aherman
/
proxysql
mirror of https://github.com/sysown/proxysql
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f2db55f0c8'
${ noResults }
proxysql/doc/ssl_keylog/ssl_keylog_user_guide.md

486 lines
13 KiB
Raw Blame History

# SSL/TLS Key Logging - User Guide
## What is SSL/TLS Key Logging?
SSL/TLS key logging is a debugging feature that allows ProxySQL to write TLS encryption secrets to a file. These secrets can be used by network analysis tools like **Wireshark** to decrypt and inspect TLS traffic.
### Why Would You Use This?
This feature is primarily useful for:
- **Debugging TLS connection issues** between clients and ProxySQL
- **Analyzing encrypted traffic** without modifying application code
- **Troubleshooting TLS handshake problems**
- **Performance analysis** of TLS connections
- **Security auditing** of TLS configurations
### Important Security Warning
> **WARNING:** The key log file contains cryptographic secrets that can decrypt ALL TLS traffic. Anyone with access to this file can decrypt your encrypted communications.
>
> **Only enable this feature for debugging purposes.** Disable it in production environments.
---
## Variable Names: Important Distinction
ProxySQL variables belong to **modules**. When referencing a variable from the SQL interface, you must prefix it with the module name.
### SQL Interface (Runtime)
From the ProxySQL admin interface, use the **module prefix**:
```sql
-- Correct: uses admin- prefix for admin module variables
SET admin-ssl_keylog_file = '/var/log/proxysql/sslkeys.txt';
-- Also correct
SET admin-ssl_keylog_file = 'sslkeys.txt';
-- Disable key logging
SET admin-ssl_keylog_file = '';
-- Apply to runtime
LOAD ADMIN VARIABLES TO RUNTIME;
```
### Configuration File
In the configuration file (e.g., `/etc/proxysql.cnf`), variables are grouped by module section:
```ini
# Configuration file format
admin_variables=
{
admin_credentials="admin:admin"
mysql_ifaces="0.0.0.0:6032"
# NO prefix needed in config file - already in admin section
ssl_keylog_file='/var/log/proxysql/sslkeys.txt'
}
mysql_variables=
{
threads=4
max_connections=2048
# ... other mysql variables
}
```
**Key Points:**
- In **SQL commands**: Use `SET admin-ssl_keylog_file = '...'` (with prefix)
- In **config files**: Use `ssl_keylog_file='...'` (no prefix, inside `admin_variables` section)
---
## How to Enable SSL Key Logging
### Method 1: Using SQL Commands (Runtime)
Connect to the ProxySQL admin interface (default port 6032):
```bash
mysql -h 127.0.0.1 -P 6032 -u admin -padmin
```
Then set the variable:
```sql
-- Enable key logging with absolute path
SET admin-ssl_keylog_file = '/var/log/proxysql/sslkeys.txt';
-- Apply to runtime immediately
LOAD ADMIN VARIABLES TO RUNTIME;
-- Verify it's set
SELECT * FROM global_variables WHERE variable_name = 'admin-ssl_keylog_file';
```
### Method 2: Using Configuration File
Edit your ProxySQL configuration file (typically `/etc/proxysql.cnf`):
```ini
admin_variables=
{
admin_credentials="admin:admin"
mysql_ifaces="0.0.0.0:6032"
# Add this line
ssl_keylog_file='/var/log/proxysql/sslkeys.txt'
}
```
Then restart ProxySQL:
```bash
sudo systemctl restart proxysql
# or
sudo service proxysql restart
```
---
## Path Resolution
The `ssl_keylog_file` variable accepts two types of paths:
| Path Type | Format | Example | Resolved To |
|-----------|--------|---------|-------------|
| **Absolute** | Starts with `/` | `/var/log/proxysql/keys.txt` | `/var/log/proxysql/keys.txt` |
| **Relative** | No leading `/` | `sslkeys.txt` | `$DATADIR/sslkeys.txt` |
**Example:**
```sql
-- If ProxySQL data directory is /var/lib/proxysql
SET admin-ssl_keylog_file = 'debug/sslkeys.txt';
-- Resolves to: /var/lib/proxysql/debug/sslkeys.txt
```
---
## Verifying Key Logging
After enabling key logging and generating TLS traffic, verify the key log file:
```bash
# Check if file exists
ls -la /var/log/proxysql/sslkeys.txt
# View contents (should contain secrets!)
cat /var/log/proxysql/sslkeys.txt
```
The file should contain lines like:
```
CLIENT_RANDOM 3a4b5c6d7e8f0123456789abcdef... 48_byte_secret_here...
```
---
## Disabling SSL Key Logging
### Using SQL Commands
```sql
-- Set to empty string to disable
SET admin-ssl_keylog_file = '';
-- Apply to runtime
LOAD ADMIN VARIABLES TO RUNTIME;
```
### Using Configuration File
Remove or comment out the `ssl_keylog_file` line in your config file and restart ProxySQL.
