If anyone else is running into this, I copied some code from here and it works fine in the limited testing I've done. Diff from tags/v2.3.0 (GPL warning)
diff --git a/src/rdkafka_ssl.c b/src/rdkafka_ssl.c
index 85f745cb..a08721f4 100644
--- a/src/rdkafka_ssl.c
+++ b/src/rdkafka_ssl.c
@@ -497,6 +497,35 @@ fail:
return -1;
}
+#define FIRSTLINE "# SSL key logfile generated by sslkeylog.c\n"
+#define FIRSTLINE_LEN (sizeof(FIRSTLINE) - 1)
+
+static int keylog_file_fd = -1;
+
+static void init_keylog_file(void)
+{
+ if (keylog_file_fd >= 0)
+ return;
+
+ const char *filename = getenv("SSLKEYLOGFILE");
+ if (filename) {
+ keylog_file_fd = open(filename, O_WRONLY | O_APPEND | O_CREAT, 0644);
+ if (keylog_file_fd >= 0 && lseek(keylog_file_fd, 0, SEEK_END) == 0) {
+ /* file is opened successfully and there is no data (pos == 0) */
+ write(keylog_file_fd, FIRSTLINE, FIRSTLINE_LEN);
+ }
+ }
+}
+
+/* Key extraction via the new OpenSSL 1.1.1 API. */
+static void keylog_callback(const SSL *ssl, const char *line)
+{
+ init_keylog_file();
+ if (keylog_file_fd >= 0) {
+ write(keylog_file_fd, line, strlen(line));
+ write(keylog_file_fd, "\n", 1);
+ }
+}
/**
* @brief Set up SSL for a newly connected connection
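Review bot: The key log is created with mode `0644` in `init_keylog_file`, so every TLS session secret written to it is world-readable; `keylog_file_fd = open(filename, O_WRONLY | O_APPEND | O_CREAT, 0600);` keeps the file owner-only, which is what its contents warrant. The three `write()` calls discard their return values, and in `keylog_callback` the line and its `"\n"` go out as two separate writes, so a short or failed write is never noticed and two threads writing concurrently can interleave one secret with another's newline — format the line and newline into one buffer and issue a single checked write. `init_keylog_file` also has a check-then-open race on the static `keylog_file_fd`: librdkafka's broker threads can each reach this callback, so two first-time callers can both see `-1` and each open the file, leaking a descriptor; opening once at context setup instead of lazily from the callback removes that. I cannot see whether this file already includes `<fcntl.h>` and `<unistd.h>` for `open`/`lseek`/`write`, so check that as well. The `ssl` parameter is unused, which warrants a `(void)ssl;` under `-Wextra`.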
@@ -513,6 +542,8 @@ int rd_kafka_transport_ssl_connect(rd_kafka_broker_t *rkb,
if (!rktrans->rktrans_ssl)
goto fail;
+ SSL_CTX_set_keylog_callback(rkb->rkb_rk->rk_conf.ssl.ctx, keylog_callback);
+
if (!SSL_set_fd(rktrans->rktrans_ssl, (int)rktrans->rktrans_s))
goto fail; |
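Review bot: `SSL_CTX_set_keylog_callback` is applied to the shared `rk_conf.ssl.ctx` from the per-connection path, so it is re-registered on every broker connect and unconditionally, whether or not `SSLKEYLOGFILE` is set. Register it once where the context is created, and only when `getenv("SSLKEYLOGFILE")` returns non-NULL, so the callback does not run on every handshake in the common case where no key log was requested. The comment on the callback in the earlier hunk says this is the OpenSSL 1.1.1 API, so if the build still supports older OpenSSL the call and the helper definitions need an `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` guard. For a library, exposing this as a librdkafka configuration property rather than a bare environment lookup would keep secret logging an explicit per-client choice. `rd_kafka_transport_ssl_connect` starts and ends outside this hunk.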
Hello, we are trying to debug our TLS setup for client auth (through the confluent-kafka Python package) and found that the SSLKEYLOGFILE environment variable is not being used. This feature would greatly help us :)