[EMAIL PROTECTED] wrote:
> I have a question: is it possible to go through the ssl handshake process between a client and a server, and after the handshake is complete to stop using ssl and switch to plaintext?
Is this question hypothetical? Or is it "how do I do this with NSS's SSL library?"
There was a time, years ago, before NSS was integrated with NSPR and the SSL library became an NSPR I/O layer, when stopping SSL on a connection after a handshake only required two steps: 1. set the socket's SSL_SECURITY option to 0, disabling further SSL handshakes, and 2. call SSL_ResetHandshake to reset the SSL state machine to a pre-handshake condition.
That might still work. But it surely hasn't been tested in over 5 years. I think we can say that it is not a supported feature of NSS.
Another option might be to pop the SSL I/O layer off of the NSPR socket's I/O layer stack. Normally that happens in the normal course of closing an SSL socket. It might be difficult to close the SSL layer if you pop it off before closing it. But I'm sure it's feasible. It's all a small matter of programming. :)
Of course, doing this violates the SSL/TLS protocol, and leaves your connection with absolutely no ongoing security assurances of any kind. A connection is trivially hijacked once SSL is gone.
Don't even think about doing this in a mozilla extension!
The alternative suggested by others here, of using an SSL ciphersuite that does no encryption, at least gives you ongoing assurances of authenticity and message integrity. It also should work OK in a mozilla extension.
/Nelson

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
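The trade-off in the last two paragraphs of the reply (no assurances of any kind once the SSL layer is gone, versus authenticity and integrity retained with a no-encryption ciphersuite) can be made concrete with a toy record-layer model. The following is an added illustration, not code from the thread or from NSS: the keys, the request bytes and the one-bit modification are constructed here, the "cipher" is a keyed XOR stream built from HMAC-SHA256 blocks so the script runs offline with the standard library only, and the suite labels are descriptive stand-ins, not real NSS ciphersuite constants.

```python
"""Toy TLS-style record layer contrasting three end states of a connection:
a real suite (encrypt + MAC), a NULL-cipher suite (MAC only), and a connection
with the SSL layer removed (plaintext, no MAC). Constructed example; not NSS."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Suite:
    name: str
    encrypts: bool        # confidentiality
    authenticates: bool   # integrity and origin, via a MAC over each record


# Labels are constructed descriptions, not NSS constants.
FULL = Suite("encrypting suite (modelled)", True, True)
NULL_CIPHER = Suite("NULL-cipher suite (MAC only)", False, True)
PLAINTEXT = Suite("SSL layer removed (plaintext)", False, False)

SEQ_LEN = 8
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: concatenated HMAC blocks keyed per record.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(suite: Suite, enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame one payload as a record under the given suite."""
    if not (suite.encrypts or suite.authenticates):
        return payload  # SSL gone: the bytes go out exactly as given
    header = seq.to_bytes(SEQ_LEN, "big")
    body = _xor(payload, _keystream(enc_key, header, len(payload))) if suite.encrypts else payload
    # As in TLS, the MAC covers the sequence number and the (possibly encrypted) body.
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest() if suite.authenticates else b""
    return header + body + tag


def unprotect(suite: Suite, enc_key: bytes, mac_key: bytes,
              expected_seq: int, record: bytes) -> Optional[bytes]:
    """Receiver side: returns the payload, or None if the record is rejected."""
    if not (suite.encrypts or suite.authenticates):
        return record  # nothing to check; whatever arrived is accepted
    header, rest = record[:SEQ_LEN], record[SEQ_LEN:]
    if int.from_bytes(header, "big") != expected_seq:
        return None  # replayed or reordered record
    if suite.authenticates:
        body, tag = rest[:-MAC_LEN], rest[-MAC_LEN:]
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit
    else:
        body = rest
    if suite.encrypts:
        body = _xor(body, _keystream(enc_key, header, len(body)))
    return body


def assess(suite: Suite) -> dict:
    """What a passive observer sees, and whether a one-bit change is caught."""
    enc_key, mac_key = b"constructed enc key", b"constructed mac key"
    payload = b"POST /transfer amount=100 to=alice"  # constructed request
    record = protect(suite, enc_key, mac_key, 1, payload)
    body_start = SEQ_LEN if (suite.encrypts or suite.authenticates) else 0
    pos = body_start + payload.index(b"100")
    # One bit flipped inside the amount field on the wire.
    tampered = record[:pos] + bytes([record[pos] ^ 0x01]) + record[pos + 1:]
    received = unprotect(suite, enc_key, mac_key, 1, tampered)
    return {
        "suite": suite.name,
        "payload_readable_on_wire": payload in record,
        "tamper_detected": received is None,
        "peer_received": received,
    }


def summary() -> dict:
    return {s.name: assess(s) for s in (FULL, NULL_CIPHER, PLAINTEXT)}


if __name__ == "__main__":
    for row in summary().values():
        print(row)
```

With the NULL-cipher suite the request is readable on the wire but the flipped bit fails the MAC and the record is dropped; with the SSL layer removed the same flip is accepted and the peer acts on an altered amount, which is the "trivially hijacked" condition the reply warns about.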
