Thursday, June 24, 2021

Re: security/openssl/1.1: s_client: enable -trace

On Thu, Jun 24, 2021 at 10:29:23AM +0200, Theo Buehler wrote:
> On Thu, Jun 24, 2021 at 07:36:24AM +0000, Klemens Nanni wrote:
> > s_client(1) and s_server(1) have this very useful option:
> >
> > Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
> > ...
> > *) SSL/TLS tracing code. This parses out SSL/TLS records using the
> > message callback and prints the results. Needs compile time option
> > "enable-ssl-trace". New options to s_client and s_server to enable
> > tracing.
> > [Steve Henson]
>
> I think the reason this is disabled by default is that it involves a
> quite a lot of scary byte bashing inside libssl (all messages will be
> parsed a second time). The result is that this will be available in all
> consumers of the library.
>
> So I'm not sure enabling this is a good idea.

FWIW: It looks like upstream have enabled this by default.

https://github.com/openssl/openssl/pull/15665

No comments:

Post a Comment