[erlang-questions] SSL: Getting master_secret and client_random (or premaster_secret)

[Ingela Andin]

Hi!

2017-01-12 0:17 GMT+01:00 Roger Lipscombe <roger@REDACTED>:

> On 11 January 2017 at 19:12, Ingela Andin <ingela.andin@REDACTED> wrote:
>
>> There is currently no supported way. ERL-166
>> https://bugs.erlang.org/browse/ERL-166 talks about the possibility to
>> add such a feature. We have not had time to look further into this as yet.
>>
>
> I'm happy to submit a PR to implement this, provided we can agree on the
> approach (but it'll be a month or two -- we're still on Erlang 17.x, and
> there's no point in submitting a patch against that).
>

>
>> Of course, it is possible to provide such an API, although it seems to me
>> that the use case is violating the concept of using TLS in the first place.
>> It can, of course, be argued that if you have access to the erlang node you
>> may dig out the information anyway even if it might be a dirty hack.
>>
>
> I *would* argue that: We own the server, so the unencrypted traffic is
> already available. All this is doing is making it easier to see that data
> in wireshark, where there's a bunch of other useful context.
>


Well our reasoning at the moment is that we could add a debug possibility,
that would let connection_information (ssl connection_info is deprecated
due to its inflexible return value from old ssl).
return client/server/master_secret values for connections started in debug
mode. Just like you can configure a connection to run anonymous ciphers
suites for test and debugging purposes. However we would
not want connection_information to return these values by default. Even if
you conceptually can get at the information by hacking we do not want to
make it easy to do bad things to security by "accident" or
otherwise.

Regards Ingela Erlang/OTP team - Ericsson AB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20170113/4a50851e/attachment.htm>