Bodo wrote:
> I am willing to add such functions (or I wouldn't have proposed to use
> the Finished message in the first place) and don't recall anyone
> stating that it violates the, ahem, design of the library.  This also
> provides an opportunity to clean up the pertinent library internals
> somewhat -- s->s3->tmp.finished_md is currently also abused for client
> certificate verification (this contradicts source code comments
> somewhere else); we could use separate buffers for such verification,
> for the client finished message, and for the server finished message.
> Then it would be easy to add functions
> 
>      size_t SSL_get_client_finished(void *buf, size_t count);
>      size_t SSL_get_server_finished(void *buf, size_t count);
> 
> or something like that (I don't want to hand out pointers to the
> internal buffers because their content may change if renegotiation
> occurs, and application bugs related to this would likely stay
> unnoticed).
> 

Bodo, you are the one exception.  I spoke with numerous implementors
of SSL/TLS libraries at the Washington, DC IETF meeting and was told a
flat 'No'.

If you implement these functions in OpenSSL I will write an I-D for
the combined Telnet START_TLS (AnonDH) - Telnet Auth mechanism for
privacy with mutual authentication using non-TLS ciphers.



    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
                 The Kermit Project * Columbia University
              612 West 115th St #716 * New York, NY * 10025
  http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]