Konstantin Ivanov

> I was wondering if it is possible to determine if client is requesting
> an ssl handshake on regular socket connection and if client does request
> it, continue with SSL handshake and enable secure communication? What is
> happening is that if I have a server, but I accept a connection using a
> regular socket (not OpenSSL accept) then I get the scrambled data from
> the client which I assume is an attempt to handshake with the server.
> Is it possible to determine if this is a handshake and if so, let this
> connection be secure? This is a custom application.

        It's possible. It depends on what the non-secure protocol is. But if it's
text, it's not too difficult. Just look at the first chunk of data you
receive. If it's all-text, assume it's not secure. Otherwise, assume it's
secure.

        At first, I grabbed at least 3 bytes and checked for a valid HTTP verb
(GET, PUT, POST, and so on). If the first 3 bytes matched the first three
bytes of a valid HTTP verb, I assumed it wasn't secure. This worked
perfectly for HTTP/HTTPS auto-detection. (Though in theory, if a client
tried a new verb, we would mis-detect.)

        After testing and experimentation, I discovered that for every text
protocol I cared about, simply testing if the first character received is
printable is sufficient. If so, it's not secure. If not, it is.

        I've managed to do this without problems for SMTP, POP, HTTP, and a few
custom text-based protocols. Note that the protocol must be such that the
client sends data first. If the server must send data first, then there is
no way for the server to know what to send.

        DS

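The sniffing DS describes, written out as an added C example that is not part of the original thread or of OpenSSL itself. It assumes the TCP connection has already been accepted with a plain `accept()` and that the client speaks first; `classify_first_bytes`, `peek_and_classify`, the `wire_kind` enum and the sample byte strings are all hypothetical names and constructed inputs, not captured traffic. Besides the "first byte printable" test from the post it also recognises a TLS/SSLv3 record header directly, which is a stricter check than "not printable".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Outcome of sniffing the first bytes a client sends (hypothetical enum). */
enum wire_kind {
    WIRE_NEED_MORE,   /* fewer than 3 bytes seen so far; wait and peek again */
    WIRE_PLAINTEXT,   /* looks like a text protocol: hand to the plain reader */
    WIRE_TLS,         /* looks like a TLS/SSLv3 record: hand to SSL_accept() */
    WIRE_UNKNOWN      /* neither: safest choice is to close the connection */
};

/* Classify the first bytes of a connection.
 * - A TLS/SSLv3 ClientHello arrives inside a record whose header is
 *   content type 0x16 (handshake), major version 0x03, minor 0x00..0x03.
 * - A text protocol (HTTP, a custom line protocol, ...) starts with a
 *   printable ASCII character; this is exactly the heuristic in the post.
 * Anything else (binary, but not a TLS record header; e.g. an SSLv2-style
 * hello whose first byte has the high bit set) is reported as unknown
 * rather than guessed. */
enum wire_kind classify_first_bytes(const unsigned char *buf, size_t n)
{
    if (n < 3)
        return WIRE_NEED_MORE;
    if (buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x03)
        return WIRE_TLS;
    if (isprint(buf[0]))
        return WIRE_PLAINTEXT;
    return WIRE_UNKNOWN;
}

/* Peek at what the client sent WITHOUT consuming it, so whichever handler
 * is chosen afterwards (a plain recv() loop or SSL_accept() on an SSL
 * object bound to the same fd) still sees the very first bytes.
 * Returns WIRE_UNKNOWN on a socket error or an orderly close. */
enum wire_kind peek_and_classify(int fd)
{
    unsigned char buf[8];
    ssize_t got = recv(fd, buf, sizeof buf, MSG_PEEK);
    if (got <= 0)
        return WIRE_UNKNOWN;
    return classify_first_bytes(buf, (size_t)got);
}

static const char *kind_name(enum wire_kind k)
{
    switch (k) {
    case WIRE_NEED_MORE: return "need more";
    case WIRE_PLAINTEXT: return "plaintext";
    case WIRE_TLS:       return "tls";
    default:             return "unknown";
    }
}

int main(void)
{
    /* Constructed samples, not captured traffic. */
    static const unsigned char hello[] = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01 };
    static const char http[] = "GET / HTTP/1.1\r\n";
    static const unsigned char v2[] = { 0x80, 0x2e, 0x01 };

    printf("tls record : %s\n", kind_name(classify_first_bytes(hello, sizeof hello)));
    printf("http verb  : %s\n", kind_name(classify_first_bytes((const unsigned char *)http, strlen(http))));
    printf("sslv2-style: %s\n", kind_name(classify_first_bytes(v2, sizeof v2)));
    printf("2 bytes    : %s\n", kind_name(classify_first_bytes((const unsigned char *)http, 2)));
    return 0;
}
```

`MSG_PEEK` is what makes the trick work: the bytes stay queued in the socket, so after the decision you can either keep calling `recv()` for the text protocol or call `SSL_accept()` on the same descriptor and the library reads the ClientHello itself. Treat `WIRE_NEED_MORE` by waiting with `poll()` and peeking again, since a slow client may deliver the first three bytes in separate segments. Because whichever branch runs is chosen purely by what the client sends, a server that is required to speak TLS should refuse the plaintext branch rather than serve it.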

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org