c3480f829797717f4475972 | |
parent | ac52d5de53804d336f2ab63d19aaa7c6a15ce028 (diff) |
expose ACLK SSL KeyLog interface for developers (#14109)
* add possibility to decrypt traffic for developers for debugging purposes
* requires netdata to be explicitly built with this feature enabled
-rw-r--r-- | Makefile.am | 4 | ||||
-rw-r--r-- | aclk/aclk.c | 37 | ||||
-rw-r--r-- | configure.ac | 11 |
3 files changed, 52 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 32b30b1a4c..3898d01fda 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -740,6 +740,10 @@ libmqttwebsockets_a_SOURCES = \
 libmqttwebsockets_a_CFLAGS = $(CFLAGS) -DMQTT_WSS_CUSTOM_ALLOC -DRBUF_CUSTOM_MALLOC -I$(srcdir)/aclk/helpers -I$(srcdir)/mqtt_websockets/c_rhash/include
+if MQTT_WSS_DEBUG
+libmqttwebsockets_a_CFLAGS += -DMQTT_WSS_DEBUG
+endif
+
 mqtt_websockets/src/mqtt_wss_client.$(OBJEXT) : CFLAGS += -Wno-unused-result
 ACLK_PROTO_DEFINITIONS = \
diff --git a/aclk/aclk.c b/aclk/aclk.c
index 8822fa816c..48013878b4 100644
--- a/aclk/aclk.c
+++ b/aclk/aclk.c
@@ -61,6 +61,26 @@ struct aclk_shared_state aclk_shared_state = {
 .mqtt_shutdown_msg_rcvd = 0
 };
+#ifdef MQTT_WSS_DEBUG
+#include <openssl/ssl.h>
+#define DEFAULT_SSKEYLOGFILE_NAME "SSLKEYLOGFILE"
+const char *ssl_log_filename = NULL;
+FILE *ssl_log_file = NULL;
+static void aclk_ssl_keylog_cb(const SSL *ssl, const char *line)
+{
+ (void)ssl;
+ if (!ssl_log_file)
+ ssl_log_file = fopen(ssl_log_filename, "a");
+ if (!ssl_log_file) {
+ error("Couldn't open ssl_log file (%s) for append.", ssl_log_filename);
+ return;
+ }
+ fputs(line, ssl_log_file);
+ putc('\n', ssl_log_file);
+ fflush(ssl_log_file);
+}
+#endif
+
 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
 OSSL_DECODER_CTX *aclk_dctx = NULL;
 EVP_PKEY *aclk_private_key = NULL;
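Review bot: The key log file is created by `fopen(ssl_log_filename, "a")` inside aclk_ssl_keylog_cb with the process umask, so under a typical 022 umask every local user who can traverse the log directory can read the TLS secrets OpenSSL hands to this callback and decrypt the ACLK traffic. Open the descriptor yourself with O_CREAT|O_APPEND and mode 0600 (plus O_NOFOLLOW, since the path comes from configuration) and wrap it with fdopen, as below; this needs <fcntl.h>, <sys/stat.h> and <unistd.h>, which the file's existing includes may already provide — I cannot see them from here. The new file-scope variables `ssl_log_filename` and `ssl_log_file` are only used in this file and should be `static`, and the guarded `#include <openssl/ssl.h>` belongs with the other includes at the top of the file. A comment above the callback such as `/* OpenSSL keylog callback (debug builds only): appends the secret lines OpenSSL passes; anyone holding this file can decrypt ACLK traffic */` makes the hazard explicit to the next maintainer.
```c
/* Create the key log owner-readable only; fopen() would honour the umask. */
static FILE *aclk_ssl_keylog_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "a");
    if (!f)
        close(fd);
    return f;
}

static void aclk_ssl_keylog_cb(const SSL *ssl, const char *line)
{
    (void)ssl;
    if (!ssl_log_file)
        ssl_log_file = aclk_ssl_keylog_open(ssl_log_filename);
    /* … unchanged: error on open failure, fputs/putc/fflush … */
}
```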
@@ -681,6 +701,18 @@ void *aclk_main(void *ptr)
 goto exit;
 }
+#ifdef MQTT_WSS_DEBUG
+ size_t default_ssl_log_filename_size = strlen(netdata_configured_log_dir) + strlen(DEFAULT_SSKEYLOGFILE_NAME) + 2;
+ char *default_ssl_log_filename = mallocz(default_ssl_log_filename_size);
+ snprintfz(default_ssl_log_filename, default_ssl_log_filename_size, "%s/%s", netdata_configured_log_dir, DEFAULT_SSKEYLOGFILE_NAME);
+ ssl_log_filename = config_get(CONFIG_SECTION_CLOUD, "aclk ssl keylog file", default_ssl_log_filename);
+ freez(default_ssl_log_filename);
+ if (ssl_log_filename) {
+ error_report("SSLKEYLOGFILE active (path:\"%s\")!", ssl_log_filename);
+ mqtt_wss_set_SSL_CTX_keylog_cb(mqttwss_client, aclk_ssl_keylog_cb);
+ }
+#endif
+
 // Enable MQTT buffer growth if necessary
 // e.g. old cloud architecture clients with huge nodes
 // that send JSON payloads of 10 MB as single messages
@@ -717,6 +749,11 @@ void *aclk_main(void *ptr)
 aclk_graceful_disconnect(mqttwss_client);
+#ifdef MQTT_WSS_DEBUG
+ if (ssl_log_file)
+ fclose(ssl_log_file);
+#endif
+
 exit_full: // Tear Down
 QUERY_THREAD_WAKEUP_ALL;
diff --git a/configure.ac b/configure.ac
index 5a39092414..53e673c2a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -213,6 +213,12 @@ AC_ARG_ENABLE(
 [enable_ml_tests="yes"],
 [enable_ml_tests="no"]
 )
+AC_ARG_ENABLE(
+ [aclk_ssl_debug],
+ [AS_HELP_STRING([--enable-aclk-ssl-debug], [Enables possibility for SSL key logging @<:@default no@:>@])],
+ [aclk_ssl_debug="yes"],
+ [aclk_ssl_debug="no"]
+)
 # -----------------------------------------------------------------------------
 # Enforce building with C99, bail early if we can't.
@@ -713,6 +719,11 @@ if test "${with_bundled_protobuf}" != "no"; then
 fi
 fi
+AM_CONDITIONAL([MQTT_WSS_DEBUG], [test "${aclk_ssl_debug}" = "yes"])
+if test "${aclk_ssl_debug}" = "yes"; then
+ AC_DEFINE([MQTT_WSS_DEBUG], [1], [ACLK SSL allow debugging])
+fi
+
 if test "${with_bundled_protobuf}" != "yes"; then
 PKG_CHECK_MODULES(
 [PROTOBUF], |
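Review bot: Because the config default for "aclk ssl keylog file" is a real path under the log directory, every build that defines MQTT_WSS_DEBUG starts logging TLS secrets as soon as aclk_main reaches this block, and the `if (ssl_log_filename)` guard gives the operator no runtime way to switch that off — assuming config_get returns the supplied default when the key is absent, which I cannot see from here. Treat an empty value as disabled, `if (ssl_log_filename && *ssl_log_filename) {`, so a debug build can be run without a key log on disk. Document the knob where it is read, e.g. `// "aclk ssl keylog file": where TLS secrets are appended (debug builds only); set it empty to disable`. aclk_main starts and ends outside this hunk.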
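Review bot: The help string `Enables possibility for SSL key logging` in the new AC_ARG_ENABLE does not say what the option costs, and here that matters because the resulting binary can write TLS session secrets to disk; say so, e.g. `[build the ACLK TLS key-log hook for debugging; the binary can write session secrets to disk @<:@default no@:>@]`. The option is `--enable-aclk-ssl-debug` while the conditional and macro it drives are both `MQTT_WSS_DEBUG`, so a reader has to follow the chain through Makefile.am to connect them; a comment above the AC_ARG_ENABLE, `# --enable-aclk-ssl-debug defines MQTT_WSS_DEBUG, consumed by aclk/aclk.c and Makefile.am`, closes that gap. In the second hunk the AC_DEFINE description `ACLK SSL allow debugging` would read better as `Build the ACLK TLS key-log hook (debug only)`.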