imho - it is a bad idea to store a session encryption key. I think the whole idea behind dynamic keys is that they are not stored. PKI is used to negotiate a key.
If the session keys are static then, again imho, time would be better spent on code to establish dynamic session keys - that can be reestablished (i.e., new encryption keys) if the session is lost/interrupted.

On Fri, Dec 6, 2013 at 11:19 AM, Sebastian Biedermann <[email protected]> wrote:

> Dear developers,
>
> I work on a research project about SSL security.
> Currently, I'm trying to identify and write the negotiated
> symmetric AES key of a session to a file just by modifying the
> apache2-2.4.6 source code. Until now, I was not able to identify
> and locate the variable which temporarily stores this key.
>
> In apache2-2.4.6/modules/ssl/*mod_ssl.c*
> a new ssl connection is initiated in
> int *ssl_init_ssl_connection*(conn_rec *c, request_rec *r)
> and there are several structs, I guess one of them stores the key:
>
> SSLSrvConfigRec *sc;
> SSLConnRec *sslconn;
> modssl_ctx_t *mctx;
> server_rec *server;
>
> Unfortunately, there is very little information about this on the Internet
> and I don't really know where to start.
> Can anyone give me a hint or tell me which variable stores the AES key?
>
> Thank you!
>
> --
> Sebastian
