I understand that's the case as the exchange progresses, but even when
just having exchanged Hellos and gotten a server cert?


-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Friday, August 28, 2009 2:30 PM
To: openssl-users@openssl.org
Subject: Re: Can I set the client hello challenge externally?

On Fri, Aug 28, 2009 at 01:53:44PM -0700, Rene Hollan wrote:

> Here's my issue, in some cases, after receiving the server certificate,
> I may want to simply stitch the two ends together and drop out of the
> communication. I figure I can do this if the MITM and client SSL state
> are identical up to this point. That requires using the same SSL version,
> certificate suite, session ID, and challenge in the two Client Hello
> messages.

The client and server internal state is not necessarily fully disclosed
to the peer (in this case) MITM gateway, so the MITM gateway cannot
faithfully emulate one peer to the other to arrive at the same SSL state
(and still be able to decrypt and re-encrypt the traffic).

This is for example true with kEDH ciphers. There may be other obstacles,
but perhaps this is possible for weaker than kEDH cipher-suites.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
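The two gateway behaviours Viktor contrasts, as an added illustration that is not code from the thread or from OpenSSL: a gateway that only relays the ephemeral DH values of a kEDH exchange never learns the session secret, while one that runs its own exchange on each leg can decrypt but leaves the two ends with different secrets, so the legs cannot be stitched into one state. The toy group and the function names are assumptions made for this example.

```python
import secrets

# Toy DH group, constructed for illustration only; it is far too small to be
# secure. A kEDH TLS suite uses a large group, but the structure is the same.
P = (1 << 127) - 1      # the Mersenne prime 2^127 - 1
G = 5

def keypair(priv=None):
    """Ephemeral DH key pair; priv may be supplied to make runs repeatable."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def relay_handshake(a=None, c=None):
    """Gateway forwards the ClientKeyExchange/ServerKeyExchange values unchanged.
    Returns (client_secret, server_secret, everything_the_gateway_saw)."""
    a, ga = keypair(a)                  # client's ephemeral key
    c, gc = keypair(c)                  # server's ephemeral key
    transcript = {"client_pub": ga, "server_pub": gc}   # all the gateway sees
    return pow(gc, a, P), pow(ga, c, P), transcript

def intercept_handshake(a=None, b1=None, b2=None, c=None):
    """Gateway runs its own DH with each side so that it can decrypt.
    Returns (client_leg_secret, server_leg_secret, gateway's copy of both)."""
    a, ga = keypair(a)
    b1, gb1 = keypair(b1)               # gateway's key facing the client
    b2, gb2 = keypair(b2)               # gateway's key facing the server
    c, gc = keypair(c)
    client_secret = pow(gb1, a, P)      # what the client derives
    server_secret = pow(gb2, c, P)      # what the server derives
    gateway_secrets = (pow(ga, b1, P), pow(gc, b2, P))
    return client_secret, server_secret, gateway_secrets

def can_stitch(client_secret, server_secret):
    """The two legs can only be joined if both ends derived the same key."""
    return client_secret == server_secret

if __name__ == "__main__":
    cs, ss, seen = relay_handshake()
    print("relay: ends agree:", can_stitch(cs, ss),
          "| secret among values seen by gateway:", cs in seen.values())
    cs, ss, gw = intercept_handshake()
    print("intercept: gateway holds both keys:", gw == (cs, ss),
          "| ends agree:", can_stitch(cs, ss))
```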