Sorry, still don't get it: the DH exchange hasn't taken place YET when the client sends Client Hello and the server responds with Server Hello and Server Certificate(s).
Should I still not have the freedom to choose at that point whether to proxy or not?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Rene Hollan
Sent: Friday, August 28, 2009 3:00 PM
To: openssl-users@openssl.org
Subject: RE: Can I set the client hello challenge externally?

On kRSA, AFAIK, openssl does not provide a way to SET "client random" or "server random" prior to starting the handshake (and, in normal situations, there would be no need to do this).

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Friday, August 28, 2009 2:50 PM
To: openssl-users@openssl.org
Subject: Re: Can I set the client hello challenge externally?

On Fri, Aug 28, 2009 at 02:38:50PM -0700, Rene Hollan wrote:

> I understand that's the case as the exchange progresses, but even when
> just having exchanged Hellos and gotten a server cert?

You can't MITM kEDH without changing the pre-master secret, which means that you MUST stay in the middle if you don't want to disrupt the connection.

You may be able to MITM kRSA and later drop out, but I am far from sure about this; it is just not obvious to me why you can't, provided the "client random" and "server random" are not changed by the proxy.

--
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org