I should explain further. The client is using openssl, the server is on firmware and cannot use openssl. The server developer has rc4 code and we want to verify the encryption phase after the handshake phase. If I could give him separately (offline) the session secret, he could verify the server rc4 encryption/decryption is correct (again offline).
I find nothing for the session secret key; the closest is the write_mac_secret and read_mac_secret members of s3. That secret should be somewhere I could grab it with Visual C++.
 
-dreamer

Kyle Hamilton <[EMAIL PROTECTED]> wrote:
There's an SSL/TLS sniffer package that, when given the server's
private key, can obtain the master key used for a session and decrypt
the frames. I'm not quite sure what you mean by 'for development
reasons'.

It would (I'm not looking at the source here) probably be available
from one of the SSL_SESSION_get_ex_data indices.

Remember that the session master key is usually 24 or 48 bytes. The
upper 2/3 are the server key, the lower 2/3 are the client key. (This
depends on the version of SSL you're running, though -- I seem to
recall SSLv2 splitting the master key down the center.)

-Kyle H

On 1/26/06, DALE REAMER <[EMAIL PROTECTED]> wrote:
> I am working on a project, where, for development reasons, I need to
> obtain the secret session key from openssl. How do I do it, where is the
> key. I don't want to calculate it, I only need it to give to the server
> developer. We are using rc4-128 md5
>
> Thanks, dreamer
>
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
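For the offline check described in this thread, the sketch below is an added example, not code from any poster or from OpenSSL. It assumes the connection is TLS 1.0 (RFC 2246 key derivation, which SSLv3 does not share) and that the 48-byte master secret and both hello randoms have been recorded; all function names and the sample values are constructed for illustration.

```python
import hashlib
import hmac

def p_hash(name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC chained until `length` bytes exist."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 keyed with the first half of the secret XOR P_SHA1 with the second."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def rc4_md5_keys(master_secret, client_random, server_random):
    """Split the key block for RC4-128 with MD5: two 16-byte MAC secrets, two 16-byte keys."""
    block = tls10_prf(master_secret, b"key expansion", server_random + client_random, 64)
    names = ("client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key")
    return {n: block[i * 16:(i + 1) * 16] for i, n in enumerate(names)}

def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

if __name__ == "__main__":
    # Constructed values standing in for a recorded session; not real traffic.
    master = bytes(range(48))
    keys = rc4_md5_keys(master, b"\x11" * 32, b"\x22" * 32)
    for name, value in keys.items():
        print(name, value.hex())
    print(rc4(keys["client_write_key"], b"constructed record payload").hex())
```

When comparing against real records, keep in mind that the RC4 state carries over from one record to the next in each direction, and that the encrypted part of a record is the payload followed by its MAC.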