On Wed, Oct 10, 2001 at 01:29:54PM -0400, Olga Kornievskaia wrote: [...] > USENIX web site: http://www.usenix.org/events/sec01). We modified the > OpenSSL handshake code to get a transcript of an SSL handshake (no > protocol modification were done) the reasons are stated in the paper. > Modifications to the library are minimal (under 200 lines of code) and > include a new data structure and calls to a function that saves the > incoming and outgoing handshake messages. Files that are affected are: > s23_srvr.c, s3_pkt.c, s3_srvr.c, ssl.h. You can look at the patch > http://www.citi.umich.edu/u/aglo/code/openssl/patch-0.9.6a > What I would like to know if it would be possible to incorporate these > changes and make them a part of the default distribution.
I don't think the patch should go into the OpenSSL distribution like that: It is quite specific to that application; also it does not add a proper API, instead applications have to access the data structure directly. Your paper shows that there can be a need for applications to observe handshake details. This could be done at BIO level as proposed by Douglas, but then the application would have to parse the data streams into records and reconstruct handshake messages from this. Also this would not work very well in the case of renegotiation (the application is interested in handshake message *cleartext*, but renegotiation takes place in encrypted form). Thus, it makes sense to modify the SSL library to make things easier. I contemplate adding to OpenSSL (0.9.7 -- 0.9.6c is for bugfixes only) a new callback hook that can be used for handling this. The application-defined callback would be called for every message received or sent. Then the application itself can store the message content if needed. (While the callback would not be called for application data, I see no reason to limit it to handshake messages. Alerts might also be of interest to applications.) This should be easy to do; the main difficulty is to devise an API that can be kept as consistent as possible across protocol versions. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
