From 91a06eca31e3edc76309da2fa07e474655794845 Mon Sep 17 00:00:00 2001
From: Seo Suchan
Date: Tue, 21 Oct 2025 14:22:46 +0900
Subject: [PATCH 1/3] add sslkeylogfile support for pebble

allows low level debug of client without modifying client's source code
---
 cmd/pebble/main.go             | 26 ++++++++++++++++++++++----
 test/config/pebble-config.json |  1 +
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/cmd/pebble/main.go b/cmd/pebble/main.go
index 5c86247c..acf6f16c 100644
--- a/cmd/pebble/main.go
+++ b/cmd/pebble/main.go
@@ -1,8 +1,10 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"os"
@@ -27,6 +29,7 @@ type config struct {
 	TLSPort int
 	Certificate string
 	PrivateKey string
+	SSLKeyLogFile string
 	OCSPResponderURL string
 	// Require External Account Binding for "newAccount" requests
 	ExternalAccountBindingRequired bool
@@ -162,13 +165,28 @@ func main() {
 		logger.Print("Management interface is disabled")
 	}
 
+	var ssllog io.Writer
+	ssllogfile, err := os.OpenFile(c.Pebble.SSLKeyLogFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		ssllog = nil
+	} else {
+		logger.Printf("TLS session key of Pebble will be logged at %s", c.Pebble.SSLKeyLogFile)
+		ssllog = ssllogfile
+		defer ssllogfile.Close()
+	}
+	pebbleserver := http.Server{
+		TLSConfig: &tls.Config{
+			KeyLogWriter: ssllog,
+		},
+		Addr: c.Pebble.ListenAddress,
+		Handler: muxHandler,
+	}
+
 	logger.Printf("Listening on: %s\n", c.Pebble.ListenAddress)
 	logger.Printf("ACME directory available at: https://%s%s", c.Pebble.ListenAddress, wfe.DirectoryPath)
-	err = http.ListenAndServeTLS(
-		c.Pebble.ListenAddress,
+	err = pebbleserver.ListenAndServeTLS(
 		c.Pebble.Certificate,
-		c.Pebble.PrivateKey,
-		muxHandler)
+		c.Pebble.PrivateKey)
 	cmd.FailOnError(err, "Calling ListenAndServeTLS()")
 }
diff --git a/test/config/pebble-config.json b/test/config/pebble-config.json
index fc738ecc..7b39b15f 100644
--- a/test/config/pebble-config.json
+++ b/test/config/pebble-config.json
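Review bot: In the `ssllogfile, err := os.OpenFile(...)` block of the `func main()` hunk, an open failure is swallowed — `ssllog = nil` only restates the zero value — so a configured key log path that cannot be opened (missing directory, permission denied) silently leaves key logging off while the operator believes session keys are being captured, and the empty-path default only works because `os.OpenFile("")` happens to fail. Gate on the path being non-empty and fail loudly on a real error with the file's existing `cmd.FailOnError` helper, as the server-start path a few lines below already does. `os.O_TRUNC` also discards keys from earlier runs; the key log convention that Wireshark and NSS follow is to append, so `os.O_APPEND` is the better flag. The same block survives unchanged into the `@@ -166,7 +166,7 @@` hunks of patches 2/3 and 3/3 (only the path expression and the mode literal change there), so the fix applies to them as well. The enclosing `main` starts outside the hunk.
```go
	var ssllog io.Writer
	if keyLogPath := c.Pebble.SSLKeyLogFile; keyLogPath != "" {
		// Session keys make every TLS session to this server decryptable, so the
		// log is opened only when explicitly requested and never on a failed open.
		ssllogfile, err := os.OpenFile(keyLogPath, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
		cmd.FailOnError(err, "Opening TLS key log file")
		defer ssllogfile.Close()
		logger.Printf("TLS session key of Pebble will be logged at %s", keyLogPath)
		ssllog = ssllogfile
	}
	// … unchanged: pebbleserver construction and ListenAndServeTLS …
```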
@@ -4,6 +4,7 @@
     "managementListenAddress": "0.0.0.0:15000",
     "certificate": "test/certs/localhost/cert.pem",
     "privateKey": "test/certs/localhost/key.pem",
+    "sslKeyLogFile": "",
     "httpPort": 5002,
     "tlsPort": 5001,
     "ocspResponderURL": "",

From 3a6237e0d932871ee3dfcd1ba462f7fc43349911 Mon Sep 17 00:00:00 2001
From: Seo Suchan
Date: Thu, 23 Oct 2025 15:53:36 +0900
Subject: [PATCH 2/3] use standard env variable instead of config file option

---
 cmd/pebble/main.go             | 2 +-
 test/config/pebble-config.json | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/cmd/pebble/main.go b/cmd/pebble/main.go
index acf6f16c..931dae92 100644
--- a/cmd/pebble/main.go
+++ b/cmd/pebble/main.go
@@ -166,7 +166,7 @@ func main() {
 	}
 
 	var ssllog io.Writer
-	ssllogfile, err := os.OpenFile(c.Pebble.SSLKeyLogFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	ssllogfile, err := os.OpenFile(os.Getenv("SSLKEYLOGFILE"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		ssllog = nil
 	} else {
diff --git a/test/config/pebble-config.json b/test/config/pebble-config.json
index 7b39b15f..fc738ecc 100644
--- a/test/config/pebble-config.json
+++ b/test/config/pebble-config.json
@@ -4,7 +4,6 @@
     "managementListenAddress": "0.0.0.0:15000",
     "certificate": "test/certs/localhost/cert.pem",
     "privateKey": "test/certs/localhost/key.pem",
-    "sslKeyLogFile": "",
     "httpPort": 5002,
     "tlsPort": 5001,
     "ocspResponderURL": "",

From 2354dd5004e8f6c112632c633a008ed38f331c46 Mon Sep 17 00:00:00 2001
From: Seo Suchan
Date: Thu, 23 Oct 2025 20:45:58 +0900
Subject: [PATCH 3/3] lint fix

---
 cmd/pebble/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/pebble/main.go b/cmd/pebble/main.go
index 931dae92..82244924 100644
--- a/cmd/pebble/main.go
+++ b/cmd/pebble/main.go
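Review bot: The success branch after `} else {` in the `cmd/pebble/main.go` hunk of patch 2/3 lies outside the hunk and, going by the diffstat (1 insertion, 1 deletion in that file), is unchanged: it still logs `c.Pebble.SSLKeyLogFile`, which this patch stops populating, so the `TLS session key of Pebble will be logged at` line now prints an empty path instead of the `SSLKEYLOGFILE` value. Read the variable once and use it in both places, e.g. `keyLogPath := os.Getenv("SSLKEYLOGFILE")` ahead of the `os.OpenFile` call and `logger.Printf("TLS session key of Pebble will be logged at %s", keyLogPath)` in the branch. The `SSLKeyLogFile` field added to `config` in patch 1/3 is likewise left behind with nothing writing to it and should go together with the JSON key. Since an inherited `SSLKEYLOGFILE` now enables key logging without any Pebble configuration, that log line is the only signal an operator gets that session keys are being written, which makes getting it right more than cosmetic. `main` starts and ends outside the hunk.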
@@ -166,7 +166,7 @@ func main() {
 	}
 
 	var ssllog io.Writer
-	ssllogfile, err := os.OpenFile(os.Getenv("SSLKEYLOGFILE"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	ssllogfile, err := os.OpenFile(os.Getenv("SSLKEYLOGFILE"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
 		ssllog = nil
 	} else {