extracting master-key for wireshark using JsseProvider


Elhanan Maayan

Aug 26, 2022, 9:00:01 AM
to grpc.io
Hi,
If I understand correctly, if I wish to extract the master key for Wireshark sniffing,
I need to use this:
GrpcSslContexts.configure(sslContextBuilder, Security.getProvider("SunJSSE"));

Are there any major differences between using the default provider vs. using SunJSSE?
Performance? Security?
Is there a way to configure the provider externally via a system property?

Eric Anderson

Aug 29, 2022, 12:39:42 PM
to Elhanan Maayan, grpc.io
On Fri, Aug 26, 2022 at 6:00 AM Elhanan Maayan <elh.m...@gmail.com> wrote:
> If I understand correctly, if I wish to extract the master key for Wireshark sniffing,
> I need to use this:
> GrpcSslContexts.configure(sslContextBuilder, Security.getProvider("SunJSSE"));

FYI, there was a PR to support master key logging for other providers, but it was reverted.

> Are there any major differences between using the default provider vs. using SunJSSE?
> Performance? Security?
> Is there a way to configure the provider externally via a system property?

The default provider isn't a java.security.Provider. The default is an SslProvider enum value (a configure() overload) of OPENSSL. It uses netty-tcnative, which can use OpenSSL, BoringSSL, and LibreSSL. The build we recommend is BoringSSL-based (and this is included in grpc-netty-shaded). So the implementation is quite different. However, for users on Java 11+, using SunJSSE should be fine. SunJSSE was unusable in Java 7 and had poor AES-GCM performance in Java 8. I suspect Java 11 performance is close enough that many users wouldn't notice a difference.

You can use `-Dio.netty.transport.noNative=true` or `-Dio.grpc.netty.shaded.io.netty.transport.noNative=true` to disable loading tcnative, depending on whether you are using grpc-netty or grpc-netty-shaded, respectively.

Eric Anderson

Aug 29, 2022, 1:35:44 PM
to Elhanan Maayan, grpc.io
On Mon, Aug 29, 2022 at 9:39 AM Eric Anderson <ej...@google.com> wrote:
> You can use `-Dio.netty.transport.noNative=true` or `-Dio.grpc.netty.shaded.io.netty.transport.noNative=true` to disable loading tcnative, depending on whether you are using grpc-netty or grpc-netty-shaded, respectively.

Oops. That's for Epoll/Kqueue transports. For tcnative you need `-Dio.netty.handler.ssl.noOpenSsl=true` or `-Dio.grpc.netty.shaded.io.netty.handler.ssl.noOpenSsl=true`.
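Putting the two pieces of advice above together, here is an added example (not code from the thread or from grpc-java itself) of a client that is pinned to the JDK's SunJSSE provider the way the original question describes, with a check that the resulting context really is JDK-backed rather than tcnative-backed. The class name, the `caCert` path argument and the host/port are hypothetical; how the master secrets are then written out for Wireshark is not covered here because the thread does not describe that step.

```java
import io.grpc.ManagedChannel;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import java.io.File;
import java.security.Provider;
import java.security.Security;

// Hypothetical helper class; assumes the non-shaded grpc-netty artifact.
// For grpc-netty-shaded the netty imports move under io.grpc.netty.shaded.* and the
// system property from the thread becomes io.grpc.netty.shaded.io.netty.handler.ssl.noOpenSsl.
public final class JsseChannelFactory {

  // Build a client SslContext explicitly on SunJSSE, as in the question, instead of the
  // default OPENSSL SslProvider backed by netty-tcnative.
  static SslContext jsseClientContext(File caCert) throws Exception {
    Provider sunJsse = Security.getProvider("SunJSSE");
    if (sunJsse == null) {
      throw new IllegalStateException("SunJSSE provider is not registered in this JVM");
    }
    SslContextBuilder builder = GrpcSslContexts.forClient().trustManager(caCert);
    return GrpcSslContexts.configure(builder, sunJsse).build();
  }

  // Same, but relying only on the system property from the thread
  // (-Dio.netty.handler.ssl.noOpenSsl=true): no provider is named in code, so the
  // default configure() overload falls back to the JDK provider once tcnative is disabled.
  static SslContext defaultProviderContext(File caCert) throws Exception {
    SslContextBuilder builder = GrpcSslContexts.forClient().trustManager(caCert);
    return GrpcSslContexts.configure(builder).build();
  }

  static ManagedChannel newChannel(String host, int port, SslContext ctx) {
    // Sanity check: a JDK-backed context is a JdkSslContext. If this fails, tcnative
    // was still picked up (e.g. the wrong noOpenSsl property for your artifact).
    if (!(ctx instanceof JdkSslContext)) {
      throw new IllegalStateException("expected a JDK SslContext, got " + ctx.getClass());
    }
    return NettyChannelBuilder.forAddress(host, port).sslContext(ctx).build();
  }

  public static void main(String[] args) throws Exception {
    File caCert = new File(args.length > 0 ? args[0] : "ca.pem"); // hypothetical path
    // false when tcnative is not loadable, e.g. with -Dio.netty.handler.ssl.noOpenSsl=true
    System.out.println("tcnative/OpenSSL available: " + OpenSsl.isAvailable());

    ManagedChannel pinned = newChannel("localhost", 8443, jsseClientContext(caCert));
    System.out.println("explicit SunJSSE channel: " + pinned.authority());
    pinned.shutdownNow();

    // Only succeeds when tcnative has been disabled externally via the system property.
    ManagedChannel viaProperty = newChannel("localhost", 8443, defaultProviderContext(caCert));
    System.out.println("default-provider channel (JDK after noOpenSsl): " + viaProperty.authority());
    viaProperty.shutdownNow();
  }
}
```

Run it once normally and once with `-Dio.netty.handler.ssl.noOpenSsl=true`: the first call always yields a JdkSslContext because the provider is named in code, while the second only does so when the property has kept tcnative from loading, which is the externally configurable route asked about in the question.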