summaryrefslogtreecommitdiffstats
path: root/dev/sslkeylogger
diff options
context:
space:
mode:
Diffstat (limited to 'dev/sslkeylogger')
-rw-r--r--dev/sslkeylogger/sslkeylogger.lua47
1 files changed, 47 insertions, 0 deletions
diff --git a/dev/sslkeylogger/sslkeylogger.lua b/dev/sslkeylogger/sslkeylogger.lua
new file mode 100644
index 0000000..e67bf77
--- /dev/null
+++ b/dev/sslkeylogger/sslkeylogger.lua
@@ -0,0 +1,47 @@
+--[[
+ This script can be used to decipher SSL traffic coming through haproxy. It
+ must first be loaded in the global section of haproxy configuration with
+ TLS keys logging activated :
+
+ tune.ssl.keylog on
+ lua-load sslkeylogger.lua
+
+ Then a http-request rule can be inserted for the desired frontend :
+ http-request lua.sslkeylog <path_to_keylog_file>
+
+ The generated keylog file can then be injected into wireshark to decipher a
+ network capture.
+]]
+
+local function sslkeylog(txn, filename)
+ local fields = {
+ CLIENT_EARLY_TRAFFIC_SECRET = function() return txn.f:ssl_fc_client_early_traffic_secret() end,
+ CLIENT_HANDSHAKE_TRAFFIC_SECRET = function() return txn.f:ssl_fc_client_handshake_traffic_secret() end,
+ SERVER_HANDSHAKE_TRAFFIC_SECRET = function() return txn.f:ssl_fc_server_handshake_traffic_secret() end,
+ CLIENT_TRAFFIC_SECRET_0 = function() return txn.f:ssl_fc_client_traffic_secret_0() end,
+ SERVER_TRAFFIC_SECRET_0 = function() return txn.f:ssl_fc_server_traffic_secret_0() end,
+ EXPORTER_SECRET = function() return txn.f:ssl_fc_exporter_secret() end,
+ EARLY_EXPORTER_SECRET = function() return txn.f:ssl_fc_early_exporter_secret() end
+ }
+
+ local client_random = txn.c:hex(txn.f:ssl_fc_client_random())
+
+ -- ensure that a key is written only once by using a session variable
+ if not txn:get_var('sess.sslkeylogdone') then
+ local file, err = io.open(filename, 'a')
+ if file then
+ for fieldname, fetch in pairs(fields) do
+ if fetch() then
+ file:write(string.format('%s %s %s\n', fieldname, client_random, fetch()))
+ end
+ end
+ file:close()
+ else
+ core.Warning("Cannot open SSL log file: " .. err .. ".")
+ end
+
+ txn:set_var('sess.sslkeylogdone', true)
+ end
+end
+
+core.register_action('sslkeylog', { 'http-req' }, sslkeylog, 1)