[openssl-users] SSL based Tunnel implementation

2015-09-04 Thread Prabhat Puroshottam
Hi,

We have software product which allows for Clients (C) to communicate with 
Agents (A) via a Proxy server (P). Client, Proxy and Agent all are part of our 
product suite. The data transferred can even be in Gigabytes (which actually 
are large files being transferred). Multiple clients can communicate with 
multiple agents via the same Proxy. All data transfer happens via SSL. Right 
now, all data coming from C is first decrypted at P and then encrypted 
again before being written to P, since separate connections exist between C & P 
and P & A, with separate SSL connections as well. This decryption/encryption at 
P is making overall communication slow, and is putting too much CPU load on P.

To improve this situation, we plan to make P a sort of tunnel for data coming 
from C to A and that coming from A to C. Here is the proposed process (similar 
to a socks proxy):

1. TCP Connection and Handshake: C <==> P. Call this connection C1.
2. SSL Handshake: C <==> P.
3. Application level Handshake and authentication: C <==> P.
4. TCP Connection and Handshake: P <==> A. Call this connection C2. On 
completion of this step C has successfully authenticated itself to P, and all 
data coming from C is henceforth copied to A and vice-versa.
5. SSL Handshake: C <==> A. This handshake is between C and A. P just forwards 
all data coming from C1 to C2. So C and A will negotiate the communication 
parameters between themselves including SSL cipher suite, etc.
6. Application Level Data Transfer: P just copies all data coming from C1 to C2 
and vice-versa.
a. C => P => A (No encryption/decryption/interpretation – just plain copying of 
all data).
b. A => P => C (No encryption/decryption/interpretation – just plain copying of 
all data).
7. At some point, application Level Data Transfer Ends, and connections close.

I have two questions:

1. Do you foresee any problem/difficulties implementing this approach?
2. Is there a concern of a man-in-the-middle attack between step 4 and 5? If yes, 
how can we overcome that - any pointers?

-Prabhat

PS: We are using the openssl library, and this is a security-related question, that 
is why I have asked this here. Please forgive me if you feel this post doesn't 
belong here.
  
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
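Added example, not from the poster or his product: steps 3 to 6 of the design above as a
runnable Go program (Go rather than OpenSSL/C so it runs stand-alone; the layering is the
same), together with the check that answers question 2. Assumptions: the step-3
application-level handshake is a one-line "HELLO demo-token" message (the real format is not
in the post); the C<==>P TLS session of step 2 is left out, so P copies raw socket bytes, which
is what step 6 requires anyway (if C1 were still wrapped in TLS to P after step 3, P would
still be decrypting); certificates come from an in-process test CA; A is a one-line echo
service. The man-in-the-middle point it demonstrates: C verifies A's certificate against its
own CA pool and the expected name, and A requires C's client certificate, so nothing between
them, P included, can impersonate A or read the stream without A's private key. Demo runs one
session to the genuine A and one where P has been pointed at an impostor A whose certificate
carries the right name but an untrusted issuer; the second handshake fails at C.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const hello = "HELLO demo-token\n" // stand-in for the step-3 application handshake; the real format is not in the post

// newCert: ECDSA key and certificate for name, a self-signed CA when parent is nil, else a leaf signed by parent.
func newCert(name string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve runs handle on every connection accepted from ln until ln is closed.
func serve(ln net.Listener, handle func(net.Conn)) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go handle(c)
	}
}

// startAgent is A: a TLS echo service that also requires a client certificate chained to caPool.
func startAgent(cert tls.Certificate, caPool *x509.CertPool) net.Listener {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caPool})
	go serve(ln, func(c net.Conn) {
		defer c.Close()
		line, _ := bufio.NewReader(c).ReadString('\n') // the TLS handshake, including C's cert check, happens here
		fmt.Fprint(c, "ECHO "+line)
	})
	return ln
}

// startProxy is P: check the step-3 handshake, dial A (step 4), then copy bytes both ways without parsing them.
func startProxy(agentAddr string) net.Listener {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	go serve(ln, func(c1 net.Conn) {
		defer c1.Close()
		r := bufio.NewReader(c1)
		if got, err := r.ReadString('\n'); err != nil || got != hello {
			return // unauthenticated client: drop C1 without ever touching A
		}
		if c2, err := net.Dial("tcp", agentAddr); err == nil {
			defer c2.Close()
			go io.Copy(c2, r) // copy from r: C's ClientHello may already sit in its buffer
			io.Copy(c1, c2)   // returns when A closes C2; the deferred closes end the other direction
		}
	})
	return ln
}

// runClient is C: step-3 handshake with P, then TLS end to end with A through P's pipe, pinning A to caPool.
func runClient(proxyAddr string, cert tls.Certificate, caPool *x509.CertPool, msg string) (string, error) {
	c1, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return "", err
	}
	fmt.Fprint(c1, hello)
	conn := tls.Client(c1, &tls.Config{ServerName: "agent", RootCAs: caPool, Certificates: []tls.Certificate{cert}})
	defer conn.Close() // also closes c1
	if err := conn.Handshake(); err != nil {
		return "", err // an impostor A, or a P tampering with step 5, is caught here
	}
	fmt.Fprintf(conn, "%s\n", msg)
	return bufio.NewReader(conn).ReadString('\n')
}

// Demo runs a session to the genuine A, then one to an impostor A whose self-signed cert has the right name.
func Demo() (reply string, genuineErr, impostorErr error) {
	ca := newCert("demo-ca", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	client := newCert("client", &ca)
	session := func(agentCert tls.Certificate) (string, error) {
		agent := startAgent(agentCert, pool)
		defer agent.Close()
		proxy := startProxy(agent.Addr().String())
		defer proxy.Close()
		return runClient(proxy.Addr().String(), client, pool, "hello agent")
	}
	reply, genuineErr = session(newCert("agent", &ca))
	_, impostorErr = session(newCert("agent", nil))
	return reply, genuineErr, impostorErr
}

func main() {
	fmt.Println(Demo())
}
```

Run with go run: the first value printed is the echoed reply from the genuine A, the last is
the x509 unknown-authority error from the impostor session. The check only holds because C pins
to its own CA pool and checks the name; a client that sets InsecureSkipVerify, or trusts the
system store, would accept the impostor, and P's copying loop cannot tell the difference.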


Re: [openssl-users] SSL_get_verify_result returning 5 on SSL setup?

2015-09-04 Thread Viktor Dukhovni
On Fri, Sep 04, 2015 at 09:24:21AM +0200, Gait Boxman wrote:

> I'm occasionally getting code 5 from SSL_get_verify_result when attempting
> to setup an SSL/TLS connection to an MS Exchange server using v1.02a.

Show the relevant code that returns "5".  Most frequently "5" is
SSL_ERROR_SYSCALL, returned by SSL_get_error().  As you note, this
value is never set as the verification result by OpenSSL itself, so
unless you have verify callbacks that change the X509_STORE_CTX
error value, perhaps you're reporting the return value of the wrong
function.

-- 
Viktor.


[openssl-users] SSL_get_verify_result returning 5 on SSL setup?

2015-09-04 Thread Gait Boxman

Hi all,

I'm occasionally getting code 5 from SSL_get_verify_result when 
attempting to setup an SSL/TLS connection to an MS Exchange server using 
v1.02a.
I checked the source code, which shows it's 
X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, but I can't find where that 
is coming from. The error is listed and documented, but not used in the 
library anywhere AFAICT.
Can anyone tell me where this value might be set in the process, and 
where it is in the code? Could this be an error sent back by the server?


Thnx, Gait Boxman.