global
  # Loads the script that registers the custom "ssl-log-key" Lua action used below.
  lua-load haproxy.lua

frontend X
  # At session accept, cache the TLS session ID (hex) in a session-scoped variable;
  # the Lua action compares against this to decide whether a line still needs logging.
  # `if { ssl_fc }` restricts both rules to connections where the frontend terminates TLS.
  tcp-request session set-var(sess.ssl_session_id) ssl_fc_session_id,hex if { ssl_fc }
  # Run the Lua action per request; it emits the "RSA Session-ID:... Master-Key:..." line.
  # NOTE(review): that line is a TLS decryption secret, so the destination of this
  # frontend's debug log output should be readable only by whoever needs the keylog.
  tcp-request content lua.ssl-log-key if { ssl_fc }
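--- Reconcile one TLS fetch result with its session-scoped cache variable.
-- When the fetch yields a value that differs from the cached one (or nothing
-- is cached yet), the cache is updated and the value is flagged for logging.
-- When the fetch yields nothing, the cached value is reused without logging.
-- @param txn the HAProxy transaction (provides get_var/set_var)
-- @tparam string var_name name of the session variable, e.g. "sess.ssl_session_id"
-- @tparam string|nil current the freshly fetched hex value, or nil if unavailable
-- @treturn string|nil the value to log (current, cached, or nil if neither exists)
-- @treturn boolean true when the cache was updated and the value should be logged
local function sync_session_var(txn, var_name, current)
  local cached = txn:get_var(var_name)
  if current then
    if not cached or current ~= cached then
      txn:set_var(var_name, current)
      return current, true
    end
    return current, false
  end
  -- Fetch unavailable: fall back to whatever the session already recorded.
  return cached, false
end

--- HAProxy action "ssl-log-key": log the TLS session ID and master key of the
-- current connection in the Wireshark keylog form
-- "RSA Session-ID:<id> Master-Key:<key>". Usable from tcp-request and
-- http-request rules. A line is emitted only when the ID or key differs from
-- the values cached in sess.ssl_session_id / sess.ssl_session_key, so a
-- session carrying many requests is logged once rather than per request.
-- NOTE(review): the emitted line is a decryption secret for the session; the
-- receiver of this frontend's core.debug output must be protected accordingly.
-- The Session-ID/Master-Key form is the pre-TLS-1.3 keylog format; presumably
-- TLS 1.3 sessions need the per-secret CLIENT_RANDOM lines, which this action
-- does not produce — confirm against the Wireshark reference below.
core.register_action("ssl-log-key", { "tcp-req", "http-req" }, function(txn)
  local ssl_session_id, id_changed = sync_session_var(
    txn, "sess.ssl_session_id", txn.sc:hex(txn.sf:ssl_fc_session_id()))
  -- Bug fix: the original fallback branch wrote the cached key into
  -- ssl_session_id, leaving ssl_session_key nil and corrupting the log line.
  local ssl_session_key, key_changed = sync_session_var(
    txn, "sess.ssl_session_key", txn.sc:hex(txn.sf:ssl_fc_session_key()))

  -- Wireshark needs both fields; a nil here would also raise on the `..` below.
  if (id_changed or key_changed) and ssl_session_id and ssl_session_key then
    local src = txn.sf:src() .. ":" .. txn.sf:src_port()
    local dst = txn.sf:dst() .. ":" .. txn.sf:dst_port()
    -- The formats supported by wireshark can be found here:
    -- https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-tls-utils.c;h=28a51fb1fb029eae5cea52d37ff5b67d9b11950f;hb=HEAD#l5209
    txn:log(core.debug, "SSL " .. src .. "/" .. dst .. " RSA Session-ID:" .. ssl_session_id .. " Master-Key:" .. ssl_session_key)
  end
end)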
I couldn't find the original commit or line number, but if it may be of help, I did find that modern Wireshark shows a hint when you hover the mouse over the secret key log filename:

Transcription:
The name of a file which contains a list of (pre-)master secrets in one of the following formats:
RSA <EPMS> <PMS>
RSA Session-ID:<SSLID> Master-Key:<MS>
CLIENT_RANDOM <CRAND> <MS>
PMS_CLIENT_RANDOM <CRAND> <PMS>
Where:
<EPMS> = First 8 bytes of the Encrypted PMS
<PMS> = The Pre-Master-Secret (PMS) used to derive the MS
<SSLID> = The SSL Session ID
<MS> = The Master-Secret (MS)
<CRAND> = The Client's random number from the ClientHello message
(All fields are in hex notation)
tls.keylog_file
Unfortunately, key dumping also only works for me with TLS 1.2, and even when the keys are dumped to the logs, Wireshark still doesn't show the cleartext traffic.