# Decrypting TLS 1.3 on the server side (apache24)



## urameshi (Jun 18, 2021)

Hello,
on CentOS 8, mod_ssl has a function that stores pre-master secret keys in a file, and I load this file into Wireshark and decrypt stored traffic over TLS 1.3. It's simple: I set an environment variable called "SSLKEYLOGFILE" in the systemd unit of Apache, so it works on CentOS 8. But it does not work on FreeBSD. I tried putting the SSLKEYLOGFILE variable into the rc script for Apache (/usr/local/etc/rc.d/apache24), and when I restart Apache and load a web page, the SSLKEYLOG file is created but the file is empty. I tried comparing mod_ssl on FreeBSD and on CentOS 8:

CentOS 8:

```
# strings mod_ssl.so | grep -i "mod_ssl\/"
mod_ssl/2.4.37

# strings mod_ssl.so | grep -i "sslkeylogfile"
SSLKEYLOGFILE
AH10226: Could not open log file '%s' configured via SSLKEYLOGFILE
```

FreeBSD 12.2:

```
# strings mod_ssl.so | grep -i "mod_ssl\/"
Amod_ssl/2.4.48

# strings mod_ssl.so | grep -i "sslkeylogfile"
NOTHING
```

Is it possible that mod_ssl on FreeBSD 12.2 does not have a function for logging pre-master secret keys? Do you have any idea how I can decrypt TLS 1.3 on FreeBSD with apache24?
Thanks.


----------



## SirDice (Jun 18, 2021)

urameshi said:


> I set an environment variable called "SSLKEYLOGFILE" in the systemd unit of Apache, so it works on CentOS 8


That isn't a standard environment variable for mod_ssl


mod_ssl - Apache HTTP Server Version 2.4 (httpd.apache.org)

After a bit of digging, this is actually a feature of OpenSSL: SSL_CTX_set_keylog_callback(3).
It mentions that applications can use this for debugging purposes, which is likely why this isn't turned on by default on FreeBSD (it's rather a big deal if you leak your keys in a production environment). So you probably have to build www/apache24 from ports with the DEBUG option set.



urameshi said:


> I tried putting the SSLKEYLOGFILE variable into the rc script for Apache (/usr/local/etc/rc.d/apache24)


Don't edit that file (never edit any of the rc(8) files!). That's not where you set environment variables for Apache. Use `apache24_envvars` in /etc/rc.conf.
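The file the OpenSSL keylog callback writes (and the one Wireshark reads) is the NSS key log format: one `LABEL client_random secret` line per secret, where TLS 1.3 logs separate handshake and application traffic secrets per direction instead of TLS 1.2's single `CLIENT_RANDOM` line. Added example, not from this thread or from mod_ssl: a Python checker that parses such a file and reports, per handshake, whether the full TLS 1.3 secret set is present; all sample values are constructed, and an empty file (the symptom in the question) simply yields no sessions.

```python
"""Audit an NSS-format TLS key log (what SSLKEYLOGFILE writes and Wireshark reads). Added example, not mod_ssl code."""
import re
# Labels OpenSSL's keylog callback emits per TLS 1.3 handshake; TLS 1.2 logs one CLIENT_RANDOM line instead.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
TLS12_LABEL = "CLIENT_RANDOM"
# <label> <32-byte client_random, hex> <secret, hex: 32 bytes for SHA-256 suites, 48 for SHA-384>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]{64}|[0-9a-fA-F]{96})$")

def parse_keylog(text):
    """Return (entries, bad_line_numbers); entries are (label, client_random, secret)."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are permitted by the format
        m = LINE_RE.match(line)
        if m is None:
            bad.append(lineno)
        else:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries, bad

def classify_sessions(entries):
    # Group by client_random and say whether Wireshark has enough to decrypt each session.
    labels = {}
    for label, rnd, _secret in entries:
        labels.setdefault(rnd, set()).add(label)
    status = {}
    for rnd, seen in labels.items():
        if TLS13_REQUIRED <= seen:
            status[rnd] = "tls13-complete"
        elif seen - {TLS12_LABEL}:
            status[rnd] = "tls13-partial"  # a TLS 1.3 session with secrets missing
        else:
            status[rnd] = "tls12"
    return status

# Constructed sample, not a real capture: randoms and secrets are repeated fake bytes.
R1, R2, S32, S48 = "aa" * 32, "bb" * 32, "01" * 32, "02" * 48
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    f"CLIENT_RANDOM {R1} {S48}",                    # TLS 1.2 session
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R2} {S32}",  # TLS 1.3 session with all four secrets
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R2} {S32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {S32}",
    f"SERVER_TRAFFIC_SECRET_0 {R2} {S32}",
    "CLIENT_RANDOM deadbeef tooshort",              # malformed: wrong field lengths
])
```

Run it against the real SSLKEYLOGFILE to see whether the server logged anything at all and, if so, whether the TLS 1.3 entries are complete rather than only a TLS 1.2 CLIENT_RANDOM.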


----------



## urameshi (Jun 18, 2021)

SirDice said:


> That isn't a standard environment variable for mod_ssl
> 
> 
> 
> ...


What does that mean? mod_ssl depends on OpenSSL, so is it possible to set it to store to a file? I didn't find any option in /etc/ssl/openssl.cnf or anywhere in Apache.



SirDice said:


> Don't edit that file (never edit any of the rc(8) files!). That's not where you set environment variables for Apache. Use `apache24_envvars` in /etc/rc.conf.


Now I use /etc/rc.conf.

Thank you for the answer.


----------



## SirDice (Jun 18, 2021)

urameshi said:


> What does that mean? mod_ssl depends on OpenSSL, so is it possible to set it to store to a file? I didn't find any option in /etc/ssl/openssl.cnf or anywhere in Apache.


I added some extra information later on:


SirDice said:


> It mentions that applications can use this for debugging purposes, which is likely why this isn't turned on by default on FreeBSD (it's rather a big deal if you leak your keys in a production environment). So you probably have to build www/apache24 from ports with the DEBUG option set.


----------



## covacat (Jun 18, 2021)

I think you either need this https://github.com/bozzzzo/sslkeylog and preload it for the Apache process,
or this https://gist.github.com/schierlm/fef3d79818f5561cd87991c89b81122f to patch mod_ssl itself.

If you just need something simple, you could reverse proxy all HTTPS requests to the same vhost non-SSL on a local interface and tcpdump in between.


----------



## SirDice (Jun 18, 2021)

Yeah, you should also keep in mind that RedHat (and thus CentOS) typically has a lot of custom patches on _everything_.


----------



## urameshi (Jun 21, 2021)

SirDice said:


> I added some extra information later on:





SirDice said:


> After a bit of digging, this is actually a feature of OpenSSL: SSL_CTX_set_keylog_callback(3).
> It mentions that applications can use this for debugging purposes, which is likely why this isn't turned on by default on FreeBSD (it's rather a big deal if you leak your keys in a production environment). So you probably have to build www/apache24 from ports with the DEBUG option set.


I tried reinstalling apache24 with the LOG_DEBUG option, but it does not work; it does not store the pre-master keys to the file.



SirDice said:


> Yeah, you should also keep in mind that RedHat (and thus CentOS) typically has a lot of custom patches on _everything_.


Yes, I agree.



covacat said:


> I think you either need this https://github.com/bozzzzo/sslkeylog and preload it for the Apache process,
> or this https://gist.github.com/schierlm/fef3d79818f5561cd87991c89b81122f to patch mod_ssl itself.
>
> If you just need something simple, you could reverse proxy all HTTPS requests to the same vhost non-SSL on a local interface and tcpdump in between.


Thank you for the tips. I tried setting up the reverse proxy in the vhost and redirecting the SSL traffic to non-SSL traffic on localhost port 8080, set Apache to listen on port 8080, created a vhost for this port number, and stored the traffic with tcpdump to a file. For my purpose it is the easiest option, and it is fully working.


----------

