1 change: 1 addition & 0 deletions sqlx-core/src/net/tls/mod.rs
Expand Up @@ -60,6 +60,7 @@ impl std::fmt::Display for CertificateInput {
pub struct TlsConfig<'a> {
pub accept_invalid_certs: bool,
pub accept_invalid_hostnames: bool,
pub enable_keylog: bool,
pub hostname: &'a str,
pub root_cert_path: Option<&'a CertificateInput>,
pub client_cert_path: Option<&'a CertificateInput>,
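Review bot: The new `enable_keylog` field on the public `TlsConfig` struct has no doc comment, even though it is the switch that makes the rustls backend write TLS session secrets to disk, so a reader of the struct gets no hint of what it turns on. Suggest `/// When set, the rustls backend exports TLS session secrets to the file named by the SSLKEYLOGFILE environment variable (a no-op when that variable is unset).` The option docs in this PR say it only works with rustls, but the non-rustls backend is not visible here, so whether other backends ignore or reject the flag should be confirmed before documenting it. The `TlsConfig` definition continues past the end of this section.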
7 changes: 5 additions & 2 deletions sqlx-core/src/net/tls/tls_rustls.rs
Expand Up @@ -13,7 +13,7 @@ use rustls::{
pem::{self, PemObject},
CertificateDer, PrivateKeyDer, ServerName, UnixTime,
},
CertificateError, ClientConfig, ClientConnection, Error as TlsError, RootCertStore,
CertificateError, ClientConfig, ClientConnection, Error as TlsError, KeyLogFile, RootCertStore,
};

use crate::error::Error;
Expand Down Expand Up @@ -123,7 +123,7 @@ where
}
};

let config = if tls_config.accept_invalid_certs {
let mut config = if tls_config.accept_invalid_certs {
if let Some(user_auth) = user_auth {
config
.dangerous()
Expand Down Expand Up @@ -179,6 +179,9 @@ where
.with_no_client_auth()
}
};
if tls_config.enable_keylog {
config.key_log = Arc::new(KeyLogFile::new());
}

let host = ServerName::try_from(tls_config.hostname.to_owned()).map_err(Error::tls)?;

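Review bot: Enabling key logging at `config.key_log = Arc::new(KeyLogFile::new());` leaves no trace in sqlx's own diagnostics: `KeyLogFile::new()` does nothing when `SSLKEYLOGFILE` is unset, and when it is set every handshake's secrets are appended to that file with nothing in the connection's logs saying so. Consider a log line inside the `if tls_config.enable_keylog` branch, e.g. `log::warn!("TLS key logging enabled; session secrets will be written to the file named by SSLKEYLOGFILE");`, using whichever logging facade this file already has in scope (not visible in the hunk). `Arc` does not appear among the rustls imports changed in the first hunk, so it presumably comes from an existing `use std::sync::Arc;` elsewhere in the file; worth a quick check that it is in scope. The enclosing function starts before and ends after this hunk.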
1 change: 1 addition & 0 deletions sqlx-mysql/src/connection/tls.rs
Expand Up @@ -63,6 +63,7 @@ pub(super) async fn maybe_upgrade<S: Socket>(
root_cert_path: options.ssl_ca.as_ref(),
client_cert_path: options.ssl_client_cert.as_ref(),
client_key_path: options.ssl_client_key.as_ref(),
enable_keylog: options.ssl_enable_keylog,
};

// Request TLS upgrade
10 changes: 10 additions & 0 deletions sqlx-mysql/src/options/mod.rs
Expand Up @@ -71,6 +71,7 @@ pub struct MySqlConnectOptions {
pub(crate) ssl_ca: Option<CertificateInput>,
pub(crate) ssl_client_cert: Option<CertificateInput>,
pub(crate) ssl_client_key: Option<CertificateInput>,
pub(crate) ssl_enable_keylog: bool,
pub(crate) statement_cache_capacity: usize,
pub(crate) charset: String,
pub(crate) collation: Option<String>,
Expand Down Expand Up @@ -104,6 +105,7 @@ impl MySqlConnectOptions {
ssl_ca: None,
ssl_client_cert: None,
ssl_client_key: None,
ssl_enable_keylog: false,
statement_cache_capacity: 100,
log_settings: Default::default(),
pipes_as_concat: true,
Expand Down Expand Up @@ -176,6 +178,14 @@ impl MySqlConnectOptions {
self
}

/// Enables the use of the `SSLKEYLOGFILE`` environment variable to export SSL session keys.
///
/// Only works with the `rustls` SSL backend
pub fn ssl_enable_keylog(mut self, enable: bool) -> Self {
self.ssl_enable_keylog = enable;
self
}

/// Sets the name of a file containing a list of trusted SSL Certificate Authorities.
///
/// # Example
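Review bot: The doc comment on `ssl_enable_keylog` has a doubled closing backtick after SSLKEYLOGFILE, which rustdoc renders as a broken code span; drop the extra backtick so the variable name is a single inline-code span. The same typo is in the Postgres copy of this method in sqlx-postgres/src/options/mod.rs. Because the option writes TLS session secrets to disk, the doc should also state the consequence and the no-op case, e.g. `/// Anyone with the key log file and a capture of the connection can decrypt it; intended for debugging only. Has no effect when SSLKEYLOGFILE is unset.` It is not visible here whether the connection-string parser also accepts this option; if it is deliberately settable only through this builder method, saying so in the doc would help reviewers of configuration surfaces.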
1 change: 1 addition & 0 deletions sqlx-postgres/src/connection/tls.rs
Expand Up @@ -58,6 +58,7 @@ async fn maybe_upgrade<S: Socket>(
root_cert_path: options.ssl_root_cert.as_ref(),
client_cert_path: options.ssl_client_cert.as_ref(),
client_key_path: options.ssl_client_key.as_ref(),
enable_keylog: options.ssl_enable_keylog,
};

tls::handshake(socket, config, SocketIntoBox).await
10 changes: 10 additions & 0 deletions sqlx-postgres/src/options/mod.rs
Expand Up @@ -25,6 +25,7 @@ pub struct PgConnectOptions {
pub(crate) ssl_root_cert: Option<CertificateInput>,
pub(crate) ssl_client_cert: Option<CertificateInput>,
pub(crate) ssl_client_key: Option<CertificateInput>,
pub(crate) ssl_enable_keylog: bool,
pub(crate) statement_cache_capacity: usize,
pub(crate) application_name: Option<String>,
pub(crate) log_settings: LogSettings,
Expand Down Expand Up @@ -92,6 +93,7 @@ impl PgConnectOptions {
.ok()
.and_then(|v| v.parse().ok())
.unwrap_or_default(),
ssl_enable_keylog: false,
statement_cache_capacity: 100,
application_name: var("PGAPPNAME").ok(),
extra_float_digits: Some("2".into()),
Expand Down Expand Up @@ -225,6 +227,14 @@ impl PgConnectOptions {
self
}

/// Enables the use of the `SSLKEYLOGFILE`` environment variable to export SSL session keys.
///
/// Only works with the `rustls` SSL backend
pub fn ssl_enable_keylog(mut self, enable: bool) -> Self {
self.ssl_enable_keylog = enable;
self
}

/// Sets the name of a file containing SSL certificate authority (CA) certificate(s).
/// If the file exists, the server's certificate will be verified to be signed by
/// one of these authorities.