
Bug 587116

Summary: >=dev-libs/nss-3.24 - Add USE flag to enable SSL key logging
Product: Gentoo Linux
Reporter: miro.rovis
Component: Current packages
Assignee: Mozilla Gentoo Team <mozilla>
Severity: minor
CC: whissi
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Attachments: nss-3.24-allow-sslkeylogfile.patch

Description miro.rovis 2016-06-26 08:39:10 UTC
Created attachment 438836 [details, diff]

To get SSLKEYLOGFILE logging it is necessary to set the debug use flag for www-client/firefox-47.0 and to patch the ebuild for dev-libs/nss-3.24. It would be more convenient to offer a choice via ad hoc use flags.

Detailed report follows.

I have recently discovered that the logging of SSL keys does not work as it has for years in Firefox, from www-client/firefox-47.0 and/or from dev-libs/nss-3.24.

The reasons and solutions to get that logging back are, of course, on Mozilla pages such as:

(only fairly *recently* updated with those reasons and solutions).

So setting a line like this in package.use :

# grep firefox /etc/portage/package.use 
www-client/firefox debug            # ... and other use flags ...
and reinstalling firefox,

and preparing a patch like this:

# cat nss-3.24-allow-sslkeylogfile.patch

and then:

# patch nss-3.24.ebuild < nss-3.24-allow-sslkeylogfile.patch
# mv -vi nss-3.24.ebuild  nss-3.24-r1.ebuild
or just adding one more line to the copy of that ebuild, this one:
into the bunch of "export ..." lines, and renaming that ebuild,

and then moving that nss-3.24-r1.ebuild in my local overlay, and reinstalling dev-libs/nss, I now have the SSLKEYLOGFILE functionality back.

But it would be great to have an optional use flag to allow ssl key logging in dev-libs/nss, and it would be great to not have to go for the huge debugging installation of firefox to get it to use nss to log SSL keys, by being able to set a use flag for an optimized build (without setting the debug use flag).

A fraction of users will certainly need a more convenient solution to this, so I thought I'd post this as a bug report, even though there is nothing wrong with Mozilla's unshipping of the SSLKEYLOGFILE logging.

I don't see how my particular architecture matters in this case, because this story is the same in all architectures, so not posting emerge --info.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-06-30 11:40:16 UTC

> Disable (by default) NSS support in optimized builds for logging
> SSL/TLS key material to a logfile if the SSLKEYLOGFILE environment
> variable is set. To enable the functionality in optimized builds, you
> must define the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
Comment 2 miro.rovis 2016-07-08 12:21:55 UTC
Created attachment 440042 [details, diff]

It is possible to have SSLKEYLOGFILE logging and the optimized Firefox build,
and without using the local overlay.

But by using this small patch (see the attachment):

Set the /etc/portage/bashrc exactly as currently on:
 ( precisely:
 but the local link names in that wiki page need fixing)

Create dir:
mkdir -pv /etc/portage/patches/dev-libs/nss-3.25/
mv -iv nss-3.25-allow-sslkeylogfile.patch \

Next, when running:
emerge -1 nss
there should be a line at the start:
* "User patches applied.
(only that non-verbose notice, but the patch is applied)

And there should be, at the later stretch of compile, the
-DNSS_ALLOW_SSLKEYLOGFILE=1 added to lots of lines of the compilation.

After nss has compiled, Firefox can be recompiled without the debug use flag,
and all network connections will have their secrets logged, as set with that env variable.

It will be great when we get a use flag for this functionality!

Miroslav Rovis
Zagreb, Croatia
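The two things comment 2 says to verify after the rebuild (the define in the build log, the key log being written), plus a permission check on the resulting secrets file, as an added shell example; it is not part of this bug report, the attached patch, or the nss ebuild. File paths and sample contents are constructed, and the stat invocation assumes GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not code from the bug report: three checks a practitioner
# would run after rebuilding dev-libs/nss with the user patch described above.
# File paths and sample contents are constructed for illustration.

# Did the patch take effect?  The compile lines in the emerge build log
# should carry -DNSS_ALLOW_SSLKEYLOGFILE=1 (see comment 2).
keylog_define_applied() {   # $1 = build log; exit 0 if the define appears
    grep -q -- '-DNSS_ALLOW_SSLKEYLOGFILE=1' "$1"
}

# Is the written key log well-formed?  NSS writes one entry per line:
# "<LABEL> <client random, 64 hex chars> <secret, hex>".  Prints the
# number of well-formed entries; comment and junk lines are ignored.
keylog_entry_count() {      # $1 = path to the SSLKEYLOGFILE
    grep -Ec '^[A-Z_]+ [0-9a-f]{64} [0-9a-f]+$' "$1" || true
}

# The file holds TLS session secrets, so it must not be readable by others.
keylog_perms_ok() {         # $1 = path; exit 0 only for mode 0600
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ]
}

# Writes constructed sample files into a temp dir and prints its path.
make_samples() {
    d=$(mktemp -d)
    cr=$(printf '%064d' 0 | tr 0 a)    # stand-in for a 32-byte client random
    sec=$(printf '%096d' 0 | tr 0 b)   # stand-in for a 48-byte master secret
    printf 'gcc -DNSS_ALLOW_SSLKEYLOGFILE=1 -O2 -c ssl3con.c\n' > "$d/with.log"
    printf 'gcc -O2 -c ssl3con.c\n' > "$d/without.log"
    {
        printf '# constructed key log\n'
        printf 'CLIENT_RANDOM %s %s\n' "$cr" "$sec"
        printf 'CLIENT_RANDOM %s %s\n' "$(echo "$cr" | tr a c)" "$sec"
        printf 'truncated line\n'
    } > "$d/sslkeys.log"
    chmod 600 "$d/sslkeys.log"
    cp "$d/sslkeys.log" "$d/shared.log" && chmod 644 "$d/shared.log"
    echo "$d"
}

d=$(make_samples)
keylog_define_applied "$d/with.log" && echo "define present in with.log"
echo "well-formed key log entries: $(keylog_entry_count "$d/sslkeys.log")"
keylog_perms_ok "$d/shared.log" || echo "shared.log is readable by others"
rm -rf "$d"
```

On a real system, point keylog_define_applied at the emerge build log under /var/tmp/portage and the other two at the file named by SSLKEYLOGFILE.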
Comment 3 Jory A. Pratt gentoo-dev 2017-08-26 17:57:02 UTC
If you feel I have closed your bug and it is still a current issue, please reopen and update it completely. We will not work bugs that have no ebuild in tree any longer or can not be reproduced with a current system.

Thank You for your support and understanding
The Mozilla Team