---
## Log Rotation
ProxySQL supports rotating the SSL key log file using the `PROXYSQL FLUSH LOGS` command:
```sql
PROXYSQL FLUSH LOGS;
```
This command:
1. Closes the current key log file
2. Reopens the file for appending
**Note:** The file is reopened in append mode, so existing contents will be preserved. If you want to start with a fresh file, rename/move the old file manually before running `FLUSH LOGS`.
### Manual Log Rotation Example
```bash
# 1. Rename the current key log file
mv /var/log/proxysql/sslkeys.txt /var/log/proxysql/sslkeys.txt.old
# 2. Tell ProxySQL to create a new file
mysql -h 127.0.0.1 -P 6032 -u admin -padmin -e "PROXYSQL FLUSH LOGS;"
# 3. Secure the old file
chmod 600 /var/log/proxysql/sslkeys.txt.old
```
---
## Analyzing TLS Traffic with Key Logs
In production environments, you typically don't run Wireshark directly on the server. Instead, you:
1. Capture traffic to a pcap file using `tcpdump`
2. Copy both the pcap file and key log file to an analysis system
3. Analyze offline using Wireshark (GUI) or tshark (command-line)
### Production Capture Workflow
#### Step 1: Capture Traffic with tcpdump
On the ProxySQL server, capture network traffic to a pcap file:
```bash
# Capture on the interface ProxySQL is listening on (e.g., eth0)
# Replace 6033 with your ProxySQL MySQL port
sudo tcpdump -i eth0 -w /tmp/proxysql_debug.pcap port 6033
# Or capture traffic between specific hosts
sudo tcpdump -i eth0 -w /tmp/proxysql_debug.pcap host client_ip and host proxysql_ip
# Run for a specific duration
sudo timeout 60 tcpdump -i eth0 -w /tmp/proxysql_debug.pcap port 6033
```
**Notes:**
- Use `-i any` to capture on all interfaces if unsure
- The `-w` flag writes to pcap format (binary)
- Capture size is limited by disk space - monitor with `df -h`
#### Step 2: Collect Files for Analysis
Copy both the pcap file and the key log file to your analysis system:
```bash
# On the ProxySQL server
scp /tmp/proxysql_debug.pcap user@analysis-system:/path/to/analysis/
scp /var/log/proxysql/sslkeys.txt user@analysis-system:/path/to/analysis/
# Or archive them together
tar czf proxysql_debug.tar.gz /tmp/proxysql_debug.pcap /var/log/proxysql/sslkeys.txt
```
**Security:** Use secure copy (scp/sftp) and ensure the key log file is transmitted securely, as it contains cryptographic secrets.
#### Step 3: Analyze with Wireshark (GUI)
On your analysis system with Wireshark installed:
1. **Configure TLS key log:**
- Open Wireshark
- Go to **Edit → Preferences → Protocols → TLS** (or **SSL** in older versions)
- Set **"(Pre)-Master-Secret log filename"** to the key log file path
2. **Open the pcap file:**
- File → Open → Select `proxysql_debug.pcap`
- Wireshark will decrypt TLS traffic using the key log file
3. **Filter decrypted traffic:**
```
# Show only MySQL packets
mysql
# Show TLS handshake
tls.handshake.type == 1
# Show decrypted application data
tls.app_data
```
4. **View decrypted content:**
- Right-click on a TLS packet → **Follow → TCP Stream**
- Or right-click → **Follow → TLS Stream** (Wireshark 3.0+)
#### Step 4: Analyze with tshark (Command-Line)
**tshark** is Wireshark's command-line counterpart - useful for servers or headless analysis.
```bash
# Read pcap with TLS decryption using key log file
tshark -r /tmp/proxysql_debug.pcap \
-o tls.keylog_file:/path/to/sslkeys.txt \
-Y "tls" \
-V
# Show only MySQL packets
tshark -r /tmp/proxysql_debug.pcap \
-o tls.keylog_file:/path/to/sslkeys.txt \
-Y "mysql"
# Export decrypted TLS payloads to JSON
tshark -r /tmp/proxysql_debug.pcap \
-o tls.keylog_file:/path/to/sslkeys.txt \
-T json \
-Y "tls.app_data" \
> decrypted.json
# Show summary of decrypted connections
tshark -r /tmp/proxysql_debug.pcap \
-o tls.keylog_file:/path/to/sslkeys.txt \
-q -z tls,tree
```
**Common tshark filters for ProxySQL debugging:**
```bash
# Show TLS handshake details
tshark -r proxysql_debug.pcap -o tls.keylog_file:sslkeys.txt -Y "tls.handshake"
# Show all TLS app data (decrypted MySQL queries/responses)
tshark -r proxysql_debug.pcap -o tls.keylog_file:sslkeys.txt -Y "tls.app_data" -V
# Convert to readable text format
tshark -r proxysql_debug.pcap -o tls.keylog_file:sslkeys.txt -T fields \
-e frame.time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
-e tls.app_data.data
# Statistics: TLS sessions by cipher suite
tshark -r proxysql_debug.pcap -o tls.keylog_file:sslkeys.txt -q -z tls,ctext
```
### Alternative: Live Capture with tshark
If you need to monitor traffic in real-time (not recommended for production debugging):
```bash
# Live capture with TLS decryption
sudo tshark -i eth0 -f "port 6033" \
-o tls.keylog_file:/var/log/proxysql/sslkeys.txt \
-Y "tls.app_data" \
-V
```
**Note:** This still requires running on the ProxySQL server. For production, prefer the tcpdump → offline analysis workflow.
