Re: Log pre-master keys during TLS v1.3 handshake

> On 5 Feb 2024, at 22:38, Максим Чистяков <gods(dot)like(dot)you(at)gmail(dot)com> wrote:
>
> Is there a way to save the pre-master keys which are encrypted TLS handshake between PostgreSQL server and psql client due to a TLS handshake?
> For example, in a Chrome you can save those keys due to connecting through HTTPS with option --ssl-key-log-file or an environment variable SSLKEYLOGFILE (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkvECAQ&lang=en_US%E2%80%A9)
> I need the similar feature, at least in psql client (ideally, on the postgresql server side too).
>
> Why I need this:
> I'm debugging TLS connection to postgres from a rust application, used postgres-native-tls library. A psql client makes a successful TLS v1.3 connection, but my based on postgres-native-tls client fails with an "error performing TLS handshake" message. I want to dump tcp trafic, and analyze it in the Wireshark, what exactly certificates exchanged between the psql and Postgresql (succeeded TLS session), then between postgres-native-tls and postgres, and then to compare them. Buuut... to view the certificates in Wireshark, you need the TLS pre-master keys to decrypt the Encrypted Extensions packets.

There is no such thing, adding it yourself and debug your application using a
custom build is probably your best option.

--
Daniel Gustafsson