Please read the RFC, it would clearly explain how the master secret is
dervied, and from that how the read and write keys are derived. With that
you can get to know how to extract the read n write keys. Meanwhile the read
and wirte keys are available as part of the ssl object.
Check that structure out.

Thanks
--Gayathri

On Mon, Aug 22, 2011 at 10:24 AM, krishnamurthy santhanam <
krishnamurth...@gmail.com> wrote:

> I have more than 100 clients that will connect to my server and communicate
> the data. I am implementing SSL on server side to authenticate the client
> certificate(X.509) and also client will authenticate the servers
> certificate. Once the mutual authentication has completed I have to generate
> master key for encryption and decryption.  I am going to use AES for
> encryption and decryption.
>
>  I had generated the client and server certificates using the bellow
> commands and signed by the root,
>
> 1. CLIENT CERTIFICATE:
>
> openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
>
> openssl x509 -req -in clientreq.pem -sha1 -extfile openssl.cnf  -extensions
> usr_cert -CA rootcert.pem  -CAkey rootkey.pem -CAcreateserial   -out
> clientcert.pem
>
> cat clientkey.pem  clientcert.pem rootcert.pem > client.pem
>
> openssl x509  -subject -issuer -noout -in client.pem
>
> 2. SERVER CERTIFICATE:
>
> openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
>
> openssl x509 -req -in serverreq.pem -sha1 -extfile openssl.cnf  -extensions
> usr_
>
> cert -CA rootcert.pem  -CAkey rootkey.pem -CAcreateserial   -out
> servercert.pem
>
> cat serverkey.pem  servercert.pem rootcert.pem > server.pem
>
> openssl x509  -subject -issuer -noout -in server.pem
>
> 3. ROOT CERTIFICATE:
>
> openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>
> openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions v3_ca
> -sig
>
> nkey rootkey.pem -out rootcert.pem
>
> cat rootcert.pem rootkey.pem  > root.pem
>
> openssl x509  -subject -issuer -noout -in root.pem
>
>
>
> Initially I  am writing ssl/tls programming for server and client. In this
> I am able to communicate the data between client and server.
>
> I was struck on master key generation, I have added the below LOC to
> programs to get MASTER KEY,
>
> printf("session A\n");
>
> SSL_SESSION *session = SSL_get_session(ssl);
>
> SSL_SESSION_print(out, session);
>
> It is printing like this ,
>
>  session A
>
> SSL-Session:
>
>     Protocol  : TLSv1
>
>     Cipher    : AES256-SHA
>
>     Session-ID:
> 9FCE46513DD74882D3FF0E0E84CC4A6BE12192B65C426E0B27D0FA15F81D7D5E
>
>     Session-ID-ctx:
>
>     Master-Key:
> 56F90B0D90DEB3430207A74793C9B6565744E06ECA191D9DFA04C29B1EE2B782
>
> 6B602878597465F739AD69091DDF6499
>
>     Key-Arg   : None
>
>     Krb5 Principal: None
>
>    Compression: 1 (zlib compression)
>
>     Start Time: 1314015355
>
>     Timeout   : 7200 (sec)
>
> Is this the Master key for both the server and client?
>
> Is this the key that should be used for the encryption in client side and
> decryption in server side?
>
> If this is the Master key how can I extract the key?
>
> Please guide me if I understood anything wrong.
>

Reply via email to