The person requesting this change controls neither the server nor the client. They control the intermediate network. If they could log the ephemeral keys, it would solve the solution, but only the server and client hold those.
As I understand it, if you don't have the server's private key it makes no difference whether a connection uses FS. FS merely means compromise of long-term keys does not compromise past session keys.
Surely for the presence of FS to be relevant, they must already have the server's private key, implying they do have control of the server?