Merge pull request #49 from antkern/main

Use SSLKEYLOGFILE env variable to dump SSL master key
natesales · May 12, 2023 · e19ce1e · e19ce1e
2 parents cdf34dd + 3dd6710
commit e19ce1e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -129,6 +129,14 @@ go install -ldflags="-s -w -X main.version=release"
 2. `Q_DEFAULT_SERVER` environment variable
 3. `/etc/resolv.conf`
 
+### TLS Decryption
+
+`q` supports TLS decryption through a key log file generated when
+`SSLKEYLOGFILE` environment variable is set to the absolute path of a
+writable file.
+
+The generated file may be used by Wireshark to decipher the captured traffic.
+
 ### Feature Comparison
 
 #### DNS Transport Protocols

diff --git a/main.go b/main.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/url"
 	"os"
 	"reflect"
@@ -521,6 +522,18 @@ All long form (--) flags can be toggled with the dig-standard +[no]flag notation
 		opts.Class = dns.ClassCHAOS
 	}
 
+	var keyLog io.Writer
+
+	if klf := os.Getenv("SSLKEYLOGFILE"); klf != "" {
+
+		log.Warnf("SSLKEYLOGFILE is set! TLS master secrets will be logged.");
+
+		keyLog, err = os.OpenFile(klf, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0666)
+		if err != nil {
+			return fmt.Errorf("unable to open SSLKEYLOGFILE: %s %s", klf, err)
+		}
+	}
+
 	// Create TLS config
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: opts.TLSNoVerify,
@@ -529,6 +542,7 @@ All long form (--) flags can be toggled with the dig-standard +[no]flag notation
 		MaxVersion:         tlsVersion(opts.TLSMaxVersion, tls.VersionTLS13),
 		NextProtos:         opts.TLSNextProtos,
 		CipherSuites:       parseTLSCipherSuites(opts.TLSCipherSuites),
+		KeyLogWriter:       keyLog,
 	}
 
 	var rrTypesSlice []uint16