---
## Configuration File Reference
### Sample Configuration with Key Logging
```ini
# /etc/proxysql.cnf
datadir="/var/lib/proxysql"
admin_variables=
{
admin_credentials="admin:admin"
mysql_ifaces="0.0.0.0:6032"
# Enable SSL key logging for debugging
ssl_keylog_file='/var/log/proxysql/sslkeys.txt'
}
mysql_variables=
{
threads=4
max_connections=2048
interfaces="0.0.0.0:6033"
default_schema="information_schema"
# ... other mysql variables
}
```
---
## Troubleshooting
### Variable Not Found Error
**Problem:** `ERROR 1045 (28000): Unknown variable 'admin-ssl_keylog_file'`
**Solution:**
- Make sure you're connected to the admin interface (port 6032, not 6033)
- Check that you're using the correct prefix: `admin-ssl_keylog_file`
### File Not Created
**Problem:** The key log file is not being created.
**Solutions:**
1. Check that the directory exists and is writable:
```bash
ls -la /var/log/proxysql
```
2. Check ProxySQL error logs for permission errors
3. Verify the variable is set:
```sql
SELECT * FROM global_variables WHERE variable_name = 'admin-ssl_keylog_file';
```
### No Secrets in File
**Problem:** File exists but is empty or has no secrets.
**Solutions:**
1. Verify TLS is actually being used:
```sql
-- Check if connections are using TLS
SELECT * FROM stats_mysql_connection_pool;
```
2. Make sure clients are connecting with SSL/TLS
3. Check that `admin-ssl_keylog_file` is loaded into runtime:
```sql
LOAD ADMIN VARIABLES TO RUNTIME;
```
### tcpdump Permission Denied
**Problem:** `tcpdump: snaplen: ioctl: Permission denied`
**Solution:** Run tcpdump with sudo:
```bash
sudo tcpdump -i eth0 -w /tmp/capture.pcap port 6033
```
---
## Best Practices
### Security
1. **Never enable in production** unless actively debugging
2. **Set restrictive file permissions:**
```bash
chmod 600 /var/log/proxysql/sslkeys.txt
chown proxysql:proxysql /var/log/proxysql/sslkeys.txt
```
3. **Securely delete old key log files:**
```bash
shred -u /var/log/proxysql/sslkeys.txt.old
```
4. **Monitor file size** - key log files can grow quickly
### Operational
1. **Use absolute paths** to avoid confusion
2. **Document when key logging is enabled** for audit purposes
3. **Rotate regularly** during long debugging sessions
4. **Disable immediately after** debugging is complete
5. **Use tcpdump for production captures** - don't run Wireshark on production servers
---
## Quick Reference
| Context | Variable Name | Example |
|---------|---------------|---------|
| **SQL commands** | `admin-ssl_keylog_file` | `SET admin-ssl_keylog_file = '/path/file.txt';` |
| **Config file** | `ssl_keylog_file` | `ssl_keylog_file='/path/file.txt'` (in `admin_variables` section) |
| Command | Description |
|---------|-------------|
| `SET admin-ssl_keylog_file = '/path/to/file.txt';` | Enable key logging |
| `SET admin-ssl_keylog_file = '';` | Disable key logging |
| `LOAD ADMIN VARIABLES TO RUNTIME;` | Apply changes |
| `PROXYSQL FLUSH LOGS;` | Rotate key log file |
| `SELECT * FROM global_variables WHERE variable_name = 'admin-ssl_keylog_file';` | Check current setting |
| Tool | Use Case |
|------|----------|
| `tcpdump` | Capture traffic to pcap file (production) |
| `tshark` | Analyze pcap files with key log (command-line) |
| `Wireshark` | Analyze pcap files with key log (GUI) |
---
## Additional Resources
- **Developer Documentation:** See `ssl_keylog_developer_guide.md` for implementation details
- **NSS Key Log Format:** https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
- **Wireshark TLS Decryption:** https://wiki.wireshark.org/TLS
- **tshark Manual:** `man tshark` or https://www.wireshark.org/docs/man-pages/tshark.html
- **ProxySQL Configuration:** https://github.com/sysown/proxysql/wiki
Reference in new issue View Git Blame Copy Permalink