Type: Enhancement
Resolution: Unresolved
Priority: P4
Understanding: Fix Understood
Add support for the standardized NSS Key Log Format[1] for SSL/TLS keys. This format is already supported by Chrome/Chromium, Firefox, libnss, OpenSSL, BoringSSL, s2n, and many others. This file can then be used with Wireshark or other tools to inspect and decrypt the associated SSL/TLS traffic and help with debugging.
Specifically, this change introduces a new Java System Property (javax.debug.net.keylog) which takes a file name as a value and appends the keys to this file. Example:
java -Djavax.debug.net.keylog=tls_keys.log JavaApplication
We use a new Java System Property rather than just extending javax.debug.net because this configuration needs an output file. The purpose is to generate a file in a specified format, so if the output is commingled with other STDERR output (with possible line prefixes), it will be challenging for users to extract it and convert it to the correct format. None of the existing values for javax.debug.net take configuration, and there is no simple way to extend that property's parser to handle configuration values. We chose to append rather than overwrite the file because the format safely handles continually appended data and remains usable by the parser.
Since these are cryptographic keys, if the file is ever lost it cannot be recreated, so we should err on the side of preserving the file. To aid in safely extracting individual runs, we write a comment at the beginning of each run containing the time and PID of the Java process writing the file.
I opened this issue on behalf of Greg Rubin from AWS who is currently working on it.
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
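As an added example (not part of this issue or of the JDK), a Python checker for files in the NSS Key Log Format described above: it separates the per-run comment lines from the key records, groups records by client random, and flags lines that Wireshark would have to skip, which is the kind of check worth running on an appended-to file before it is shared. The run comment text is a constructed placeholder, since the issue does not specify its exact format.

```python
"""Parse and sanity-check an NSS Key Log Format file before feeding it to Wireshark."""
import re
from collections import defaultdict
# Labels handled here and the secret sizes (bytes) each may carry: TLS 1.3 secrets
# match the suite's hash length (32 or 48), a TLS 1.2 master secret is always 48.
LABELS = {
    "CLIENT_RANDOM": {48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX = re.compile(r"^[0-9a-fA-F]+$")
def parse_keylog(text):
    """Return (runs, sessions, problems): run comments, client_random -> {label: secret}, and (line, reason) per unusable line."""
    runs, problems, sessions = [], [], defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):  # per-run comment (time, PID) written at start-up
            runs.append(line[1:].strip())
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 space-separated fields"))
            continue
        label, client_random, secret = parts
        if label not in LABELS:  # legacy "RSA" lines are deliberately not handled
            problems.append((lineno, f"unknown label {label}"))
        elif not HEX.match(client_random) or len(client_random) != 64:
            problems.append((lineno, "client_random must be 32 bytes of hex"))
        elif not HEX.match(secret) or len(secret) // 2 not in LABELS[label]:
            problems.append((lineno, f"bad secret length for {label}"))
        else:
            sessions[client_random][label] = secret.lower()
    return runs, dict(sessions), problems
def decrypts_app_data(session):
    """True if the session's records let Wireshark decrypt its application data."""
    return "CLIENT_RANDOM" in session or \
        {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}.issubset(session)
# Constructed sample: a run comment, a TLS 1.3 session, a TLS 1.2 session and a truncated record.
SAMPLE = "\n".join([
    "# constructed run header: 2021-03-01T00:00:00Z pid=12345",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "11" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "44" * 32,
    "CLIENT_RANDOM " + "bb" * 32 + " " + "cc" * 48,
    "CLIENT_RANDOM " + "dd" * 32 + " " + "ee" * 10,
])
```

Running `parse_keylog(open("tls_keys.log").read())` on a file produced by several appended runs yields one entry in `runs` per process start, so a single run's records can be located between consecutive comments.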
Links to: Review openjdk/jdk/2896