Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2026-04-08 21:15:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter (#7537)

Browse Source 
* tls: Add the keylog option to configure TLSConfig.KeyLogWriter

Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>

* tls: Close keylog file on instance shutdown.

Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>

---------

Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>
This commit is contained in:
Ilya Kulakov
2026-03-27 12:10:13 -07:00
committed by GitHub
parent 471d62926d
commit a8caf4c375
3 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
plugin/tls/tls.go
View File

@@ -2,14 +2,18 @@ package tls
import (
ctls "crypto/tls"
"os"
"path/filepath"
"github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver"
"github.com/coredns/coredns/plugin"
clog "github.com/coredns/coredns/plugin/pkg/log"
"github.com/coredns/coredns/plugin/pkg/tls"
)
var log = clog.NewWithPlugin("tls")
func init() { plugin.Register("tls", setup) }
func setup(c *caddy.Controller) error {
@@ -33,6 +37,7 @@ func parseTLS(c *caddy.Controller) error {
return plugin.Error("tls", c.ArgErr())
}
clientAuth := ctls.NoClientCert
var keyLog string
for c.NextBlock() {
switch c.Val() {
case "client_auth":
@@ -54,6 +59,15 @@ func parseTLS(c *caddy.Controller) error {
default:
return c.Errf("unknown authentication type '%s'", authTypeArgs[0])
}
case "keylog":
args := c.RemainingArgs()
if len(args) != 1 {
return c.ArgErr()
}
keyLog = args[0]
if !filepath.IsAbs(keyLog) && config.Root != "" {
keyLog = filepath.Join(config.Root, keyLog)
}
default:
return c.Errf("unknown option '%s'", c.Val())
}
@@ -71,6 +85,23 @@ func parseTLS(c *caddy.Controller) error {
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
tls.ClientCAs = tls.RootCAs
if len(keyLog) > 0 {
absKeyLog, err := filepath.Abs(keyLog)
if err != nil {
return c.Errf("unable to write TLS Key Log to %q: %s", keyLog, err)
}
f, err := os.OpenFile(absKeyLog, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
if err != nil {
return c.Errf("unable to write TLS Key Log to %q: %s", absKeyLog, err)
}
c.OnShutdown(func() error {
f.Close()
return nil
})
tls.KeyLogWriter = f
log.Warningf("Writing TLS Key Log to %q\n", absKeyLog)
}
config.TLSConfig = tls
}
return nil