Optionally log master secrets for TLS connections

[jsha]

Sometimes it's necessary to decrypt your own TLS connections to debug their contents. Wireshark supports this quite nicely with its decryption feature. For non-DH key agreement, you simply provide the private key of the server. However, for DH key agreement, or when you are acting only as a client, that doesn't work. Firefox and Chrome support the environment variable SSLKEYLOGFILE to write the master secrets used to a file, for decryption by Wireshark. It would be great to support this or a similar mechanism for logging master secrets in Node.

Key log format: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
Helpful Stack Exchange howto: https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites/42350#42350
Wireshark decryption docs: https://wiki.wireshark.org/SSL

(reposted from nodejs/node-convergence-archive#59).

[silverwind]

As this would basically throw out all security, the only way I see for a feature like that would be a compile-time option.

[jsha]

I think a compile-time option would satisfy the use case for this reasonably well, though it would be less convenient than the environment variable used by Firefox and Chrome.

I don't understand why you say this would throw out all security, though. The contents of the TLS connection are known to both endpoints, including the Node endpoint on which you would add this debugging variable when needed. This just allows the developer who runs the Node endpoint to store extra data about that connection. The idea is not that you would leave this on permanently in any production system.

[silverwind]

I'm thinking more of a scenario where a compromised server could be modified to provide these secrets to the attacker, while still serving the application. An attacker could for example modify the environment variables and force a restart on the node process.

I'm not really sure the benefits outweigth the risks here. Couldn't you just run a MITM proxy for your debugging needs?

[jsha]

compromised server could be modified to provide these secrets to the attacker, while still serving the application

This is entirely possible today. Anyone with access to the Node process' memory can exfiltrate key material.

I'm not really sure the benefits outweigth the risks here. Couldn't you just run a MITM proxy for your debugging needs?

For debugging of HTTP applications this is generally sufficient. But for debugging HTTP protocol issues, or especially HTTP/2 protocol issues, a proxy would not show the necessary information. The need for this flag came up for me specifically when trying to debug issues using HTTP/2 as a client against a remote server. The client knows the session key by definition, so allowing it to be (optionally) logged merely enables better debugging.

[silverwind]

Well, maybe a runtime flag could be done. I'm a bit more comfortable with a flag than a mere environment variable ;)

[jsha]

Yep, a runtime flag would be great too! I only suggested the env variable for similarity with Firefox and Chrome.

[jorangreef]

Sorry, but this is a terrible idea. It's a massive accident just waiting to happen. It opens so many possible attack vectors. If anyone needs to do this kind of thing they should just modify Node themselves.

[jsha]

@jorangreef: Can you go into more detail about the attack vectors or accidents you forsee? Keep in mind that this has been an option in Firefox and Chrome for many years and I have not heard a single example of anyone being compromised by it.

If I may guess a little: It sounds like you and @silverwind are most concerned by server operators misusing this flag. I think the most important debugging is is in TLS client code: if you control the server, you can force negotiation with a non-forward secret cipher, and since you also possess the private key, that allows the necessary analysis. However, for the client, there is no such option: the server controls the cipher negotiation and the private key.

Would you be less worried about accidental misuse of a flag that affects TLS clients only, and not servers?

[jorangreef]

@jsha there's probably an endless combination of attack vectors that an option to log the master key would support. But even if there's just one vector, that's enough, and @silverwind has already given a few.

Chrome and Firefox are desktop applications so the security threats are different.

I think your use-case would be solved if your Javascript could access the key from the actual TLS client instance directly, i.e. it's not necessary to ask Node to log it (via env flag or compile flag). But even then, it should only be exposed as a property by the instance if an option is explicitly provided.

Something like this should err on the side of being very difficult to do.

[lxe]

+1 This feature would immensely help with debugging.

I'm not really sure the benefits outweigth the risks here. Couldn't you just run a MITM proxy for your debugging needs?

Not at all. There are heisenbugs that require delicate and specific environment, and altering network flow with MITM proxies makes debugging impossible.

[larryboymi]

+1 ...
Realize it seems like more could happen server-side with exposure of client secrets, but this would immensely help debugging encrypted traffic.

If an attacker is able to get to the running process and manipulate it, the possibilities range widely regardless.

Java exposes via logging key parts which can be consumed by wireshark with a little manipulation. I know node is not java.

[tgvarik]

Wireshark >=1.6.0 supports NSS-format log files giving the session ID and master key in the following format:

RSA Session-ID:<32-byte session ID, hex encoded> Master-Key:<48-byte master key, hex encoded>

Both the session ID and master key can be obtained with TLSSocket.prototype.getSession(), which returns a DER-encoded ASN.1 structure described in ssl.h.

So just do something like this:

https.request(opts, cb)
.once('socket', (s) => {
  s.once('secureConnect', () =>
    let session = parseSession(s.getSession());
    // session.sessionId and session.masterKey should be hex strings
    fs.appendFileSync('sslkeylog.log', `RSA Session-ID:${session.sessionId} Master-Key:${session.masterKey}\n`);
  });
});

This works very well for me in Wireshark 2.2.4. How thoroughly to parse the session buffer is up to you, but even something as barebones as this will work in most cases:

function parseSession(buf) {
  return {
    sessionId: buf.slice(17, 17+32).toString('hex'),
    masterKey: buf.slice(51, 51+48).toString('hex')
  };
}