Latest Unstable doesn't enable SSL debugging

Support and discussions for the x86/x64 Linux version of Pale Moon.


Postby cyisfor » Sat Aug 05, 2017 9:25 pm

Normal builds of Pale Moon (and Firefox) block third-party programs from analyzing SSL traffic, and there's no way to disable that even on a temporary basis. But I thought there was at least one version available that didn't do that. I tried the latest unstable version, but setting SSLKEYLOGFILE didn't do anything.

This is kind of important if I'm going to "report bugs" on the "development version." The browser itself offers almost no information about SSL negotiation, with no way to even view the client keys and randomness, or what ciphers the browser attempts to negotiate. All I can get is "The server rejected the handshake because the client downgraded to a lower TLS version than the server supports," with no information on what TLS version my client supposedly downgraded to. (Ostensibly the reason is to protect our security, and only coincidentally reserves the power of public key encryption only to big corporations.) A program like Wireshark can find out that stuff, but it's not part of "the kitchen sink," so without SSLKEYLOGFILE I'm pretty much blocked from using it.

Am I just doing it wrong? I'm pretty sure I spelled the environment variable correctly...


Re: Latest Unstable doesn't enable SSL debugging

Postby GMforker » Sun Aug 06, 2017 3:23 am



Re: Latest Unstable doesn't enable SSL debugging

Postby Moonchild » Sun Aug 06, 2017 9:32 am

Because of an NSS update, it's disabled by default on all builds (since they are all built non-debug).

There's the risk of remote exploits on one side, and the (small handful of) people needing this debugging info on the other. It doesn't look like this support can be flipped at run-time because NSS is a stand-alone module. So, this has to be decided at build-time.

See also: viewtopic.php?f=57&t=15080&p=108948&hilit=SSLKEYLOGFILE#p108942

EDIT: I'll just enable it on all builds; it's still an opt-in feature needing an env var anyway, so risk is relatively low.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.


Re: Latest Unstable doesn't enable SSL debugging

Postby cyisfor » Sun Aug 06, 2017 10:58 pm

Moonchild wrote: EDIT: I'll just enable it on all builds; it's still an opt-in feature needing an env var anyway, so risk is relatively low.
Oh, really? Thank you! Personally I think it doesn't decrease security at all, because if someone can break into your account, they can change your config files to launch their corrupted version of the browser anyway. Not really something applications can be expected to police.


Re: Latest Unstable doesn't enable SSL debugging

Postby Moonchild » Mon Aug 07, 2017 12:44 am

Like I said, risk is relatively low. There are a few scenarios where a system doesn't have to be compromised itself to get environment variables set in it, but yes, those are corner cases anyway ;) And in general, you'd expect people to have more serious issues.

The current unstable should have keylogging as an option. If you can test it, that would be great.
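One way to run the test requested in the last post, as an added example that is not part of the original thread or of Pale Moon's code: after starting the browser with SSLKEYLOGFILE pointing at a writable path and loading an HTTPS page, check that the file holds well-formed NSS key log lines that Wireshark can use. The label set and field lengths follow the NSS key log format and are not stated in the thread; `check_keylog` and the sample text are constructed for this example.

```python
import re

# Shapes of lines in the NSS key log format (the file SSLKEYLOGFILE names):
# label -> (hex length of identifier field, allowed hex lengths of secret field)
HEX = re.compile(r"[0-9a-fA-F]+")
TLS13 = ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
SHAPES = {"RSA": (16, {96}), "CLIENT_RANDOM": (64, {96})}
SHAPES.update({label: (64, {64, 96}) for label in TLS13})


def check_keylog(text):
    """Return (count per label, [(line number, problem)]) without echoing secrets."""
    counts, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split(" ")
        if len(parts) != 3 or parts[0] not in SHAPES:
            problems.append((n, "unrecognised line"))
            continue
        label, ident, secret = parts
        id_len, secret_lens = SHAPES[label]
        if not (HEX.fullmatch(ident) and len(ident) == id_len):
            problems.append((n, "bad identifier field"))
        elif not (HEX.fullmatch(secret) and len(secret) in secret_lens):
            problems.append((n, "bad secret field"))
        else:
            counts[label] = counts.get(label, 0) + 1
    return counts, problems


# Constructed sample with fake values, not secrets from a real session.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,  # truncated secret
    "client_random " + "ab" * 32 + " " + "cd" * 48,  # label not in the known set
])

if __name__ == "__main__":
    counts, problems = check_keylog(SAMPLE)
    print(counts, problems)
```

An empty or missing file after a TLS connection means the build ignored the variable or it never reached the browser process. The file contains session secrets, so keep it readable only by the testing user and delete it when the capture has been analysed.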

