Add log for tls diffie–hellman ephemeral key

eggheads · Nov 28, 2023 · e393d3a · e393d3a
1 parent 322bddb
commit e393d3a
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/src/tls.c b/src/tls.c
@@ -739,7 +739,8 @@ static void ssl_info(const SSL *ssl, int where, int ret)
   const
 #endif
   SSL_CIPHER *cipher;
-  int secret, processed;
+  int secret, processed, i;
+  EVP_PKEY *key;
 
   if (!(data = (ssl_appdata *) SSL_get_app_data(ssl)))
     return;
@@ -770,15 +771,23 @@ static void ssl_info(const SSL *ssl, int where, int ret)
     /* Display cipher information */
     cipher = SSL_get_current_cipher(ssl);
     processed = SSL_CIPHER_get_bits(cipher, &secret);
-    putlog(LOG_DEBUG, "*", "TLS: cipher used: %s %s; %d bits (%d secret)",
-           SSL_CIPHER_get_name(cipher), SSL_get_version(ssl),
-           processed, secret);
+    putlog(LOG_DEBUG, "*", "TLS: cipher used: %s, %d of %d secret bits used for cipher, %s",
+           SSL_CIPHER_get_name(cipher), processed, secret, SSL_get_version(ssl));
     /* secret are the actually secret bits. If processed and secret differ,
        the rest of the bits are fixed, i.e. for limited export ciphers */
 
     /* More verbose information, for debugging only */
     SSL_CIPHER_description(cipher, buf, sizeof buf);
+    i = strlen(buf);
+    if ((i > 0) && (buf[i - 1]) == '\n')
+      buf[i - 1] = 0;
     debug1("TLS: cipher details: %s", buf);
+
+    if (SSL_get_server_tmp_key((SSL *) ssl, &key)) {
+      putlog(LOG_DEBUG, "*", "TLS: diffie–hellman ephemeral key used: %s, bits %d",
+             OBJ_nid2sn(EVP_PKEY_id(key)), EVP_PKEY_bits(key));
+      EVP_PKEY_free(key);
+    }
   } else if (where & SSL_CB_ALERT) {
     if (strcmp(SSL_alert_type_string(ret), "W") ||
         strcmp(SSL_alert_desc_string(ret), "CN")) {