#2498 closed task (invalid)

Question: Capture keys on nginx-quic to decrypt QUIC pcap

Reported by: Karthikdasari0423@…
Owned by:
Priority: trivial
Milestone:
Component: http/3
Version: 1.19.x
Keywords:
Cc:
uname -a: root@ubuntu:/src/nginx-quic# uname -v
#66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023
nginx -V:
root@ubuntu:/src/nginx-quic# nginx -V
nginx version: nginx/1.23.4 (nginx-quic)
built by gcc 11.3.0 (Ubuntu 11.3.0-1ubuntu1~22.04.1)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --build=nginx-quic --with-debug --with-http_v3_module --with-cc-opt=-I/src/boringssl/include --with-ld-opt='-L/src/boringssl/build/ssl -L/src/boringssl/build/crypto'
root@ubuntu:/src/nginx-quic#

Description

I know this is the wrong place to raise a ticket for this question, but I don't have any other option.

I wrote a mail to nginx@…, nginx-devel@… and asked in a comment on the Disqus nginx article and in the nginx Slack also, but I didn't see any reply there.

Hope someone answers this query.

Question:
I need to capture the pcap file on my Linux machine, which is using nginx quic to connect, and decrypt those packets using an SSL key log file, but I am unable to find how to capture the SSL key log file on nginx-quic.

Could someone please help me to capture the SSL key log file?

root@ubuntu:/src/nginx-quic# uname -v
#66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023

root@ubuntu:/src/nginx-quic# nginx -V
nginx version: nginx/1.23.4 (nginx-quic)
built by gcc 11.3.0 (Ubuntu 11.3.0-1ubuntu1~22.04.1)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --build=nginx-quic --with-debug --with-http_v3_module --with-cc-opt=-I/src/boringssl/include --with-ld-opt='-L/src/boringssl/build/ssl -L/src/boringssl/build/crypto'
root@ubuntu:/src/nginx-quic#

Sorry for this question here,

Please let me know if you need any further info from my side.

Change History (1)

comment:1 by Maxim Dounin, 19 months ago

Resolution: invalid
Status: new → closed

nginx does not provide a way to capture SSL keys, consider using those from the client.
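
One way to act on the suggestion in comment:1, as an added example that is not part of the ticket or of nginx: record the key log on the client, then check that it holds the TLS 1.3 secrets a QUIC capture needs before loading it into a dissector. The names `keys.log`, `quic.pcap`, `server.example`, UDP port 443, and the helpers `keylog_check` and `sample_keylog` are assumptions, as is a curl build with HTTP/3 and `SSLKEYLOGFILE` support.

```shell
#!/usr/bin/env bash
# Manual capture on the client (placeholder names; assumes curl with HTTP/3 + key logging):
#   tcpdump -i any -w quic.pcap udp port 443 &
#   SSLKEYLOGFILE=keys.log curl --http3 https://server.example/
#   tshark -r quic.pcap -o tls.keylog_file:keys.log -Y quic

# QUIC uses TLS 1.3, so each connection (keyed by client random) needs these
# four NSS key log labels to decrypt its Handshake and 1-RTT packets.
REQUIRED="CLIENT_HANDSHAKE_TRAFFIC_SECRET SERVER_HANDSHAKE_TRAFFIC_SECRET CLIENT_TRAFFIC_SECRET_0 SERVER_TRAFFIC_SECRET_0"

# Print one line per client random: "<random> ok" or "<random> missing:<labels>".
# Exit status is 0 only if the file has at least one connection and all are complete.
keylog_check() {
  awk -v req="$REQUIRED" '
    BEGIN { n = split(req, want, " ") }
    /^#/ || NF == 0 { next }        # skip comments and blank lines
    NF != 3 { next }                # expect "<label> <client_random> <secret>"
    { if (!($2 in seen)) { order[++c] = $2; seen[$2] = 1 }; have[$2, $1] = 1 }
    END {
      bad = (c == 0)
      for (i = 1; i <= c; i++) {
        r = order[i]; miss = ""
        for (j = 1; j <= n; j++)
          if (!((r, want[j]) in have)) miss = miss (miss == "" ? "" : ",") want[j]
        if (miss == "") print r, "ok"; else { print r, "missing:" miss; bad = 1 }
      }
      exit bad
    }' "$1"
}

# Constructed sample key log (values shortened; real randoms are 64 hex chars).
sample_keylog() {
  cat <<'EOF'
# constructed key log, not taken from a real session
CLIENT_HANDSHAKE_TRAFFIC_SECRET aa01 1111
SERVER_HANDSHAKE_TRAFFIC_SECRET aa01 2222
CLIENT_TRAFFIC_SECRET_0 aa01 3333
SERVER_TRAFFIC_SECRET_0 aa01 4444
CLIENT_HANDSHAKE_TRAFFIC_SECRET bb02 5555
SERVER_HANDSHAKE_TRAFFIC_SECRET bb02 6666
EOF
}

# Usage: ./keylog_check.sh keys.log
if [ -n "${1:-}" ]; then keylog_check "$1"; fi
```

The key log contains live session secrets, so keep it readable only by the capturing user and delete it once the analysis is done.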
