5

Where is SSLKEYLOGFILE defined?

As discussed above, SSLKEYLOGFILE can be used with some program to capture the key log.

But Java programs using TLS do not respect this environment variable. What is the correct way to let such a Java program dump the key log? (I think Java program most likely uses the following package for TLS. But I am not completely sure.)

https://hc.apache.org/httpcomponents-core-4.4.x/current/httpcore/apidocs/org/apache/http/ssl/package-summary.html

Olaf Kock
  • 46,930
  • 8
  • 59
  • 90
user1424739
  • 11,937
  • 17
  • 63
  • 152
  • 1
    I can’t speak for Apache libraries, but core Java [uses the javax.net.debug system property](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug). – VGR Dec 06 '21 at 00:35
  • The java program I try to inspect is started by JavaApplicationStub. It sounds that using some options for the java binary is not applicable in this case. But if you know an alternative way to somehow specify an option for TSL debugging when JavaApplicationStub is used, it is also fine. – user1424739 Dec 06 '21 at 00:57

2 Answers2

5

As suggested by this wireshark topic, there exists a Java agent that can provide the same functionality: https://github.com/neykov/extract-tls-secrets.

I tested it by providing the agent in the command line and it works for my use-case (TLS v1.3)

botismarius
  • 2,977
  • 2
  • 30
  • 29
1

All versions of Apache HttpClient use the standard JSSE framework for their TLS transport security. Please refer to the JSSE documentation for details on SSL/TLS debug logging (per @VGR original suggestion)

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

ok2c
  • 26,450
  • 5
  • 63
  • 71