Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.7
Component/s: openssl
Labels:
- Accepted
- CY25Q2
- rn-yml

Fixed in Build:
openssl-3.5.0-2.el9
Regression:
No
Severity:
Low
Epic Link:
CRYPTO-15944
sprint_count:
1

AssignedTeam:
rhel-security-crypto
Sub-System Group:

ssg_security

Dev Target Milestone:
19
Internal Target Milestone:
20
Story Points:
0.1
ACKs Check:

QE ack, Dev ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25Q2

Acceptance Criteria:

Hide

AC1) enable-sslkeylog is present as a build option when we are building OpenSSL. [one-off manual verification]

AC2) When SSLKEYLOGFILE environment variable is used, a file with the TLS connection secrets is created. [automated testing, /CoreOS/openssl/Regression/RHEL-90853-Enable-sslkeylogfile-support]

Show
AC1) enable-sslkeylog is present as a build option when we are building OpenSSL. [one-off manual verification] AC2) When SSLKEYLOGFILE environment variable is used, a file with the TLS connection secrets is created. [automated testing, /CoreOS/openssl/Regression/RHEL-90853-Enable-sslkeylogfile-support]
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148294
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Feature
Release Note Text:

Hide
.OpenSSL supports `sslkeylogfile`

OpenSSL supports the `sslkeylogfile` format for TLS. As a result, you can log all secrets produced by SSL connections by setting the `SSLKEYLOGFILE` environment variable.

[IMPORTANT]
Enabling the `SSLKEYLOGFILE` variable poses an explicit security risk. Recording the exchanged keys during an SSL session allows anyone with read access to the file to decrypt application traffic sent over that session. Use this feature only in test and debug environments.

Show
.OpenSSL supports `sslkeylogfile` OpenSSL supports the `sslkeylogfile` format for TLS. As a result, you can log all secrets produced by SSL connections by setting the `SSLKEYLOGFILE` environment variable. [IMPORTANT] Enabling the `SSLKEYLOGFILE` variable poses an explicit security risk. Recording the exchanged keys during an SSL session allows anyone with read access to the file to decrypt application traffic sent over that session. Use this feature only in test and debug environments.
Release Note Status:
Done
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

With the rebase to OpenSSL 3.5, we can enable support for the SSLKEYLOGFILE environment variable to log TLS connection secrets through the build configuration option enable-sslkeylog.

We want this build option by default.

links to

RHBA-2025:148294 openssl bug fix and enhancement update

Assignee:: Dmitry Belyavskiy

Reporter:: Dmitry Belyavskiy

Developer:: Dmitry Belyavskiy

QA Contact:: Conor Tull

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/05/12 7:08 PM

Updated:: 2025/09/25 3:22 PM

Dev Target end:: 2025/07/07

Target end:: 2025/07/14

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide