I understand that's the case as the exchange progresses, but even when just having exchanged Hellos and gotten a server cert?
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Friday, August 28, 2009 2:30 PM
To: openssl-users@openssl.org
Subject: Re: Can I set the client hello challenge externally?

On Fri, Aug 28, 2009 at 01:53:44PM -0700, Rene Hollan wrote:

> Here's my issue, in some cases, after receiving the server certificate,
> I may want to simply stitch the two ends together and drop out of the
> communication. I figure I can do this if the MITM and client SSL state
> are identical up to this point. That requires using the same SSL version,
> certificate suite, session ID, and challenge in the two Client Hello
> messages.

The client and server internal state is not necessarily fully disclosed to the peer (in this case) MITM gateway, so the MITM gateway cannot faithfully emulate one peer to the other to arrive at the same SSL state (and still be able to decrypt and re-encrypt the traffic). This is for example true with kEDH ciphers. There may be other obstacles, but perhaps this is possible for weaker than kEDH cipher-suites.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
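The kEDH point in Viktor's reply can be made concrete with a small model of the three-party handshake. The following is an added illustration, not code from the thread or from OpenSSL: it uses a constructed toy Diffie-Hellman group (p = 2^127 - 1, far too small for real use) and a simplified HMAC-based key derivation that stands in for the TLS PRF (both are assumptions of this example). The gateway copies the ClientHello fields exactly as the original poster proposed, and the model shows the two outcomes available to it: relay the ephemeral DH values untouched and the two ends finish with identical keys but the gateway cannot read the traffic, or run its own DH exchange with each side and be able to decrypt, at the cost of the two legs ending with different keys, so they can no longer be stitched together.

```python
"""Toy model of a client <-> gateway <-> server DHE handshake.

Added example for the thread above; not the project's own code.  The DH group
and key derivation below are constructed stand-ins, not TLS's real parameters.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: 2**127 - 1 is prime, but this size is not secure.
# Real TLS uses named groups of 2048 bits or more (assumption: toy parameters).
P = 2**127 - 1
G = 2


def dh_keypair():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret from our private exponent and the peer's public value."""
    return pow(peer_pub, priv, P)


def derive_key(client_random, server_random, premaster):
    """Simplified key derivation standing in for the TLS PRF (assumption)."""
    pms = premaster.to_bytes(16, "big")
    label = b"master secret" + client_random + server_random
    return hmac.new(pms, label, hashlib.sha256).digest()


def run_handshake(gateway_mode):
    """Simulate one DHE handshake through a gateway.

    gateway_mode "passthrough": the gateway relays both peers' DH values untouched.
    gateway_mode "terminate":   the gateway runs its own DH with each side so it
                                can decrypt and re-encrypt.
    Returns each end's derived key, whether the two ends match, and whether the
    gateway holds the key material for both legs.
    """
    # The gateway can copy ClientHello fields (randoms, session id, cipher
    # suite) verbatim; that part of the poster's plan is always possible.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    c_priv, c_pub = dh_keypair()  # client's ephemeral pair, never disclosed
    s_priv, s_pub = dh_keypair()  # server's ephemeral pair, never disclosed

    if gateway_mode == "passthrough":
        client_sees, server_sees = s_pub, c_pub
        gw_keys = None  # the gateway never learns either private exponent
    elif gateway_mode == "terminate":
        g1_priv, g1_pub = dh_keypair()  # gateway's ephemeral pair toward the client
        g2_priv, g2_pub = dh_keypair()  # gateway's ephemeral pair toward the server
        client_sees, server_sees = g1_pub, g2_pub
        gw_keys = (
            derive_key(client_random, server_random, dh_shared(g1_priv, c_pub)),
            derive_key(client_random, server_random, dh_shared(g2_priv, s_pub)),
        )
    else:
        raise ValueError(f"unknown gateway mode: {gateway_mode!r}")

    client_key = derive_key(client_random, server_random, dh_shared(c_priv, client_sees))
    server_key = derive_key(client_random, server_random, dh_shared(s_priv, server_sees))
    return {
        "client_key": client_key,
        "server_key": server_key,
        "ends_match": client_key == server_key,
        "gateway_can_decrypt": gw_keys is not None and gw_keys == (client_key, server_key),
    }


if __name__ == "__main__":
    for mode in ("passthrough", "terminate"):
        r = run_handshake(mode)
        print(f"{mode:12s} ends_match={r['ends_match']} "
              f"gateway_can_decrypt={r['gateway_can_decrypt']}")
```

In "terminate" mode the gateway also has to present its own certificate to the client, since the server's signed ServerKeyExchange covers the server's DH value and not the gateway's; that is the usual inspection-gateway arrangement and is outside what this model checks. The model covers only the ephemeral case Viktor names; his remark that non-kEDH suites may behave differently is left as stated.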