plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter (#7537)

* tls: Add the keylog option to configure TLSConfig.KeyLogWriter Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> * tls: Close keylog file on instance shutdown. Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> --------- Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>
2026-04-07 20:45:32 -04:00 · 2026-03-27 12:10:13 -07:00
parent 471d62926d
commit a8caf4c375
3 changed files with 74 additions and 0 deletions
--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -27,6 +27,7 @@ Parameter CA is optional. If not set, system CAs can be used to verify the clien
 ~~~ txt
 tls CERT KEY [CA] {
    client_auth nocert|request|require|verify_if_given|require_and_verify
+    keylog FILE
 }
 ~~~

@@ -35,6 +36,9 @@ The option value corresponds to the [ClientAuthType values of the Go tls package
 The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is
 set to verify\_if\_given or require\_and\_verify.

+The keylog can be specified to export TLS master secrets in key log format to allow external programs
+to decrypt TLS connections. It compromises security and should only be used for debugging!
+
 ## Examples

 Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the