Arm Mbed and Pelion Device Management support forum

Can mbedTLS generate a session key log file?

I am using mbedTLS in the Windows environment for a very simple program. This program reads some data then performs an HTTPS POST with the data in JSON format. However, for some reason, the remote server keeps rejecting the JSON data as if the format is wrong. I would like to know if there is a way for mbedTLS to keep a record of session keys so that I can decode packets captured in Wireshark. This is very much like the use of the SSLKEYLOGFILE environment variable for recording Chrome or Firefox’s session keys.

Hi @acpie360
There isn’t such a way; however, you can enable debug logs to get the session key. You could also consider using the `MBEDTLS_SSL_EXPORT_KEYS` feature to get the master secret and/or the keyblock.
Mbed TLS Support

Hi, Ron,
For this export key API call:

```c
/**
 * \brief           Configure key export callback.
 *                  (Default: none.)
 *
 * \note            See \c mbedtls_ssl_export_keys_t.
 *
 * \param conf          SSL configuration context
 * \param f_export_keys Callback for exporting keys
 * \param p_export_keys Context for the callback
 */
void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
                                      mbedtls_ssl_export_keys_t *f_export_keys,
                                      void *p_export_keys )
{
    conf->f_export_keys = f_export_keys;
    conf->p_export_keys = p_export_keys;
}
```

Can you tell me what the third input parameter p_export_keys is for? Do you have an example on how to use this API? Thanks.

Hi @acpie360
The p_export_keys is an opaque structure to hold the context for your callback.
For example, the ssl_client2 application shows an example of how to derive EAP-TLS keys, using the extended export keys callback. Although this is the extended export functionality, the basic idea is the same: have a structure that will hold all the information you need. In your case, store in your structure the master secret, so you could derive the session key.
More information can be found here.
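The context-pointer pattern from this thread, applied to the original question, as an added example (not code from the posts above or from Mbed TLS): the callback casts its opaque context back to an application struct and formats the master secret as a `CLIENT_RANDOM` line in the NSS key log format that Wireshark reads. The names `keylog_ctx` and `keylog_export` are hypothetical, and it is an assumption that the client random is available to the callback alongside the master secret (for instance through the extended callback mentioned above).

```c
#include <stdio.h>
#include <string.h>

#define RANDOM_LEN 32   /* TLS client random */
#define MASTER_LEN 48   /* TLS 1.2 master secret */

/* Hypothetical application context: its address is what gets registered
 * as p_export_keys and handed back to the callback as a void pointer. */
typedef struct {
    char line[14 + 2 * RANDOM_LEN + 1 + 2 * MASTER_LEN + 2]; /* label, hex, ' ', hex, '\n', NUL */
    int ready;
} keylog_ctx;

static char *put_hex(char *dst, const unsigned char *src, size_t n)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        *dst++ = digits[src[i] >> 4];
        *dst++ = digits[src[i] & 0x0f];
    }
    return dst;
}

/* Hypothetical callback body: the registered callback forwards its context
 * pointer, the master secret and the client random to this function. */
int keylog_export(void *p_expkey, const unsigned char *ms,
                  const unsigned char *client_random)
{
    keylog_ctx *ctx = p_expkey;
    char *p;
    if (ctx == NULL || ms == NULL || client_random == NULL)
        return -1;
    memcpy(ctx->line, "CLIENT_RANDOM ", 14);
    p = put_hex(ctx->line + 14, client_random, RANDOM_LEN);
    *p++ = ' ';
    p = put_hex(p, ms, MASTER_LEN);
    *p++ = '\n'; *p = '\0';
    ctx->ready = 1;
    return 0;
}

int main(void)
{
    unsigned char cr[RANDOM_LEN] = {0}, ms[MASTER_LEN] = {0}; /* constructed sample values */
    keylog_ctx ctx = {{0}, 0};
    if (keylog_export(&ctx, ms, cr) == 0)
        fputs(ctx.line, stdout);   /* a real client would append this to its key log file */
    return 0;
}
```

Wireshark picks the file up through its TLS "(Pre)-Master-Secret log filename" preference, the same setting used for an SSLKEYLOGFILE produced by a browser.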