On Wed, Jun 16, 1999 at 08:47:39AM +0200, Martin Hallerdal wrote:

> So according to you, knowing just the secret key of the server wouldn't be
> sufficient to decrypt the data without using brute force?

I did not say that, because I was assuming that the server's secret
key would not be known to the sniffer.  However it is true anyway if
cryptographically sound SSL/TLS cipher suites are used, namely the EDH
ones (which are not supported by the most popular browsers, though).
If your goal is to see exactly what data the client and server
exchange over the encrypted channel, then the solution is to either
include such logging facilities in the server software, or have the
client communicate with an appropriate SSL tunneling program (rather
than directly with the server) which can log the cleartext data
and re-encrypt everything to the server.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
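
The distinction drawn in the message above, shown as an added example that is not part of the original message or of OpenSSL: with RSA key transport the server's private key decrypts the recorded premaster secret, while with EDH that key only signs the server's ephemeral share. All parameters are constructed toy values, the RSA is unpadded textbook RSA, and the function names are hypothetical.

```python
import secrets

# Constructed toy parameters (Mersenne primes); far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                                  # server's long-term RSA modulus
D = pow(E, -1, (P - 1) * (Q - 1))          # server's RSA private exponent
DH_P, DH_G = 2**89 - 1, 3                  # toy DH group, chosen so DH_P < N

def rsa_key_transport():
    """Client encrypts the premaster secret to the server's long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"enc_premaster": pow(premaster, E, N)}   # what a sniffer records
    return premaster, wire

def edh_exchange():
    """Both sides use throwaway exponents; RSA only signs the server share."""
    a = secrets.randbelow(DH_P - 3) + 2    # server ephemeral, discarded after use
    b = secrets.randbelow(DH_P - 3) + 2    # client ephemeral, discarded after use
    share_a, share_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(share_b, a, DH_P)
    assert shared == pow(share_a, b, DH_P)  # client derives the same secret
    wire = {"server_share": share_a,
            "sig": pow(share_a, D, N),      # toy signature over the share
            "client_share": share_b}
    return shared, wire

def decrypt_with_server_key(wire):
    """What a recorded handshake yields once the RSA private key D is known."""
    if "enc_premaster" in wire:
        return pow(wire["enc_premaster"], D, N)
    # EDH: the long-term key appears only in the signature, which can be
    # verified (here with the public exponent) but hides no session secret.
    assert pow(wire["sig"], E, N) == wire["server_share"]
    return None

if __name__ == "__main__":
    pm, rsa_wire = rsa_key_transport()
    print("RSA transport recovered:", decrypt_with_server_key(rsa_wire) == pm)
    _, edh_wire = edh_exchange()
    print("EDH recovered:", decrypt_with_server_key(edh_wire))
```

In the EDH case the only route left from the recorded shares to the session secret is solving the discrete logarithm, which real group sizes are chosen to make infeasible.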
