Support dumping of crypto keys to an nss formated key log file

[mstoykov]

NSS key log files are more or less the only correct way that I have found to debug real HTTPS traffic. Given that HTTP2 is requiring TLS for all browsers (atm) I would guess practically 100% of the traffic generated by k6 is HTTPS one.

Golang does support it since 1.8, a thing that I just now realised as I have previously looked at the original issue.

This will require a some way of specifying a file to dump to ... I propose that we add a cli flag and env variable and name it as Firefox this, but with k6 in front - K6_SSLKEYLOGFILE.

Arguably this is more involved than the http-debug but also has the benefits of using wireshark to debug web traffic which IMO is the more powerful option, and I would guess a familiar one for people who have needed it.

This also ... automatically negates any shortcomings of the golang stdlib on reporting what it actually sends (#774 #986 #1042) and just looks at the actual data send through the wire.

[codebien]

As mentioned in a previous PR, it requires to add a new option in RuntimeOptions struct. This allows to skip it from the archive's generation and to not generate unexpected cloud (or from archive) executions.

The option should be a string where the user can pass a path to a writeable file.

ENV	CLI	JSON	Default
K6_SSLKEYLOGFILE	--sslkeylogfile	-	"" (disabled)

[chtnnh]

Hey @codebien ! I would like to take this up, is that possible?

[codebien]

Hey @chtnnh, sure! Let us know if you have any questions.

[chtnnh]

Awesome, thank you! Let me go through the code and your comment earlier and ask you whatever questions I come up with!!

[chtnnh]

Hey @codebien, so I figured out where I need to add the CLI options (Options and RuntimeOptions)

What I'm confused about is where I need to add the functionality to dump the crypto keys and read the environment variable in case the flag is not provided.

Sorry if this is naïve :/

[codebien]

Hi @chtnnh,

What I'm confused about is where I need to add the functionality to dump the crypto keys

This feature requires a set of the KeyLogWriter field in tls.Config struct.
We initialize the tls.Config in js.Runner, here:

k6/js/runner.go

Lines 195 to 203 in a66aa58

	tlsConfig := &tls.Config{
	InsecureSkipVerify: r.Bundle.Options.InsecureSkipTLSVerify.Bool, //nolint:gosec
	CipherSuites: cipherSuites,
	MinVersion: uint16(tlsVersions.Min),
	MaxVersion: uint16(tlsVersions.Max),
	Certificates: certs,
	NameToCertificate: nameToCert,
	Renegotiation: tls.RenegotiateFreelyAsClient,
	}

and read the environment variable in case the flag is not provided.

Here is an example of how to consolidate a runtime option from an env var:

k6/cmd/runtime_options.go

Lines 127 to 131 in a66aa58

	if envVar, ok := environment["K6_SUMMARY_EXPORT"]; ok {
	if !opts.SummaryExport.Valid {
	opts.SummaryExport = null.StringFrom(envVar)
	}
	}