Nope.  You also need to sync up the HMAC, and unless you can sync your
protocol state with the client that you're proxying, it's just not
possible (to the tune of about 2^71:1 against).

-Kyle H

On Fri, Aug 28, 2009 at 1:53 PM, Rene Hollan <rene.hol...@watchguard.com> wrote:
> I have an issue where I have an INTENTIONAL man in the middle: two SSL 
> stacks, and the certificate provided by the server RESIGNED by a local CA (on 
> the fly), WHICH THE CLIENT TRUSTS (there is no funny business going on: the 
> client is intentionally using a MITM to inspect traffic on its behalf).
>
> So far, I've just been setting up two SSL sessions: client to MITM, and MITM 
> to server. Obviously the Client Hello challenges (client to MITM and MITM to 
> server) will be different.
>
> Here's my issue: in some cases, after receiving the server certificate, I may 
> want to simply stitch the two ends together and drop out of the 
> communication. I figure I can do this if the MITM and client SSL state are 
> identical up to this point. That requires using the same SSL version, 
> certificate suite, session ID, and challenge in the two Client Hello messages.
>
> SSL version and certificate suite are easy to set. But, is there an openssl 
> call to EXPLICITLY set the challenge sequence? (I'm not worrying about 
> session resumption at this point.)
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
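To make the state-sync point concrete, here is an added example (mine, not code from either poster or from OpenSSL) that models the TLS 1.2 key schedule from RFC 5246: the master secret is derived from the pre-master secret plus BOTH randoms, and each side's Finished value is a PRF over the hash of every handshake byte seen so far. A MITM can only step aside if the client-side leg and the server-side leg end up with identical master secrets and identical transcripts; the moment it chose its own server random (or the client used a different client random) the two legs' Finished values diverge and the handshake fails. The randoms, session ID, pre-master secret and the simplified transcript layout below are constructed for the demo; a real transcript is the exact bytes of every handshake message, and earlier SSL/TLS versions use a different PRF construction but the same dependency on both randoms.

```python
import hashlib
import hmac

# --- RFC 5246 section 5: P_SHA256 / PRF ---------------------------------------

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion: A(i) = HMAC(secret, A(i-1)), output += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master secret bound to BOTH hello randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """RFC 5246 section 7.4.9: 12-byte verify_data over the hash of all handshake messages."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)

# --- one leg of a proxied handshake -------------------------------------------

def leg_state(client_random: bytes, server_random: bytes, session_id: bytes, pre_master: bytes) -> dict:
    # Simplified transcript (assumption for the demo): real TLS hashes every handshake byte,
    # including the full ClientHello, ServerHello, Certificate, ClientKeyExchange, etc.
    transcript = b"ClientHello" + client_random + b"ServerHello" + server_random + session_id
    ms = master_secret(pre_master, client_random, server_random)
    return {
        "master": ms,
        "client_finished": finished_verify_data(ms, b"client finished", transcript),
        "server_finished": finished_verify_data(ms, b"server finished", transcript),
    }

def can_splice(client_leg: dict, server_leg: dict) -> bool:
    """If the MITM drops out after the hellos, the client's Finished must verify against what the
    real server computed and vice versa; that only holds when both legs share state exactly."""
    return (hmac.compare_digest(client_leg["client_finished"], server_leg["client_finished"])
            and hmac.compare_digest(client_leg["server_finished"], server_leg["server_finished"]))

# --- constructed sample values (not from any capture) -------------------------
CLIENT_RANDOM      = bytes.fromhex("4a5b6c7d" + "11" * 28)   # chosen by the real client
SERVER_RANDOM_REAL = bytes.fromhex("4a5b6c8e" + "22" * 28)   # chosen by the real server
SERVER_RANDOM_MITM = bytes.fromhex("4a5b6c8e" + "33" * 28)   # what an independent MITM stack would pick
CLIENT_RANDOM_MITM = bytes.fromhex("4a5b6c7d" + "44" * 28)   # what the MITM's client stack would pick
SESSION_ID         = bytes.fromhex("aa" * 32)
PRE_MASTER         = b"\x03\x03" + b"\x55" * 46              # same key exchange forwarded on both legs

def splice_with_forwarded_hellos() -> bool:
    """MITM relayed ClientHello and ServerHello byte-for-byte: both legs are identical."""
    return can_splice(leg_state(CLIENT_RANDOM, SERVER_RANDOM_REAL, SESSION_ID, PRE_MASTER),
                      leg_state(CLIENT_RANDOM, SERVER_RANDOM_REAL, SESSION_ID, PRE_MASTER))

def splice_with_own_server_random() -> bool:
    """MITM answered the client with its own ServerHello random, as two separate SSL sessions do."""
    return can_splice(leg_state(CLIENT_RANDOM, SERVER_RANDOM_MITM, SESSION_ID, PRE_MASTER),
                      leg_state(CLIENT_RANDOM, SERVER_RANDOM_REAL, SESSION_ID, PRE_MASTER))

def splice_with_own_client_random() -> bool:
    """MITM's outbound ClientHello carried a different random than the real client's."""
    return can_splice(leg_state(CLIENT_RANDOM, SERVER_RANDOM_REAL, SESSION_ID, PRE_MASTER),
                      leg_state(CLIENT_RANDOM_MITM, SERVER_RANDOM_REAL, SESSION_ID, PRE_MASTER))

if __name__ == "__main__":
    print("hellos forwarded verbatim  ->", splice_with_forwarded_hellos())
    print("MITM chose server random    ->", splice_with_own_server_random())
    print("MITM chose client random    ->", splice_with_own_client_random())
```

The pre-master secret is held constant above, which is itself a strong assumption: with RSA key exchange the client encrypts it to the public key in the certificate it saw, so if the MITM has already presented a locally re-signed certificate with a different key, the server cannot decrypt the forwarded ClientKeyExchange and the splice fails there even if every hello byte matched. Splicing is therefore only a decision the proxy can make before it has sent anything of its own to the client.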