
Add SSLKEYLOGFILE support

Michał Kępień requested to merge 2723-add-SSLKEYLOGFILE-support into main

This MR implements TLS pre-master secret logging using the libisc logging framework. Doing it this way enables us to get size limiting and file rotation "for free" at the cost of additional locking done by libisc logging contexts. (Credit to @pspacek for originally coming up with this idea!)

As setting the SSLKEYLOGFILE environment variable is the de facto standard way of exporting TLS pre-master secrets from a piece of software (this method is supported by Firefox, Chrome, Apache, GnuTLS, curl, and Python, to name a few), this MR proposes to use that variable in the same manner.

Since the proposed defaults may not be appropriate in certain cases, this MR also allows custom logging configuration to be provided for TLS pre-master secrets.

Indirectly, this MR also enables TLS pre-master secret logging to be enabled/disabled at runtime (by changing the logging stanza and running rndc reconfig).

While this approach is arguably far from perfect, it appears to be checking off a lot of boxes:

  • it is simple to employ for one-off experiments while still allowing more complex configurations when necessary,

  • it makes BIND 9 behave similarly to other software out there,

  • it should be simple to review.

We really need some way of doing this in BIND 9.18. More user-friendly additions which are deemed useful in the long run (e.g. rndc commands) can always be implemented after further discussions, which should take place when we are not under time pressure.

Closes #2723 (closed)

Edited by Michał Kępień
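What lands in the file named by SSLKEYLOGFILE is the NSS key log format that tools such as Wireshark consume, so anyone who can read that file can decrypt the logged TLS sessions. The following added example (not part of this MR or of BIND itself) parses that format, flags malformed lines and reports whether a key log file is group- or world-readable; the label names and secret lengths are assumptions taken from the NSS format, and `SAMPLE_KEYLOG` is constructed input.

```python
import os
import re
import stat

# Assumed NSS key log format, the format SSLKEYLOGFILE consumers such as Wireshark
# read: "<LABEL> <client_random, 64 hex> <secret, hex>", '#' starts a comment.
# Labels and secret sizes are from that format, not from the BIND MR itself.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
TLS13_LABELS = ("CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
                "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
# TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are hash-sized (32 or 48 bytes).
SECRET_HEX_LEN = {"CLIENT_RANDOM": {96}, **{lbl: {64, 96} for lbl in TLS13_LABELS}}

# Constructed sample input, not secrets from any real session.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "a" * 64 + " " + "b" * 96,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "c" * 64 + " " + "d" * 64,
    "SERVER_TRAFFIC_SECRET_0 " + "c" * 64 + " " + "e" * 64,
    "CLIENT_RANDOM " + "f" * 64 + " " + "0" * 95,  # wrong secret length
    "NOT_A_LABEL garbage",                           # unknown label
])

def parse_keylog(text):
    """Return (entries, bad_line_numbers); each entry is (label, client_random, secret)."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(3)) not in SECRET_HEX_LEN.get(m.group(1), ()):
            bad.append(lineno)
        else:
            entries.append(m.groups())
    return entries, bad

def assess(text, mode):
    """Summarise exposure: who can read the log and how many sessions it can decrypt."""
    entries, bad = parse_keylog(text)
    return {"world_readable": bool(mode & stat.S_IROTH),
            "group_readable": bool(mode & stat.S_IRGRP),
            "sessions": len({e[1] for e in entries}),  # distinct client randoms
            "secrets": len(entries), "malformed_lines": bad}

def report_file(path):
    """Run assess() on a key log file on disk (e.g. the one named by SSLKEYLOGFILE)."""
    with open(path) as fh:
        return assess(fh.read(), os.stat(path).st_mode)
```

`report_file("/path/to/keylog")` gives the same report for a real file; a key log that BIND's logging channel rotates should keep the same restrictive mode on every rotated copy.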
