
Latest Unstable doesn't enable SSL debugging

Posted: 2017-08-05, 21:25
by cyisfor
Normal builds of Pale Moon (and Firefox) block 3rd party programs from analyzing SSL traffic, and there's no way to disable that even on a temporary basis. But I thought there was at least one version available that didn't do that. I tried the latest unstable version, but setting SSLKEYLOGFILE didn't do anything.

This is kind of important if I'm going to "report bugs" on the "development version." The browser itself offers almost no information about SSL negotiation, with no way to even view the client keys and randomness, or what ciphers the browser attempts to negotiate. All I can get is "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports," with no information on what TLS version my client supposedly downgraded to. (Ostensibly the reason is to protect our security, and only coincidentally reserves the power of public key encryption only to big corporations.) A program like Wireshark can find out that stuff, but it's not part of "the kitchen sink," so without SSLKEYLOGFILE I'm pretty much blocked from using it.

Am I just doing it wrong? I'm pretty sure I spelled the environment variable correctly...

Re: Latest Unstable doesn't enable SSL debugging

Posted: 2017-08-06, 03:23
by GMforker

Re: Latest Unstable doesn't enable SSL debugging

Posted: 2017-08-06, 09:32
by Moonchild
Because of an NSS update, it's disabled by default on all builds (since they are all built non-debug).

There's the risk of remote exploits on one side, and the (small handful of) people needing this debugging info on the other. It doesn't look like this support can be flipped at run-time because NSS is a stand-alone module. So, this has to be decided at build-time.

See also: viewtopic.php?f=57&t=15080&p=108948&hil ... LE#p108942

EDIT: I'll just enable it on all builds; it's still an opt-in feature needing an env var anyway, so risk is relatively low.

Re: Latest Unstable doesn't enable SSL debugging

Posted: 2017-08-06, 22:58
by cyisfor
Moonchild wrote: EDIT: I'll just enable it on all builds; it's still an opt-in feature needing an env var anyway, so risk is relatively low.
Oh, really? Thank you! Personally I think it doesn't decrease security at all, because if someone can break into your account, they can change your config files to launch their corrupted version of the browser anyway. Not really something applications can be expected to police.

Re: Latest Unstable doesn't enable SSL debugging

Posted: 2017-08-07, 00:44
by Moonchild
Like I said, risk is relatively low. There are a few scenarios where a system doesn't have to be compromised itself to get environment variables set in it, but yes, those are corner cases anyway ;) And in general, you'd expect people to have more serious issues.

The current unstable should have keylogging as an option. If you can test it, that would be great.
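
One way to check the result when testing a build, as an added example that is not from this thread or from the Pale Moon or NSS code: a small Python validator for the NSS key log format that SSLKEYLOGFILE produces, reporting which labels were written without printing any secrets. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

HEX = re.compile(r"[0-9a-fA-F]+")
# TLS 1.3 labels of the NSS key log format; CLIENT_RANDOM and RSA are TLS 1.2 and older.
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}

def parse_keylog(text):
    """Return (entries, errors); entries are (label, context_hex, secret_hex)."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        parts = line.split(" ")
        if len(parts) != 3 or not all(HEX.fullmatch(p) for p in parts[1:]):
            errors.append((n, "malformed line"))
            continue
        label, ctx, secret = parts
        if label == "CLIENT_RANDOM":              # 32-byte random, 48-byte master secret
            ok = len(ctx) == 64 and len(secret) == 96
        elif label == "RSA":                      # 8 bytes of encrypted pre-master, 48-byte pre-master
            ok = len(ctx) == 16 and len(secret) == 96
        elif label in TLS13:                      # 32-byte random, SHA-256 or SHA-384 sized secret
            ok = len(ctx) == 64 and len(secret) in (64, 96)
        else:
            errors.append((n, "unknown label"))
            continue
        if ok:
            entries.append((label, ctx.lower(), secret.lower()))
        else:
            errors.append((n, "bad field length"))
    return entries, errors

def summarize(text):
    """Counts per label and distinct client randoms; never echoes secret material."""
    entries, errors = parse_keylog(text)
    return {"labels": dict(Counter(e[0] for e in entries)),
            "sessions": len({e[1] for e in entries if e[0] != "RSA"}),
            "errors": errors}

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# constructed key log sample",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "dd" * 20,   # truncated secret
    "BOGUS 00 00",
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty or missing file after a TLS connection means the build is not honouring the variable; a file with valid CLIENT_RANDOM lines is what Wireshark needs to decrypt a capture.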