Latest Unstable doesn't enable SSL debugging

Post by cyisfor » 2017-08-05, 21:25

Normal builds of Pale Moon (and Firefox) block 3rd party programs from analyzing SSL traffic, and there's no way to disable that even on a temporary basis. But I thought there was at least one version available that didn't do that. I tried the latest unstable version, but setting SSLKEYLOGFILE didn't do anything.

This is kind of important if I'm going to "report bugs" on the "development version." The browser itself offers almost no information about SSL negotiation, with no way to even view the client keys and randomness, or what ciphers the browser attempts to negotiate. All I can get is "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports," with no information on what TLS version my client supposedly downgraded to. (Ostensibly the reason is to protect our security, and only coincidentally reserves the power of public key encryption only to big corporations.) A program like Wireshark can find out that stuff, but it's not part of "the kitchen sink," so without SSLKEYLOGFILE I'm pretty much blocked from using it.

Am I just doing it wrong? I'm pretty sure I spelled the environment variable correctly...


Moonchild
Pale Moon guru
Posts: 35478
Joined: 2011-08-28, 17:27
Location: Motala, SE

Post by Moonchild » 2017-08-06, 09:32

Because of an NSS update, it's disabled by default on all builds (since they are all built non-debug).

There's the risk of remote exploits on one side, and the (small handful of) people needing this debugging info on the other. It doesn't look like this support can be flipped at run-time because NSS is a stand-alone module. So, this has to be decided at build-time.

See also: viewtopic.php?f=57&t=15080&p=108948&hil ... LE#p108942

EDIT: I'll just enable it on all builds; it's still an opt-in feature needing an env var anyway, so risk is relatively low.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Post by cyisfor » 2017-08-06, 22:58

Moonchild wrote: EDIT: I'll just enable it on all builds; it's still an opt-in feature needing an env var anyway, so risk is relatively low.
Oh, really? Thank you! Personally I think it doesn't decrease security at all, because if someone can break into your account, they can change your config files to launch their corrupted version of the browser anyway. Not really something applications can be expected to police.

Post by Moonchild » 2017-08-07, 00:44

Like I said, risk is relatively low. There are a few scenarios where a system doesn't have to be compromised itself to get environment variables set in it, but yes, those are corner cases anyway ;) And in general, you'd expect people to have more serious issues.

The current unstable should have keylogging as an option. If you can test it, that would be great.
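One way to test whether a build honours SSLKEYLOGFILE, as an added example that is not part of the thread: start the browser with the variable set, load an HTTPS page, then run a check like this over the file. It assumes the NSS key log text format (label, then two hex fields) and POSIX file modes; the function names and the sample lines are constructed for illustration.

```python
import re
import stat
# Every field after the label is a hex string.
_HEX = re.compile(r"^[0-9a-fA-F]+$")

def check_keylog(text):
    """Return (counts_by_label, malformed_line_numbers) for key log text."""
    counts, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment header or blank line
        parts = line.split(" ")
        ok = len(parts) == 3 and all(_HEX.match(p) for p in parts[1:])
        if ok and parts[0] == "CLIENT_RANDOM":  # 32-byte random, 48-byte master secret
            ok = len(parts[1]) == 64 and len(parts[2]) == 96
        elif ok and parts[0] == "RSA":  # 8 bytes of encrypted premaster, 48-byte premaster
            ok = len(parts[1]) == 16 and len(parts[2]) == 96
        elif ok:  # other labels (TLS 1.3 secrets): 32-byte random, whole-byte secret
            ok = len(parts[1]) == 64 and len(parts[2]) % 2 == 0
        if ok:
            counts[parts[0]] = counts.get(parts[0], 0) + 1
        else:
            bad.append(n)
    return counts, bad

def readable_by_others(mode):
    """True if the file mode lets group or other users read the secrets."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample: not real session secrets.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "34" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "34" * 10,  # truncated secret
    "RSA " + "ef" * 8 + " " + "01" * 48,
])

if __name__ == "__main__":
    import os, sys
    path = os.environ.get("SSLKEYLOGFILE")
    if not path or not os.path.exists(path):
        sys.exit("SSLKEYLOGFILE unset or file missing: nothing was logged")
    with open(path) as fh:
        counts, bad = check_keylog(fh.read())
    print(counts, "malformed lines:", bad)
    if readable_by_others(os.stat(path).st_mode):
        print("warning: key log is readable by other users")
```

An empty or missing file after a completed HTTPS page load means the build ignored the variable; the permission check matters because anyone who can read the file can decrypt the captured sessions.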
