Bug 587116

Summary:	>=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
Product:	Gentoo Linux	Reporter:	miro.rovis
Component:	Current packages	Assignee:	Mozilla Gentoo Team <mozilla>
Status:	RESOLVED OBSOLETE
Severity:	minor	CC:	whissi
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	nss-3.24-allow-sslkeylogfile.patch nss-3.25-allow-sslkeylogfile.patch

Description miro.rovis 2016-06-26 08:39:10 UTC

Created attachment 438836 [details, diff]
nss-3.24-allow-sslkeylogfile.patch

To get SSLKEYLOGFIE logging it is necessary to set use flag debug for www-client/firefox-47.0 and to patch ebuild for dev-libs/nss-3.24. It would be more convenient to offer a choice via ad hoc use flags.

Detailed report follows.

I have recently discovered that the logging of SSL keys does not work as it has for years in firefox, from www-client/firefox-47.0 and/or from dev-libs/nss-3.24 .

The reasons and solutions to get that logging back, are of course, on Mozilla pages such as:

https://bugzilla.mozilla.org/show_bug.cgi?id=1183318
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables

(only fairly *recently* updated with those reasons and solutions).

So setting a line like this in package.use :

# grep firefox /etc/portage/package.use 
www-client/firefox debug            # ... and other use flags ...
# 
and reinstalling firefox,

and preparing a patch like this:

# cat nss-3.24-allow-sslkeylogfile.patch
186a187
> 	export NSS_ALLOW_SSLKEYLOGFILE=1
#

and then:

# patch nss-3.24.ebuild < nss-3.24-allow-sslkeylogfile.patch
# mv -vi nss-3.24.ebuild  nss-3.24-r1.ebuild
(
or just adding into the copy of that ebuild another one line, this one:
 	export NSS_ALLOW_SSLKEYLOGFILE=1
into the bunch of "export ..." lines and renaming that ebuild
)

and then moving that nss-3.24-r1.ebuild in my local overlay, and reinstalling dev-libs/nss, I now have the SSLKEYLOGFILE functionality back.

But it would be great to have an optional use flag to allow ssl key logging in dev-libs/nss, and it would be great to not have to go for the huge debugging installation of firefox to get it to use nss to log SSL keys, by being able to set a use flag for an optimized build (without setting the debug use flag).

A fraction of users will certainly need a more convenient solution to this, so I thought I'd post this as a bug report, even though there is nothing wrong in the Mozilla's unshipping of the SSLKEYLOGFILE logging.

I don't see how my particular architecture matters in this case, because this story is the same in all architectures, so not posting emerge --info.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-06-30 11:40:16 UTC

From https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes#Notable_changes_in_NSS_3.24:

> Disable (by default) NSS support in optimized builds for logging
> SSL/TLS key material to a logfile if the SSLKEYLOGFILE environment
> variable is set. To enable the functionality in optimized builds, you
> must define the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.

Comment 2 miro.rovis 2016-07-08 12:21:55 UTC

Created attachment 440042 [details, diff]
nss-3.25-allow-sslkeylogfile.patch

It is possible to have SSLKEYLOGFILE logging and the optimized Firefox build,
and without use of the local overlay.

But by use of this small patch (see the attachment):
nss-3.25-allow-sslkeylogfile.patch

Set the /etc/portage/bashrc exactly as currently on:
https://wiki.gentoo.org/wiki//etc/portage/patches
 ( precisely:
 https://wiki.gentoo.org/wiki//etc/portage/patches#Enabling_.2Fetc.2Fportage.2Fpatches_for_all_ebuilds
 but the local link names in that wiki page need fixing)

Create dir:
mkdir -pv /etc/portage/patches/dev-libs/nss-3.25/
and:
mv -iv nss-3.25-allow-sslkeylogfile.patch \
	/etc/portage/patches/dev-libs/nss-3.25/

Next, when:
emerge -1 nss
, there should be a line at the start:
* "User patches applied.
(only that non-verbose notice, but the patch is applied)

And there should be, at the later stretch of compile, the
-DNSS_ALLOW_SSLKEYLOGFILE=1 added to lots of lines of the compilation.

After nss has compiled, Firefox can be recompiled without the debug useflag,
and all the network will have the secrets logs, as set with that env variable.

It will be great when we get a useflag for this functionality!

Regards!
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Comment 3 Jory A. Pratt gentoo-dev

2017-08-26 17:57:02 UTC

If you feel I have closed your bug and it is still a current issue, please reopen and update it completely. We will not work bugs that have no ebuild in tree any longer or can not be reproduced with a current system.

Thank You for your support and understanding
The Mozilla Team