Grant Taylor wrote:

> I would expect that steps #2 and / or #3 would have different values for
> nonces / ephemeral keys on each end of the connection and that
> this would be visible if you got deep enough into the TLS debugging.

Yes, I would assume so. And we were headed that way: we were trying to figure out if there's a way to get session keys out of z/OS, since we were told the gateway cannot do that. Though I guess we wouldn't need them for the Client Hello, since that's not encrypted yet. But at some point, we would have hopefully noticed that difference, or noticed the double Client Hello. Obviously depends exactly where in the circuit the tracing would be.

I guess with session keys we would have looked at the first encrypted packet the gateway got and maybe at that point said, "Why is this a Client Hello and why is it encrypted?" and maybe the penny would have dropped. Though if nobody had ever said "AT-TLS" I'm not sure it would have then; it's just such a bizarre thing. "Nobody EXPECTS the Spanish Inquisition!"

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
