
I am trying to set up SSL key logging with Apache 2.4 on Ubuntu 22.04.

I followed the very good Walkthrough provided by Lekensteyn in this post: Extracting openssl pre-master secret from apache2

What I have found is that the key logging does not work when the Apache PHP 7.4 module is enabled. After starting Apache with PHP enabled, I immediately see the keylog file being created even though the server has received no SSL traffic. When SSL traffic is received, nothing is written to the file.

With the php module disabled the key logging works as expected. The keylog file is not created until the server receives some SSL traffic.

I have been unable to find a resolution or workaround for this issue, other than disabling the module. Unfortunately I need the PHP module enabled. There is a comment from Chris Holt on the original answer that indicates he had an issue with a mysqlclient library that was part of the PHP module. That is how I found that the PHP module was causing my issue. However, his issue was in relation to OpenSSL 1.0.2. He resolved the issue by modifying the sslkeylog.c (I believe) and recompiling.

Since I’m not a developer, modifying the source is not really an option for me.

Any suggestions on how to make the key logging work with Apache 2.4 and the PHP 7.4 module would be greatly appreciated.

1 Answer

After more testing I found that the PHP 7.4 module was causing the key log file to be created with the wrong ownership (root.root). My guess is that the PHP module is triggering the creation of the log file before the Apache process drops permissions and switches to the www-data user.

My solution is to simply create the key log file and set permissions (664) and ownership (root.www-data) before enabling the key logging in Apache. Apache will then simply append to the existing file. To simplify the process I created a small bash script that sets the key log file name, creates the file with correct permissions and ownership and then restarts Apache to apply the new settings.
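Below is an added example of the kind of script the answer describes; it is not the answerer's own script. It assumes the setup from the linked walkthrough, where the key log path is exported as `SSLKEYLOGFILE` from `/etc/apache2/envvars`, and that Apache workers run as `www-data` (the Ubuntu default). The log path, owner, group and envvars path are assumptions and can be overridden through environment variables. The file is created without truncating an existing one, given mode 664 and `root:www-data`, and the system is only modified (and Apache only restarted) when `KEYLOG_APPLY=1` is set and the script runs as root; the functions can be sourced and exercised on a scratch directory otherwise.

```shell
#!/bin/sh
# Added example (not the asker's or answerer's script): pre-create the SSL key
# log file with the right mode and ownership before Apache starts, so the file
# is not created as root:root by the PHP module before Apache drops privileges.
# Assumptions: SSLKEYLOGFILE is exported from /etc/apache2/envvars (as in the
# referenced walkthrough) and Apache workers run as www-data.
set -eu

KEYLOG_FILE="${KEYLOG_FILE:-/var/log/apache2/sslkeylog.log}"   # assumed path
KEYLOG_OWNER="${KEYLOG_OWNER:-root}"
KEYLOG_GROUP="${KEYLOG_GROUP:-www-data}"
ENVVARS_FILE="${ENVVARS_FILE:-/etc/apache2/envvars}"

# prepare_keylog PATH OWNER GROUP
# Create PATH if it does not exist (never truncating an existing log), then set
# mode 664 and OWNER:GROUP so the www-data worker can append after Apache has
# switched users. Apache appends to an existing key log rather than recreating it.
prepare_keylog() {
    path="$1"; owner="$2"; group="$3"
    [ -e "$path" ] || : > "$path"
    chmod 664 "$path"
    chown "$owner:$group" "$path"
}

# keylog_ok PATH GROUP
# Succeeds only if PATH has mode 664 and belongs to GROUP (the check to run
# before restarting Apache). Uses GNU stat(1).
keylog_ok() {
    path="$1"; group="$2"
    [ "$(stat -c '%a' "$path")" = "664" ] && [ "$(stat -c '%G' "$path")" = "$group" ]
}

# set_keylog_env ENVVARS_FILE PATH
# Remove any earlier 'export SSLKEYLOGFILE=' line and append the current path,
# so the file name can be changed by re-running the script. Any LD_PRELOAD line
# for libsslkeylog.so in the same file is left untouched.
set_keylog_env() {
    envfile="$1"; path="$2"
    [ -e "$envfile" ] || : > "$envfile"
    grep -v '^export SSLKEYLOGFILE=' "$envfile" > "$envfile.tmp" || true
    printf 'export SSLKEYLOGFILE=%s\n' "$path" >> "$envfile.tmp"
    mv "$envfile.tmp" "$envfile"
}

# keylog_env_value ENVVARS_FILE
# Print the SSLKEYLOGFILE path currently configured in ENVVARS_FILE.
keylog_env_value() {
    sed -n 's/^export SSLKEYLOGFILE=//p' "$1" | tail -n 1
}

# The real system is only touched when KEYLOG_APPLY=1 (run as root).
if [ "${KEYLOG_APPLY:-0}" = 1 ]; then
    prepare_keylog "$KEYLOG_FILE" "$KEYLOG_OWNER" "$KEYLOG_GROUP"
    set_keylog_env "$ENVVARS_FILE" "$KEYLOG_FILE"
    keylog_ok "$KEYLOG_FILE" "$KEYLOG_GROUP"
    systemctl restart apache2
fi
```

Typical use is `sudo KEYLOG_APPLY=1 KEYLOG_FILE=/var/log/apache2/sslkeylog.log sh prepare-keylog.sh`; the `keylog_ok` check fails the script before the restart if the mode or group did not end up as intended, which is exactly the condition the answer identified as the cause of the empty log.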
