7

I have to store pre-master keys for all TLS connections due to regulator request. We are using nginx to terminate TLS.

I've read Extract pre-master keys from an OpenSSL application and especially excellent walkthrough Extracting openssl pre-master secret from apache2 and I was able to record keys from apache, but still have no success with nginx. Perhaps I'm missing something obvious?

I'm using Debian 9 system for testing. First I check which version of openssl is used by nginx:

# nginx -V 2>&1 |grep SSL
built with OpenSSL 1.1.0k  28 May 2019
# ldd /usr/sbin/nginx |grep ssl
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f9bd9f95000)

So I installed libssl-dev package which provides 1.1.0k-1~deb9u1 version.

I downloaded sslkeylog.c and compiled it: cc sslkeylog.c -shared -o libsslkeylog.so -fPIC -ldl

I put compiled library into /usr/local/lib/libsslkeylog.so path for convenience. Then I edited nginx's systemd config:

#cat /etc/systemd/system/nginx.service.d/override.conf
[Service]
Environment=SSLKEYLOGFILE=/tmp/premaster.txt
Environment=LD_PRELOAD=/usr/local/lib/libsslkeylog.so

# systemctl daemon-reload
# systemctl restart nginx

I can see that LD_PRELOAD works - lsof of both master and worker nginx processes show that /usr/local/lib/libsslkeylog.so is loaded:

# lsof -n -p 10313 |grep ssl
nginx   10313 root  mem    REG              254,1   442984   3255 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
nginx   10313 root  mem    REG              254,1    14224  20914 /usr/local/lib/libsslkeylog.so
# lsof -n -p 10314 |grep ssl
nginx   10314 www-data  mem       REG              254,1   442984   3255 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
nginx   10314 www-data  mem       REG              254,1    14224  20914 /usr/local/lib/libsslkeylog.so

But after I access nginx through curl

curl -k -I https://localhost

or through browser on my PC, /tmp/premaster.txt is not created

What am I doing wrong? Or is there a better way to store pre-master keys in nginx?

user2586441
  • 131
  • 1
  • 5
  • 1
    Why would the regulator need that you store all pre-master keys? Do they intend to intercept your communications? I am not convinced he is doing a proper job... – Ángel Aug 28 '19 at 01:37
  • Perhaps I was not entirely clear - the regulator is a goverment agency, they have rights for this kind of information according to federal law. Internet Service Provider should supply traffic dump to them and site owner should provide ssl keys so they can decrypt the dump. – user2586441 Aug 28 '19 at 08:14
  • With `sslkeylog.c` I've observed that if you have more that one `server` listening on `*:443`, secrets are only saved for the first one. – Jaime Hablutzel May 09 '20 at 02:20

1 Answers1

6

Well, as I was pointed at nginx mailing list, nginx removes all environment variables inherited from its parent process except the TZ variable, so once I defined needed variables in nginx.conf

env LD_PRELOAD=/usr/local/lib/libsslkeylog.so;
env SSLKEYLOGFILE=/tmp/premaster.txt;

keys started being recorded as expected.

user2586441
  • 131
  • 1
  • 5
  • Would you know how to perform this on Windows? – Dandré Feb 27 '21 at 20:07
  • How did you combine requests in nginx logs and entries in a file premaster.txt? – undying Jul 28 '22 at 14:46
  • @user126093, if i remember correctly you'll need traffic dump for that. You can decrypt traffic dump using premaster.txt and then you'll see ip addresses and http requests which can be traced back to nginx log. – user2586441 Jul 29 '22 at 10:33