Sorry, still don't get it: the DH exchange hasn't taken place YET when
client sends Client Hello and server responds with Server Hello, and
Server Certificate(s).

Should I still not have the freedom to choose at that point whether to
proxy or not?

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Rene Hollan
Sent: Friday, August 28, 2009 3:00 PM
To: openssl-users@openssl.org
Subject: RE: Can I set the client hello challenge externally?

On kRSA, AFAIK, openssl does not provide a way to SET "client random" or
"server random" prior to starting the handshake (and, in normal
situations, there would be no need to do this).

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Friday, August 28, 2009 2:50 PM
To: openssl-users@openssl.org
Subject: Re: Can I set the client hello challenge externally?

On Fri, Aug 28, 2009 at 02:38:50PM -0700, Rene Hollan wrote:

> I understand that's the case as the exchange progresses, but even when
> just having exchanged Hellos and gotten a server cert?

You can't MITM kEDH without changing the pre-master secret, which
means that you MUST stay in the middle if you don't want to disrupt
the connection.

You may be able to MITM kRSA and later drop out, but I am far from sure
about this; it is just not obvious to me why you can't, provided the
"client random" and "server random" are not changed by the proxy.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
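Victor's kRSA-versus-kEDH point, worked through as an added example (this is not code from the thread or from OpenSSL): the TLS master secret is PRF(pre_master_secret, "master secret", client_random + server_random), so if an inspecting proxy leaves both Hello randoms alone, the only thing that can differ between its client leg and its server leg is the pre-master secret. With kRSA the client chooses that value, and the same 48 bytes can end up on both legs; with kEDH each leg is a separate DH exchange, so the two legs derive different keys and the proxy cannot step out. The TLS 1.2 P_SHA256 PRF and the toy 127-bit DH group are my assumptions for illustration; the 2009 thread would have been on TLS 1.0's MD5/SHA-1 PRF, but the argument is identical.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.2 master secret (RFC 5246 section 8.1): 48 bytes of
    PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)."""
    return p_sha256(pre_master, b"master secret" + client_random + server_random, 48)


# Toy DH group for illustration only (2**127 - 1 is a Mersenne prime).
# Real suites use 2048-bit or larger groups; the key-derivation argument is unchanged.
TOY_P, TOY_G = 2**127 - 1, 5


def toy_dh_keypair():
    priv = int.from_bytes(os.urandom(16), "big") % (TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def proxy_leg_master_secrets(kx: str, client_random: bytes, server_random: bytes):
    """Master secret on the client<->proxy leg and on the proxy<->server leg when an
    inspecting proxy forwards both Hello randoms unchanged. Returns (client_leg, server_leg)."""
    if kx == "kRSA":
        # The client picks the 48-byte pre-master secret (version bytes + 46 random).
        # If that exact value reaches the server, both legs feed the PRF identical inputs.
        pms = b"\x03\x03" + os.urandom(46)
        return (master_secret(pms, client_random, server_random),
                master_secret(pms, client_random, server_random))
    if kx == "kEDH":
        # Each leg is its own DH exchange, so the two shared secrets Z are independent.
        c_priv, _ = toy_dh_keypair()        # client's ephemeral key
        _, px_pub = toy_dh_keypair()        # proxy's ephemeral key, offered on both legs
        s_priv, _ = toy_dh_keypair()        # server's ephemeral key
        z_client_leg = pow(px_pub, c_priv, TOY_P).to_bytes(16, "big")
        z_server_leg = pow(px_pub, s_priv, TOY_P).to_bytes(16, "big")
        return (master_secret(z_client_leg, client_random, server_random),
                master_secret(z_server_leg, client_random, server_random))
    raise ValueError(f"unknown key exchange {kx!r}")
```

Equal master secrets on both legs are what a drop-out would require; the kEDH case never yields them, which is also why ephemeral DH suites are the ones that give forward secrecy against a passive recorder.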
