Hi Peter, Patrick,

On 2010/04/08 2:10 PM, Patrick Patterson wrote:
> Hello Peter:
> 
> 
> On 08/04/10 3:45 AM, peter23452345 wrote:
>>
>> Hi, I have been trying to create a certificate for use on my WebScarab proxy.
>> Essentially what I want to do is this: run a PHP curl script which redirects
>> certain HTTPS traffic through the WebScarab proxy so that I can see the
>> output from the curl script (PHP curl doesn't provide visibility into the
>> HTTP POST string and I need to see this). I have already got this working
>> with regular HTTP, but I need HTTPS.

[snip]

> No, you don't need the server's private key to see that web page - you
> simply need the public key (the key that is contained in the
> certificate) - all the RSA keys are being used for is to authenticate
> the server to you. The encryption isn't done using the key, it is done
> at the TLS/SSL layer, using a symmetric key negotiated between the
> client and the server. If you are curious as to how this works, the RFC
> describing the TLS protocol is quite clear.
> 
> In order for you to become an SSL Proxy and impersonate the server, you
> need to get the private key from that server. Since you say that the
> server is not under your control, this means that you are quite likely
> not authorised to impersonate this server by transparently proxying for
> it. It is for exactly this reason that people use TLS/SSL :)
> 
> So, the short answer is - until you can convince the administrators of
> the server that you are proxying for to hand over their private keys,
> what you want to do is not possible.
> 
> Have fun.
> 
> Patrick.

In fact, what WebScarab is doing is presenting an invalid certificate to
the client, which normally stops and gives the user the option to accept
that invalid certificate or abort the request.

However, curl as a scripted client doesn't really get the opportunity to
query the user.

That said, you can instruct curl in advance to ignore certificate errors
and warnings using the "-k" flag.

$ curl -k <whatever>

Hope this helps.

Rogan Dawes
WebScarab author
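Added example, not part of the thread or of WebScarab: a PHP curl script that routes an HTTPS POST through a local intercepting proxy, showing the "-k" equivalent Rogan describes (verification switched off) beside the setting a practitioner should prefer for a debugging proxy (verification kept on, with only the proxy's own CA trusted for that request). The proxy address, the target URL, the POST fields and the assumption that the proxy's signing certificate has been exported to `proxy-ca.pem` are all placeholders.

```php
<?php
// Added example (not from the thread): a PHP curl request sent through a local
// intercepting proxy such as WebScarab, with certificate verification handled
// two ways. Proxy address, CA file path, target URL and form fields are assumptions.

const PROXY_ADDR = '127.0.0.1:8008';            // assumed proxy listener address
const PROXY_CA   = __DIR__ . '/proxy-ca.pem';    // assumed: the proxy's CA cert exported to a file
const TARGET_URL = 'https://example.com/api';    // placeholder target

/**
 * Build a curl handle that goes through the debugging proxy.
 * $insecure === true reproduces "curl -k": verification is switched off
 * entirely, so ANY certificate (including one from a hostile middlebox) is
 * accepted. $insecure === false keeps verification on and instead trusts
 * only the proxy's own CA for this request, so the forged certificates the
 * proxy presents validate while anything else still fails.
 */
function make_proxied_handle($url, array $postFields, $insecure)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROXY          => PROXY_ADDR,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($postFields),
        CURLINFO_HEADER_OUT    => true,   // lets curl_getinfo() return the request headers actually sent
    ]);

    if ($insecure) {
        // Equivalent of "-k": neither the peer certificate nor its host name is checked.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    } else {
        // Verification stays on; only the proxy's CA is trusted for this handle.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($ch, CURLOPT_CAINFO, PROXY_CA);
    }
    return $ch;
}

// Insecure mode is honoured only when explicitly requested from the environment,
// so the "-k" behaviour cannot silently remain enabled in a deployed script.
$insecure = getenv('DEBUG_INSECURE_TLS') === '1';

$ch   = make_proxied_handle(TARGET_URL, ['user' => 'alice', 'action' => 'login'], $insecure);
$body = curl_exec($ch);
if ($body === false) {
    // A verification failure surfaces here, e.g. when the proxy's CA file is missing.
    fwrite(STDERR, 'curl error: ' . curl_error($ch) . PHP_EOL);
} else {
    echo "Request headers sent:\n", curl_getinfo($ch, CURLINFO_HEADER_OUT), "\n";
    echo "Response body length: ", strlen($body), "\n";
}
curl_close($ch);
```

Run it with `DEBUG_INSECURE_TLS=1 php script.php` to get the behaviour of `curl -k` while the proxy is up; without that variable the request still goes through the proxy but is rejected unless the certificate chains to the CA in `proxy-ca.pem`, which is the failure mode you want if the script is ever run outside the debugging setup. The `CURLINFO_HEADER_OUT` value gives the outgoing request line and headers directly from PHP, which covers part of the visibility the original question asks for even before the proxy is involved.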

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
